Update: LDAP Injection Prevention Cheat Sheet

cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.md

@@ -1,27 +1,28 @@
 # LDAP Injection Prevention Cheat Sheet
-
 ## Introduction
 
-This cheatsheet is focused on providing clear, simple, actionable guidance for preventing LDAP Injection flaws in your applications.
+The Lightweight Directory Access Protocol (LDAP) allows an application to remotely perform operations such as searching and modifying records in
+directories. LDAP injection results from inadequate input sanitization and validation and allows malicious users to glean restricted information using the
+directory service. For general information about LDAP please visit [lightweight directory access protocol (LDAP)](https://www.redhat.com/en/topics/security/what-is-ldap-authentication).
 
 LDAP Injection is an attack used to exploit web based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it's possible to modify LDAP statements through techniques similar to [SQL Injection](https://owasp.org/www-community/attacks/SQL_Injection).
 
-LDAP injection attacks could result in the granting of permissions to unauthorized queries, and content modification inside the LDAP tree.
-
-For more information on LDAP Injection attacks, visit [LDAP injection](https://owasp.org/www-community/attacks/LDAP_Injection).
-
-[LDAP injection](https://owasp.org/www-community/attacks/LDAP_Injection) attacks are common due to two factors:
+This cheatsheet is focused on providing clear, simple, actionable guidance for preventing LDAP Injection flaws in your applications. [LDAP injection](https://owasp.org/www-community/attacks/LDAP_Injection) attacks are common due to two factors:
 
 1. The lack of safer, parameterized LDAP query interfaces
 2. The widespread use of LDAP to authenticate users to systems.
 
+LDAP injection attacks could result in the granting of permissions to unauthorized queries, and content modification inside the LDAP tree.
+
 Primary Defenses:
 
 - Escape all variables using the right LDAP encoding function
+- Use a framework that escapes automatically.
 
 Additional Defenses:
 
-- Use a framework (like [LINQtoLDAP](https://www.nuget.org/packages/LinqToLdap/) that escapes automatically.
+- Least Privilege
+- Allow-List Input Validation
 
 ## Primary Defenses
 
@@ -39,7 +40,8 @@ or
 
 `uid=inewton, ou=Mathematics Department, dc=Cambridge, dc=com`
 
-There are certain characters that are considered special characters in a DN.
+A whitelist can be used to restrict input to a list of valid characters. Characters and character sequences that must be excluded from whitelists — including
+Java Naming and Directory Interface (JNDI) metacharacters and LDAP special characters — are listed in the following list.
 
 The [exhaustive list](https://ldapwiki.com/wiki/Wiki.jsp?page=DN%20Escape%20Values) is the following: `\ # + < > , ; " =` and leading or trailing spaces.
 
@@ -76,8 +78,31 @@ For more information on search filter escaping visit [RFC4515](https://datatrack
 
 #### Safe Java Escaping Example
 
-- [Prevent LDAP injection](https://wiki.sei.cmu.edu/confluence/spaces/flyingpdf/pdfpageexport.action?pageId=88487534).
-- [Legacy OWASP ESAPI for Java DefaultEncoder which includes encodeForLDAP(String) and encodeForDN(String)](https://github.com/ESAPI/esapi-java-legacy/blob/develop/src/main/java/org/owasp/esapi/reference/DefaultEncoder.java).
+The following solution uses a whitelist to sanitize user input so that the filter string contains only valid characters. In this code, userSN may contain
+only letters and spaces, whereas a password may contain only alphanumeric characters:
+
+```java
+// String userSN = "Sherlock Holmes"; // Valid
+// String userPassword = "secret2"; // Valid
+// ... beginning of LDAPInjection.searchRecord()...
+sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
+String base = "dc=example,dc=com";
+
+if (!userSN.matches("[\\w\\s]*") || !userPassword.matches("[\\w]*")) {
+ throw new IllegalArgumentException("Invalid input");
+}
+
+String filter = "(&(sn = " + userSN + ")(userPassword=" + userPassword + "))";
+// ... remainder of LDAPInjection.searchRecord()... 
+```
+
+When a database field such as a password must include special characters, it is critical to ensure that the authentic data is stored in sanitized form in the
+database and also that any user input is normalized before the validation or comparison takes place. Using characters that have special meanings in JNDI
+and LDAP in the absence of a comprehensive normalization and whitelisting-based routine is discouraged. Special characters must be transformed to
+sanitized, safe values before they are added to the whitelist expression against which input will be validated. Likewise, normalization of user input should
+occur before the validation step (source: [Prevent LDAP injection](https://wiki.sei.cmu.edu/confluence/spaces/flyingpdf/pdfpageexport.action?pageId=88487534)).
+
+For further information visit [OWASP ESAPI Java Encoder Project which includes encodeForLDAP(String) and encodeForDN(String)](https://owasp.org/www-project-java-encoder/).
 
 #### Safe C Sharp .NET TBA Example
 
@@ -91,28 +116,29 @@ For more information on search filter escaping visit [RFC4515](https://datatrack
 
 ### Defense Option 2: Use Frameworks that Automatically Protect from LDAP Injection
 
-Safe NET Example
+#### Safe .NET Example
 
-[LINQ to Active Directory](https://linqtoad.codeplex.com) provides automatic LDAP encoding when building LDAP queries.
+We recommend using [LINQ to LDAP](https://www.nuget.org/packages/LinqToLdap/) in DotNet. It provides automatic LDAP encoding when building LDAP queries.
+Contact the [Readme file](https://github.com/madhatter22/LinqToLdap/blob/master/README.md) in the project repository.
 
-### Defense Option 3: Additional Defenses
+## Additional Defenses
 
 Beyond adopting one of the two primary defenses, we also recommend adopting all of these additional defenses in order to provide defense in depth. These additional defenses are:
 
 - **Least Privilege**
 - **Allow-List Input Validation**
 
-#### Least Privilege
+### Least Privilege
 
 To minimize the potential damage of a successful LDAP injection attack, you should minimize the privileges assigned to the LDAP binding account in your environment.
 
-#### Enabling Bind Authentication
+### Enabling Bind Authentication
 
 If LDAP protocol is configured with bind Authentication, attackers would not be able to perform LDAP injection attacks because of verification
 and authorization checks that are performed against valid credentials passed by the user.
 An attacker can still bypass bind authentication through an anonymous connection or by exploiting the use of unauthenticated bind: Anonymous Bind (LDAP) and Unauthenticated Bind (LDAP).
 
-#### Allow-List Input Validation
+### Allow-List Input Validation
 
 Input validation can be used to detect unauthorized input before it is passed to the LDAP query. For more information please see the [Input Validation Cheat Sheet](Input_Validation_Cheat_Sheet.md).