How to resolve these errors: improper neutralization of special elements used in an LDAP query ('LDAP injection') (CWE ID 90) (2 flaws); insufficient input validation (2 flaws)?


Question


Hi folks,

I developed a Windows service in .NET using the C# language. I gave my .exe file to a Veracode scan; after that, the report shows some errors like below.

FYI: I am using an LDAP query like below. How to resolve these errors? It's a Windows service, not a web application.

using System.DirectoryServices;
// mySearcher is a DirectorySearcher already bound to the domain (its creation is not shown in the post)
string s1 = "xyz";
// s1 is concatenated straight into the filter without escaping; this is the line Veracode flags
mySearcher.Filter = "(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)(sAMAccountName=" + s1 + "))";
SearchResult sresult = mySearcher.FindOne();



=> Insufficient Input Validation (2 flaws)
Description:
Weaknesses in this category are related to an absent or incorrect protection mechanism that fails to properly validate input
that can affect the control flow or data flow of a program.
Recommendations:
Validate input from untrusted sources before it is used. The untrusted data sources may include HTTP requests, file systems,
databases, and any external systems that provide data to the application. In the case of HTTP requests, validate all parts of
the request, including headers, form fields, cookies, and URL components that are used to transfer information from the
browser to the server side application.
Duplicate any client-side checks on the server side. This should be simple to implement in terms of time and difficulty, and will
greatly reduce the likelihood of insecure parameter values being used in the application.


=> Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') (CWE ID 90) (2 flaws)
Description
The software does not sufficiently sanitize special elements that are used in LDAP queries or responses, allowing
attackers to modify the syntax, contents, or commands of the LDAP query before it is executed.
Effort to Fix: 3 - Complex implementation error. Fix is approx. 51-500 lines of code. Up to 5 days to fix.
Recommendations
Validate all untrusted input to ensure that it conforms to the expected format, using centralized data validation routines
when possible. When using black lists, be sure that the sanitizing routine performs a sufficient number of iterations to
remove all instances of disallowed characters.

What I have tried:

mySearcher.Filter = "(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)(sAMAccountName=" + Encoder.LdapFilterEncode(Encoder.HtmlEncode(s1)) + "))";

Recommended answer

Inspect the results of Encoder.HtmlEncode(s1), and then inspect the results of Encoder.LdapFilterEncode(Encoder.HtmlEncode(s1)). You may be inadvertently injecting special characters into the string as a result of the encoding.

It might also see the & symbol near the beginning of your string as a special character.
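The Veracode recommendation above (validate with a centralized routine, then neutralize LDAP metacharacters) and the answer's point that HTML encoding is the wrong transformation for an LDAP filter can be shown together. The following is an added example, not code from the original question or answer: it escapes the untrusted value according to RFC 4515 (the five filter metacharacters become backslash plus two hex digits) instead of HTML-encoding it, and guards the value with an allow-list first. The allow-list pattern and the `LdapFilterBuilder`/`FindEnabledUser` names are assumptions for this example; the filter itself is the one from the post.

```csharp
using System;
using System.Text;
using System.Text.RegularExpressions;
using System.DirectoryServices;

// Added example (not from the original post): build the sAMAccountName filter
// from an untrusted value without letting it change the filter's syntax.
static class LdapFilterBuilder
{
    // Escape a filter assertion value as defined in RFC 4515 section 3.
    // Each special character becomes a backslash followed by its two-digit hex code,
    // so the value can never open or close a filter component or act as a wildcard.
    public static string EscapeFilterValue(string value)
    {
        if (value == null) throw new ArgumentNullException(nameof(value));
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // Centralized validation routine, as the report recommends. A user sAMAccountName is
    // at most 20 characters; the allow-list of letters, digits, dot, underscore and hyphen
    // is an assumption for this example and is stricter than what Active Directory permits.
    private static readonly Regex SamAccountNamePattern =
        new Regex(@"^[A-Za-z0-9._\-]{1,20}$", RegexOptions.CultureInvariant);

    public static bool IsValidSamAccountName(string value)
    {
        return value != null && SamAccountNamePattern.IsMatch(value);
    }

    // The same filter the post uses, with the untrusted value validated and then escaped.
    // Escaping alone already neutralizes the metacharacters; validation rejects anything
    // that is not a plausible account name before it reaches the directory at all.
    public static string BuildEnabledUserFilter(string samAccountName)
    {
        if (!IsValidSamAccountName(samAccountName))
            throw new ArgumentException("sAMAccountName contains disallowed characters", nameof(samAccountName));
        return "(&(objectCategory=person)(objectClass=user)" +
               "(!userAccountControl:1.2.840.113556.1.4.803:=2)" +
               "(sAMAccountName=" + EscapeFilterValue(samAccountName) + "))";
    }

    // Run the search against a caller-supplied search root (hypothetical helper for this example).
    public static SearchResult FindEnabledUser(DirectoryEntry searchRoot, string samAccountName)
    {
        using (var searcher = new DirectorySearcher(searchRoot))
        {
            searcher.Filter = BuildEnabledUserFilter(samAccountName);
            return searcher.FindOne();
        }
    }
}

class Demo
{
    static void Main()
    {
        // Constructed sample inputs: a normal account name and one carrying filter metacharacters.
        Console.WriteLine(LdapFilterBuilder.EscapeFilterValue("xyz"));
        Console.WriteLine(LdapFilterBuilder.EscapeFilterValue("a*b(c)\\d"));
        Console.WriteLine(LdapFilterBuilder.IsValidSamAccountName("a*b(c)\\d"));
        Console.WriteLine(LdapFilterBuilder.BuildEnabledUserFilter("xyz"));

        // Binding to a real domain is needed for the search itself; the LDAP path is a placeholder.
        // using (var root = new DirectoryEntry("LDAP://DC=placeholder,DC=local"))
        // {
        //     SearchResult sresult = LdapFilterBuilder.FindEnabledUser(root, "xyz");
        // }
    }
}
```

Because the value is both validated and escaped inside one routine that every caller must go through, the concatenation the scanner flagged no longer receives raw input, and `Encoder.HtmlEncode` (which would turn `&` into `&amp;` and leave `*`, `(` and `)` untouched) is not involved at all.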

