Provides protections against LDAP Injection.
A .NET library that provides protections against LDAP Injection, a type of attack that can manipulate LDAP queries to access unauthorized information or perform unauthorized actions.
> [!NOTE]
> Most of the code was extracted from Microsoft's AntiXss library LDAP Encoder, which is no longer maintained.
The latest AntiLdapInjection package is available for installation on NuGet.
```shell
dotnet add package AntiLdapInjection
```

```powershell
Install-Package AntiLdapInjection
```
See NuGet page for additional installation options.
FilterEncode encodes input according to RFC 4515, where unsafe characters are converted to `\XX` (XX is the hexadecimal representation of the unsafe character).

```csharp
LdapEncoder.FilterEncode(string filterToEncode)
```
| Character | Encoded |
|---|---|
| ( | \28 |
| ) | \29 |
| \\ | \5c |
| * | \2a |
| / | \2f |
| NUL | \0 |
```csharp
string filter = "Parens R Us (for all your parenthetical needs)";
string encoded = LdapEncoder.FilterEncode(filter);
Console.WriteLine(encoded); // "Parens R Us \28for all your parenthetical needs\29"
```

```csharp
string filter = "*";
string encoded = LdapEncoder.FilterEncode(filter);
Console.WriteLine(encoded); // "\2A"
```

```csharp
string filter = @"C:\MyFile";
string encoded = LdapEncoder.FilterEncode(filter);
Console.WriteLine(encoded); // "C:\5CMyFile"
```

```csharp
string filter = "Lučić";
string encoded = LdapEncoder.FilterEncode(filter);
Console.WriteLine(encoded); // "Lu\C4\8Di\C4\87"
```
DistinguishedNameEncode encodes input according to RFC 2253, where unsafe characters are converted to `#XX` (XX is the hexadecimal representation of the unsafe character), and the comma, plus, quote, backslash, less-than and greater-than signs are escaped using backslash notation (`\X`). In addition, a space or octothorpe (#) at the beginning of the input string is escaped with a backslash, as is a space at the end of the string.

```csharp
LdapEncoder.DistinguishedNameEncode(string distinguishedNameToEncode)
```
You have the option to turn off the initial or final character escaping rules, for example when you are concatenating an escaped distinguished name fragment into the midst of a complete distinguished name.

```csharp
LdapEncoder.DistinguishedNameEncode(
    string distinguishedNameToEncode,
    bool useInitialCharacterRules,
    bool useFinalCharacterRule
)
```
| Character | Encoded |
|---|---|
| & | \& |
| ! | \! |
| \| | \\| |
| = | \= |
| < | \< |
| > | \> |
| , | \, |
| + | \+ |
| - | \- |
| " | \" |
| ' | \' |
| ; | \; |
```csharp
string dn = @", + \ "" \ < >";
string encoded = LdapEncoder.DistinguishedNameEncode(dn);
Console.WriteLine(encoded); // "\, \+ \" \\ \< \>"
```

```csharp
string dn = " Hello";
string encoded = LdapEncoder.DistinguishedNameEncode(dn);
Console.WriteLine(encoded); // "\ Hello"
```

```csharp
string dn = "Hello ";
string encoded = LdapEncoder.DistinguishedNameEncode(dn);
Console.WriteLine(encoded); // "Hello\ "
```

```csharp
string dn = "#Hello";
string encoded = LdapEncoder.DistinguishedNameEncode(dn);
Console.WriteLine(encoded); // "\#Hello"
```

```csharp
string dn = "Lučić";
string encoded = LdapEncoder.DistinguishedNameEncode(dn);
Console.WriteLine(encoded); // "Lu#C4#8Di#C4#87"
```
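The following is an added example, not code from the AntiLdapInjection project, showing both FilterEncode and DistinguishedNameEncode in the place where they matter: a search filter and a distinguished name assembled from untrusted input, with the unencoded variant alongside for comparison. The `AntiLdapInjection` namespace, the `System.DirectoryServices` reference and the `UserLookup` helpers are assumptions.

```csharp
// Added example (not part of the AntiLdapInjection project): assembling an LDAP
// filter and a distinguished name from untrusted input, with and without the encoder.
using System;
using System.DirectoryServices;   // DirectorySearcher; assumed to be referenced by the project
using AntiLdapInjection;          // namespace assumed to match the package name

public static class UserLookup   // hypothetical helper class
{
    // Vulnerable: the raw value is spliced into the filter, so a user name such as
    // "smith*" becomes a wildcard and matches more than one literal account.
    public static string BuildFilterUnsafe(string userName) =>
        "(&(objectClass=user)(sAMAccountName=" + userName + "))";

    // Hardened: '(' ')' '*' '\' '/' and NUL are turned into \XX escapes (RFC 4515),
    // so the value can only match an attribute holding exactly that text.
    public static string BuildFilter(string userName) =>
        "(&(objectClass=user)(sAMAccountName=" + LdapEncoder.FilterEncode(userName) + "))";

    // Hardened DN construction: the RDN value is escaped under RFC 2253 rules, so a
    // comma in the name cannot start a new RDN and a leading space or '#' is preserved.
    public static string BuildUserDn(string commonName, string baseDn) =>
        "CN=" + LdapEncoder.DistinguishedNameEncode(commonName) + "," + baseDn;

    // Runs the hardened filter against a directory; returns null when nothing matches.
    public static SearchResult FindUser(DirectoryEntry root, string userName)
    {
        using var searcher = new DirectorySearcher(root)
        {
            Filter = BuildFilter(userName),
            SizeLimit = 1,
        };
        return searcher.FindOne();
    }

    public static void Main()
    {
        string input = "smith*";   // constructed sample input carrying a wildcard
        Console.WriteLine(BuildFilterUnsafe(input));   // wildcard survives: broadened query
        Console.WriteLine(BuildFilter(input));         // wildcard escaped: literal lookup only
        Console.WriteLine(BuildUserDn(" Smith, John", "OU=Staff,DC=example,DC=com"));
    }
}
```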
Similar libraries that provide protections against LDAP injection, not necessarily in .NET:
ldap-escape is an npm package that provides template literal tag functions for LDAP filters and distinguished names to prevent LDAP injection attacks.