From 3c07caae44624898cea43397d6bb65d8a5767a38 Mon Sep 17 00:00:00 2001 From: wittjoe1 <147606163+wittjoe1@users.noreply.github.com> Date: Tue, 6 Feb 2024 08:49:00 +0100 Subject: [PATCH 1/4] Update Secrets_Management_Cheat_Sheet.md minor typo fixing --- cheatsheets/Secrets_Management_Cheat_Sheet.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cheatsheets/Secrets_Management_Cheat_Sheet.md b/cheatsheets/Secrets_Management_Cheat_Sheet.md index 596e7ae4c3..d0e5b4de19 100644 --- a/cheatsheets/Secrets_Management_Cheat_Sheet.md +++ b/cheatsheets/Secrets_Management_Cheat_Sheet.md @@ -90,7 +90,7 @@ tight security is of utmost importance. Furthermore, in lower level languages like C/C++, it is relatively easy to protect secrets in memory. Thus, it may be worthwhile to implement this practice even if the risk of an attacker gaining access to the memory is low. On the other hand, for -programming languages that rely on garbarge collection, securing secrets in memory +programming languages that rely on garbage collection, securing secrets in memory generally is much more difficult. - **Structures and Classes:** In .NET and Java, do not use immutable structures From 9c3006ad6936be724555d80f30410e425ab8cef1 Mon Sep 17 00:00:00 2001 From: wittjoe1 <147606163+wittjoe1@users.noreply.github.com> Date: Wed, 7 Feb 2024 14:21:17 +0100 Subject: [PATCH 2/4] Update DOM_based_XSS_Prevention_Cheat_Sheet.md fixed typo --- cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.md b/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.md index 58015bf506..82f0c99091 100644 --- a/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.md +++ b/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.md 
@@ -220,7 +220,7 @@ HTML encoded example to highlight a fundamental difference with JavaScript encod <a href=...> ``` -If HTML encoding followed the same semantics as JavaScript encoding. The line above could have possibly worked to render a link. This difference makes JavaScript encoding a less viable weapon in our fight against XSS. +If HTML encoding followed the same semantics as JavaScript encoding, the line above could have possibly worked to render a link. This difference makes JavaScript encoding a less viable weapon in our fight against XSS. ## RULE \#4 - JavaScript Escape Before Inserting Untrusted Data into the CSS Attribute Subcontext within the Execution Context From 3a856e8eb263334ce989e483596d1f38c8e9ce88 Mon Sep 17 00:00:00 2001 From: wittjoe1 <147606163+wittjoe1@users.noreply.github.com> Date: Thu, 22 Feb 2024 17:05:57 +0100 Subject: [PATCH 3/4] Update LDAP_Injection_Prevention_Cheat_Sheet.md - LinqToAD is obsolete and has been removed - LinqToLDAP updated - OWASP Java Encoder Project included This changes should really be validated ! --- .../LDAP_Injection_Prevention_Cheat_Sheet.md | 59 ++++++++++++++----- 1 file changed, 43 insertions(+), 16 deletions(-) diff --git a/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.md b/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.md index d531fb823d..039cb8271f 100644 --- a/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.md +++ b/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.md 
@@ -2,26 +2,28 @@ ## Introduction -This cheatsheet is focused on providing clear, simple, actionable guidance for preventing LDAP Injection flaws in your applications. +The Lightweight Directory Access Protocol (LDAP) allows an application to remotely perform operations such as searching and modifying records in +directories. LDAP injection results from inadequate input sanitization and validation and allows malicious users to glean restricted information using the +directory service. For general information about LDAP please visit [lightweight directory access protocol (LDAP)](https://www.redhat.com/en/topics/security/what-is-ldap-authentication). LDAP Injection is an attack used to exploit web based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it's possible to modify LDAP statements through techniques similar to [SQL Injection](https://owasp.org/www-community/attacks/SQL_Injection). -LDAP injection attacks could result in the granting of permissions to unauthorized queries, and content modification inside the LDAP tree. - -For more information on LDAP Injection attacks, visit [LDAP injection](https://owasp.org/www-community/attacks/LDAP_Injection). - -[LDAP injection](https://owasp.org/www-community/attacks/LDAP_Injection) attacks are common due to two factors: +This cheatsheet is focused on providing clear, simple, actionable guidance for preventing LDAP Injection flaws in your applications. [LDAP injection](https://owasp.org/www-community/attacks/LDAP_Injection) attacks are common due to two factors: 1. The lack of safer, parameterized LDAP query interfaces 2. The widespread use of LDAP to authenticate users to systems. +LDAP injection attacks could result in the granting of permissions to unauthorized queries, and content modification inside the LDAP tree. + Primary Defenses: - Escape all variables using the right LDAP encoding function +- Use a framework that escapes automatically. 
Additional Defenses: -- Use a framework (like [LINQtoLDAP](https://www.nuget.org/packages/LinqToLdap/) that escapes automatically. +- Least Privilege +- Allow-List Input Validation ## Primary Defenses @@ -39,7 +41,8 @@ or `uid=inewton, ou=Mathematics Department, dc=Cambridge, dc=com` -There are certain characters that are considered special characters in a DN. +A whitelist can be used to restrict input to a list of valid characters. Characters and character sequences that must be excluded from whitelists — including +Java Naming and Directory Interface (JNDI) metacharacters and LDAP special characters — are listed in the following list. The [exhaustive list](https://ldapwiki.com/wiki/Wiki.jsp?page=DN%20Escape%20Values) is the following: `\ # + < > , ; " =` and leading or trailing spaces. 
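Review bot: in the `@@ -2,26 +2,28 @@` hunk the new opening paragraph defines LDAP injection a second time right before the unchanged paragraph that already does ("LDAP Injection is an attack used to exploit web based applications that construct LDAP statements based on user input."); the sentence "LDAP injection results from inadequate input sanitization and validation and allows malicious users to glean restricted information using the directory service" says the same thing and should be folded into that paragraph or dropped, keeping the protocol description and the external LDAP link if wanted. Moving "Use a framework that escapes automatically." from Additional Defenses to Primary Defenses is consistent with "Defense Option 2" later in the file, and the dropped LINQtoLDAP link reappears there, so nothing is lost; the new Additional Defenses bullets "Least Privilege" and "Allow-List Input Validation" match the subsection headings below.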
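Review bot: in the `@@ -39,7 +41,8 @@` hunk the replacement text does not fit the section it lands in. This part of Defense Option 1 covers escaping the DN, and the unchanged sentence that follows ("The exhaustive list is the following: `\ # + < > , ; " =` and leading or trailing spaces.") is a list of characters to escape, not of characters to exclude from an allow-list; the removed line "There are certain characters that are considered special characters in a DN." introduced it correctly and should stay. If the allow-list advice is kept, use "allow-list" rather than "whitelist" to match "Allow-List Input Validation" elsewhere in the file, drop the redundant "are listed in the following list", move the mention of JNDI metacharacters into the Java example (it is Java-specific, this section is language-neutral), and cite the SEI CERT page here as the later hunk does for the same wording.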
@@ -76,8 +79,31 @@ For more information on search filter escaping visit [RFC4515](https://datatrack #### Safe Java Escaping Example -- [Prevent LDAP injection](https://wiki.sei.cmu.edu/confluence/spaces/flyingpdf/pdfpageexport.action?pageId=88487534). -- [Legacy OWASP ESAPI for Java DefaultEncoder which includes encodeForLDAP(String) and encodeForDN(String)](https://github.com/ESAPI/esapi-java-legacy/blob/develop/src/main/java/org/owasp/esapi/reference/DefaultEncoder.java). +The following solution uses a whitelist to sanitize user input so that the filter string contains only valid characters. In this code, userSN may contain +only letters and spaces, whereas a password may contain only alphanumeric characters: + +```text +// String userSN = "Sherlock Holmes"; // Valid +// String userPassword = "secret2"; // Valid +// ... beginning of LDAPInjection.searchRecord()... +sc.setSearchScope(SearchControls.SUBTREE_SCOPE); +String base = "dc=example,dc=com"; + +if (!userSN.matches("[\\w\\s]*") || !userPassword.matches("[\\w]*")) { + throw new IllegalArgumentException("Invalid input"); +} + +String filter = "(&(sn = " + userSN + ")(userPassword=" + userPassword + "))"; +// ... remainder of LDAPInjection.searchRecord()... +``` + +When a database field such as a password must include special characters, it is critical to ensure that the authentic data is stored in sanitized form in the +database and also that any user input is normalized before the validation or comparison takes place. Using characters that have special meanings in JNDI +and LDAP in the absence of a comprehensive normalization and whitelisting-based routine is discouraged. Special characters must be transformed to +sanitized, safe values before they are added to the whitelist expression against which input will be validated. 
Likewise, normalization of user input should +occur before the validation step (source: [Prevent LDAP injection](https://wiki.sei.cmu.edu/confluence/spaces/flyingpdf/pdfpageexport.action?pageId=88487534)). + +For further information visit [OWASP ESAPI Java Encoder Project which includes encodeForLDAP(String) and encodeForDN(String)](https://owasp.org/www-project-java-encoder/). #### Safe C Sharp .NET TBA Example 
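Review bot: in the `@@ -76,8 +79,31 @@` hunk the closing link text "OWASP ESAPI Java Encoder Project which includes encodeForLDAP(String) and encodeForDN(String)" points at the OWASP Java Encoder project, which is a separate project from ESAPI and does not provide encodeForLDAP or encodeForDN; those methods belong to the ESAPI Encoder, whose link this hunk removes ("Legacy OWASP ESAPI for Java DefaultEncoder which includes encodeForLDAP(String) and encodeForDN(String)"). Either restore that ESAPI reference or describe what Java Encoder actually offers, and the commit message's own "should really be validated" applies here. Related: the new block is an allow-list validation example (`userSN.matches("[\\w\\s]*")`), not an escaping example, yet it sits under "#### Safe Java Escaping Example" in Defense Option 1, so keep an escaping reference in this section or retitle and move the block under Allow-List Input Validation. Two smaller points in the code: `"(&(sn = " + userSN + ")..."` has spaces around `=`, which is not RFC 4515 filter syntax (the RFC this context line cites) and some servers reject, so write `(sn=`; and matching `(userPassword=...)` in a search filter is the source's illustration rather than a recommended way to authenticate, so a sentence pointing readers to LDAP bind for credential checks would prevent copy-paste of that pattern.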
@@ -91,28 +117,29 @@ For more information on search filter escaping visit [RFC4515](https://datatrack ### Defense Option 2: Use Frameworks that Automatically Protect from LDAP Injection -Safe NET Example +#### Safe .NET Example -[LINQ to Active Directory](https://linqtoad.codeplex.com) provides automatic LDAP encoding when building LDAP queries. +We recommend using [LINQ to LDAP](https://www.nuget.org/packages/LinqToLdap/) in DotNet. It provides automatic LDAP encoding when building LDAP queries. +Visit the [Readme file](https://github.com/madhatter22/LinqToLdap/blob/master/README.md) on github. -### Defense Option 3: Additional Defenses +## Additional Defenses Beyond adopting one of the two primary defenses, we also recommend adopting all of these additional defenses in order to provide defense in depth. These additional defenses are: - **Least Privilege** - **Allow-List Input Validation** -#### Least Privilege +### Least Privilege To minimize the potential damage of a successful LDAP injection attack, you should minimize the privileges assigned to the LDAP binding account in your environment. -#### Enabling Bind Authentication +### Enabling Bind Authentication If LDAP protocol is configured with bind Authentication, attackers would not be able to perform LDAP injection attacks because of verification and authorization checks that are performed against valid credentials passed by the user. An attacker can still bypass bind authentication through an anonymous connection or by exploiting the use of unauthenticated bind: Anonymous Bind (LDAP) and Unauthenticated Bind (LDAP). -#### Allow-List Input Validation +### Allow-List Input Validation Input validation can be used to detect unauthorized input before it is passed to the LDAP query. For more information please see the [Input Validation Cheat Sheet](Input_Validation_Cheat_Sheet.md). From 5ed62082b066eecc2a316be583ea700de8ced72b Mon Sep 17 00:00:00 2001 
From: wittjoe1 <147606163+wittjoe1@users.noreply.github.com> Date: Fri, 23 Feb 2024 15:39:53 +0100 Subject: [PATCH 4/4] Update LDAP_Injection_Prevention_Cheat_Sheet.md lint fixing --- cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.md b/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.md index 039cb8271f..094fbaf44f 100644 --- a/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.md +++ b/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.md @@ -1,5 +1,4 @@ # LDAP Injection Prevention Cheat Sheet - ## Introduction The Lightweight Directory Access Protocol (LDAP) allows an application to remotely perform operations such as searching and modifying records in @@ -82,7 +81,7 @@ For more information on search filter escaping visit [RFC4515](https://datatrack The following solution uses a whitelist to sanitize user input so that the filter string contains only valid characters. In this code, userSN may contain only letters and spaces, whereas a password may contain only alphanumeric characters: -```text +```java // String userSN = "Sherlock Holmes"; // Valid // String userPassword = "secret2"; // Valid // ... beginning of LDAPInjection.searchRecord()... @@ -120,7 +119,7 @@ For further information visit [OWASP ESAPI Java Encoder Project which includes e #### Safe .NET Example We recommend using [LINQ to LDAP](https://www.nuget.org/packages/LinqToLdap/) in DotNet. It provides automatic LDAP encoding when building LDAP queries. -Visit the [Readme file](https://github.com/madhatter22/LinqToLdap/blob/master/README.md) on github. +Contact the [Readme file](https://github.com/madhatter22/LinqToLdap/blob/master/README.md) in the project repository. ## Additional Defenses
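Review bot: in the `@@ -91,28 +117,29 @@` hunk of patch 3, "in DotNet" should read "in .NET" to match the new heading "#### Safe .NET Example", and "on github" should be "on GitHub". Promoting "### Defense Option 3: Additional Defenses" to "## Additional Defenses" and its subsections to `###` is fine, but the unchanged context still lists only "Least Privilege" and "Allow-List Input Validation" under "These additional defenses are:" while "### Enabling Bind Authentication" is a subsection of the same block; since this hunk already touches those headings, add it to the list.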
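Review bot: in the `@@ -1,5 +1,4 @@` hunk of patch 4, removing the only blank line between "# LDAP Injection Prevention Cheat Sheet" and "## Introduction" leaves two headings adjacent, which markdownlint reports as MD022 (headings should be surrounded by blank lines) rather than fixing anything; if the lint complaint was about consecutive blank lines (MD012), remove only the extra one and keep a single blank line between the two headings.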
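Review bot: in the `@@ -120,7 +119,7 @@` hunk of patch 4, "Contact the [Readme file](...) in the project repository." uses the wrong verb, since a README is read rather than contacted; "See the [README](...) in the project repository." keeps the intent of the line it replaces ("Visit the Readme file ... on github") while dropping the site name.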