How to resolve these errors: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') (CWE ID 90) (2 flaws), Insufficient Input Validation (2 flaws)

  • Question

  • Hi folks,

I developed a console application in .NET using C#. I gave my .exe file to a Veracode scan, and after that the report shows some errors like the ones below. This .exe runs on a Windows server once daily. How are attacks possible in an .exe file on a server? May I know the exact reason behind this error?

    FYI: I am using an LDAP query like the one below. How do I resolve these errors? It's an .exe (console application), not a web application.

    using System.DirectoryServices;
    // Searcher bound to the default domain context (the binding is not shown in the original post)
    var mySearcher = new DirectorySearcher();
    string s1 = "xyz"; // value concatenated straight into the filter; this is what the scanner flags
    mySearcher.Filter = "(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)(sAMAccountName=" + s1 + "))";
    SearchResult sresult = mySearcher.FindOne();



    =>Insufficient Input Validation(2 flaws)
    Description:
    Weaknesses in this category are related to an absent or incorrect protection mechanism that fails to properly validate input
    that can affect the control flow or data flow of a program.
    Recommendations:
    Validate input from untrusted sources before it is used. The untrusted data sources may include HTTP requests, file systems,
    databases, and any external systems that provide data to the application. In the case of HTTP requests, validate all parts of
    the request, including headers, form fields, cookies, and URL components that are used to transfer information from the
    browser to the server side application.
    Duplicate any client-side checks on the server side. This should be simple to implement in terms of time and difficulty, and will
    greatly reduce the likelihood of insecure parameter values being used in the application.


    =>Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') (CWE ID 90)(2 flaws)
    Description
    The software does not sufficiently sanitize special elements that are used in LDAP queries or responses, allowing
    attackers to modify the syntax, contents, or commands of the LDAP query before it is executed.
    Effort to Fix: 3 - Complex implementation error. Fix is approx. 51-500 lines of code. Up to 5 days to fix.
    Recommendations
    Validate all untrusted input to ensure that it conforms to the expected format, using centralized data validation routines
    when possible. When using black lists, be sure that the sanitizing routine performs a sufficient number of iterations to
    remove all instances of disallowed characters.
    Thursday, April 5, 2018 3:13 PM

All replies

  • Hello RamanaReddy,

    >>Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

    LDAP injection is most likely SQL injection. The same advanced exploitation techniques available in SQL injection can be similarly applied in LDAP injection. For this you could try to adopt the prevention measures that Wikipedia provides.

    LDAP injection is a known attack and can be prevented by simple measures. All of the client-supplied input must be checked/sanitized for any characters that may result in malicious behavior. The input validation should verify the input by checking for the presence of special characters that are part of the LDAP query language, known data types, legal values, etc. Whitelist input validation can also be used to detect unauthorized input before it is passed to the LDAP query.

    And there is a thread that is in the same situation as yours.

    Preventing LDAP injection

    Best Regards,

    Neil Hu


    MSDN Community Support

    Friday, April 6, 2018 8:03 AM
    Moderator
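Worked example for the two findings above (this is added here and is not code from either post). The scanner flags the data-flow pattern in the question, a value concatenated unchanged into the filter string, regardless of whether the process is a web app or a scheduled .exe; whether it is actually exploitable depends on where `s1` really comes from at runtime (a command-line argument, a file, a database row), which the snippet does not show. The hardening follows the advice in Neil Hu's reply in two layers: an allow-list check on the account name (the "Insufficient Input Validation" finding), then RFC 4515 escaping of the value before it is placed in the filter (the CWE-90 finding). Assumptions: the LDAP path `LDAP://DC=example,DC=com` is a placeholder, the character class in the regex is a deliberately conservative guess at what user logon names in your directory look like, and `System.DirectoryServices` is available (Windows, or the NuGet package of that name).

```csharp
using System;
using System.DirectoryServices;
using System.Text;
using System.Text.RegularExpressions;

// Added example, not code from the original post. Hardens the posted filter in two layers:
// allow-list validation of the account name, then RFC 4515 escaping of the value.
static class LdapFilterDemo
{
    // The filter clauses from the post, minus the account-name clause that takes external data.
    const string EnabledUserPrefix =
        "(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)";

    // The pattern the scanner flagged: the value is concatenated into the filter unchanged,
    // so '*', '(', ')' and '\' inside it are parsed as filter syntax rather than as data.
    public static string BuildFilterUnsafe(string samAccountName)
    {
        return EnabledUserPrefix + "(sAMAccountName=" + samAccountName + "))";
    }

    // RFC 4515 escaping for a value placed inside a search filter: each metacharacter becomes
    // a backslash followed by its two hex digits, so the value can only ever match literally.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // Allow-list check (assumption: user logon names in this directory only use these
    // characters). A user sAMAccountName is at most 20 characters; widen the class if names
    // with spaces or other legal characters exist, the escaping still protects those.
    static readonly Regex SamAccountNamePattern = new Regex(@"^[A-Za-z0-9._-]{1,20}$");

    public static bool IsValidSamAccountName(string value)
    {
        return value != null && SamAccountNamePattern.IsMatch(value);
    }

    // Hardened version: reject unexpected shapes, and escape whatever passes (defence in
    // depth, so a later relaxation of the regex cannot reintroduce the injection).
    public static string BuildFilterSafe(string samAccountName)
    {
        if (!IsValidSamAccountName(samAccountName))
            throw new ArgumentException("sAMAccountName has an unexpected shape", nameof(samAccountName));
        return EnabledUserPrefix + "(sAMAccountName=" + EscapeFilterValue(samAccountName) + "))";
    }

    static void Main(string[] args)
    {
        // Constructed hostile input: a bare wildcard. Concatenated raw, the exact-match lookup
        // becomes "any enabled user" and FindOne() returns whichever account the server lists first.
        string hostile = "*";
        Console.WriteLine("unsafe:  " + BuildFilterUnsafe(hostile));
        Console.WriteLine("escaped: " + EnabledUserPrefix + "(sAMAccountName=" + EscapeFilterValue(hostile) + "))");
        Console.WriteLine("allow-list accepts \"" + hostile + "\": " + IsValidSamAccountName(hostile));

        // The real lookup: the name comes from the command line here; in the poster's job it
        // would be whatever external source feeds s1. The LDAP path is a placeholder.
        string name = args.Length > 0 ? args[0] : "xyz";
        string filter = BuildFilterSafe(name);
        using (var root = new DirectoryEntry("LDAP://DC=example,DC=com"))
        using (var searcher = new DirectorySearcher(root) { Filter = filter })
        {
            SearchResult result = searcher.FindOne();
            Console.WriteLine(result == null ? "no match for " + name : result.Path);
        }
    }
}
```

Run it with the account name as the first argument (`LdapFilterDemo.exe xyz`). Note that `System.DirectoryServices` has no built-in filter escaper, which is why `EscapeFilterValue` is written out; the AntiXSS library's `Encoder.LdapFilterEncode` does the same job if you prefer a packaged encoder. Either way the escaping belongs in one shared routine, as the Veracode recommendation says, not repeated at each call site.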