You must Sign In to post a response.
  • Category: .NET

    Preventing LDAP injection vulnerabilities in my code .NET

    I have implemented LDAP authonication in project ,now i want Preventing LDAP injection vulnerabilities in my code .NET
    i have below code
    Private Sub Initialize(ByVal id As String, ByVal password As String, ByVal searchVal As String)
    searcher.Filter = "(&(objectClass=user)(samaccountname=" + searchVal + "))"

    searcher.ReferralChasing = ReferralChasingOption.All

    now i want whitelist this code when i run ,HP fifty , it is showing crictcal error , how do i fix this issue ,can any help me out

    Thanks
    praveen
  • #769117
    You just remain open for injection vulnerabilities if you allow full context searches. Try something like this code snippet(still a very restrictive set):

    ' removes all characters not in A-Z, a-z, 0-9 or underscore, at-sign and dot '
    Dim cleanSarchVal As String = Regex.Replace(searchVal, "[^a-zA-Z0-9_@.,=]", "")

    searcher.Filter = "(&(objectClass=user)(samaccountname=" + cleanSearchVal + "))"


Sign In to post your comments