CWE
CWE/SANS Top 25 Most Dangerous Software Errors Common Weakness Scoring System
Common Weakness Risk Analysis Framework
Home > CWE List > CWE- Individual Dictionary Definition (2.1)  

CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

 
Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
Weakness ID: 90 (Weakness Base)Status: Draft
+ Description

Description Summary

The software constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.
+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Applicable Platforms

Languages

All

Technology Classes

Database-Server

+ Common Consequences
ScopeEffect
Confidentiality
Integrity
Availability

Technical Impact: Execute unauthorized code or commands; Read application data; Modify application data

+ Demonstrative Examples

Example 1

In the code excerpt below, user input data (address) isn't properly neutralized before it's used to construct an LDAP query.

(Bad Code)
Example Language: Java 
context = new InitialDirContext(env);
String searchFilter = "StreetAddress=" + address;
NamingEnumeration answer = context.search(searchBase, searchFilter, searchCtls);
+ Potential Mitigations

Assume all input is malicious. Use an appropriate combination of black lists and white lists to neutralize LDAP syntax from user-controlled input.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness ClassWeakness Class77Improper Neutralization of Special Elements used in a Command ('Command Injection')
Development Concepts (primary)699
Research Concepts (primary)1000
ChildOfCategoryCategory713OWASP Top Ten 2007 Category A2 - Injection Flaws
Weaknesses in OWASP Top Ten (2007) (primary)629
ChildOfCategoryCategory810OWASP Top Ten 2010 Category A1 - Injection
Weaknesses in OWASP Top Ten (2010) (primary)809
+ Relationship Notes

Factors: resultant to special character mismanagement, MAID, or blacklist/whitelist problems. Can be primary to authentication and verification errors.

+ Research Gaps

Under-reported. This is likely found very frequently by third party code auditors, but there are very few publicly reported examples.

+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
PLOVERLDAP injection
OWASP Top Ten 2007A2CWE_More_SpecificInjection Flaws
WASC29LDAP Injection
+ References
SPI Dynamics. "Web Applications and LDAP Injection".
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
PLOVERExternally Mined
Modifications
Modification DateModifierOrganizationSource
2008-07-01Sean EidemillerCigitalExternal
added/updated demonstrative examples
2008-07-01Eric DalciCigitalExternal
updated Time_of_Introduction
2008-09-08CWE Content TeamMITREInternal
updated Applicable_Platforms, Relationships, Other_Notes, Taxonomy_Mappings
2009-05-27CWE Content TeamMITREInternal
updated Name
2009-10-29CWE Content TeamMITREInternal
updated Other_Notes, Relationship_Notes
2010-02-16CWE Content TeamMITREInternal
updated Relationships, Taxonomy_Mappings
2010-06-21CWE Content TeamMITREInternal
updated Demonstrative_Examples, Description, Name, Potential_Mitigations, Relationships
2011-06-01CWE Content TeamMITREInternal
updated Common_Consequences
Previous Entry Names
Change DatePrevious Entry Name
2008-04-11LDAP Injection
2009-05-27Failure to Sanitize Data into LDAP Queries (aka 'LDAP Injection')
2010-06-21Failure to Sanitize Data into LDAP Queries ('LDAP Injection')
Page Last Updated: September 12, 2011