...
The following code builds the bind DN by concatenating the username straight from the request, so a username containing LDAP metacharacters (for example a comma followed by a different `ou=` component) changes which entry the bind is performed against:

```java
// Vulnerable: untrusted username is concatenated straight into the bind DN
import javax.naming.Context;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import java.util.Hashtable;

// Assumed context: the page omits the environment setup (provider URL, factory, ...)
Hashtable<String, String> env = new Hashtable<>();

String principal = "cn=" + getParameter("username") + ", ou=Users, o=example";
String password = getParameter("password");
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, principal);
env.put(Context.SECURITY_CREDENTIALS, password);
// Create the initial context
DirContext ctx = new InitialDirContext(env);
```

Instead, implement code for LDAP as follows:

```java
// Hardened: refuse the request before any DN is built if the username carries LDAP specials
import javax.naming.Context;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import java.util.Hashtable;

// Assumed context: the page omits the environment setup (provider URL, factory, ...)
Hashtable<String, String> env = new Hashtable<>();

// if the username contains LDAP specials, stop now
if (containsLDAPspecials(getParameter("username"))) {
    throw new javax.naming.AuthenticationException();
}
String principal = "cn=" + getParameter("username") + ", ou=Users, o=example";
String password = getParameter("password");
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, principal);
env.put(Context.SECURITY_CREDENTIALS, password);
// Create the initial context
DirContext ctx = new InitialDirContext(env);
```
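The page calls `containsLDAPspecials()` but does not define it. The class below is an added example, not code from the page or from OWASP: it gives one hypothetical implementation of that check, and goes a step further than the page by also showing the two escaping routines a practitioner needs when the value cannot simply be rejected (RFC 4514 escaping for DN components, RFC 4515 escaping for search-filter assertions). The sample usernames in `main` are constructed for the demonstration.

```java
import java.util.regex.Pattern;

/** Added example: reject or escape user input before it reaches an LDAP DN or search filter. */
public final class LdapInputGuard {

    // Characters with structural meaning in a DN (RFC 4514) or a search filter (RFC 4515).
    private static final Pattern LDAP_SPECIALS = Pattern.compile("[,+\"\\\\<>;=()*\\x00#]");

    /** Hypothetical implementation of the page's containsLDAPspecials(): true means reject. */
    public static boolean containsLdapSpecials(String value) {
        if (value == null || value.isEmpty()) {
            return true;                                   // an empty RDN value is never a valid username
        }
        if (value.startsWith(" ") || value.endsWith(" ")) {
            return true;                                   // leading/trailing spaces alter DN parsing
        }
        return LDAP_SPECIALS.matcher(value).find();
    }

    /** Escape a value for use inside a DN attribute value (RFC 4514 section 2.4). */
    public static String escapeDnValue(String value) {
        StringBuilder sb = new StringBuilder(value.length() + 8);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case ',': case '+': case '"': case '\\': case '<': case '>': case ';': case '=':
                    sb.append('\\').append(c);              // backslash-escape structural characters
                    break;
                case '\0':
                    sb.append("\\00");                     // NUL must be hex-escaped
                    break;
                case '#':
                    if (i == 0) { sb.append("\\#"); } else { sb.append(c); }   // only special when leading
                    break;
                case ' ':
                    if (i == 0 || i == value.length() - 1) { sb.append("\\ "); } else { sb.append(c); }
                    break;
                default:
                    sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Escape a value for use inside a search filter assertion (RFC 4515 section 3). */
    public static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length() + 8);
        for (char c : value.toCharArray()) {
            switch (c) {
                case '*':  sb.append("\\2a"); break;       // wildcard
                case '(':  sb.append("\\28"); break;       // filter grouping
                case ')':  sb.append("\\29"); break;
                case '\\': sb.append("\\5c"); break;       // escape character itself
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed inputs: a benign username, a DN-style injection attempt, a filter-style one.
        String[] samples = { "alice", "admin, ou=Admins", "bob)(uid=*" };
        for (String s : samples) {
            System.out.printf("%-20s reject=%-5s dn=%s filter=%s%n",
                    s, containsLdapSpecials(s),
                    "cn=" + escapeDnValue(s) + ",ou=Users,o=example",
                    "(uid=" + escapeFilterValue(s) + ")");
        }
    }
}
```

For a login path, rejecting (as the page does) is the simpler and safer policy because a legitimate username never needs these characters; escaping is the fallback for attributes such as display names where such characters can legitimately appear. Note that DN escaping and filter escaping are different rule sets and must not be swapped.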
Prevention:
References:
SANS Secure Coding in Java/JEE – Developing Defensive Applications
...
https://www.owasp.org/index.php/Interpreter_Injection
Videos:
Basic SQL Injection:
http://www.youtube.com/watch?v=pypTYPaU7mM
https://www.youtube.com/watch?v=02mLrFVzIYU&list=PLoyY7ZjHtUUVLs2fy-ctzZDSPpawuQ28d
Advanced SQL by Joe McCray: