A .NET library that provides protections against LDAP Injection.
Most of the of the code was extracted from Microsoft's AntiXss library LDAP Encoder, which is no longer maintained.
The latest AntiLdapInjection package is available for installation on NuGet.
dotnet add package AntiLdapInjectionInstall-Package AntiLdapInjectionSee NuGet page for additional installation options.
FilterEncode encodes input according to RFC 4515,
where unsafe values are converted to \XX (XX is the representation of the
unsafe character).
LdapEncoder.FilterEncode(string filterToEncode)| Character | Encoded |
|---|---|
( |
\28 |
) |
\29 |
\ |
\5c |
* |
\2a |
/ |
\2f |
NUL |
\0 |
string filter = "Parens R Us (for all your parenthetical needs)";
string encoded = LdapEncoder.FilterEncode(filter);
Console.WriteLine(encoded); // "Parens R Us \28for all your parenthetical needs\29"string filter = "*";
string encoded = LdapEncoder.FilterEncode(filter);
Console.WriteLine(encoded); // "\2A"string filter = @"C:\MyFile";
string encoded = LdapEncoder.FilterEncode(filter);
Console.WriteLine(encoded); // "C:\5CMyFile"string filter = "Lučić";
string encoded = LdapEncoder.FilterEncode(filter);
Console.WriteLine(encoded); // "Lu\C4\8Di\C4\87"DistinguishedNameEncode encodes input according to RFC 2253,
where unsafe characters are converted to #XX where XX is the representation
of the unsafe character and the comma, plus, quote, slash, less than and great
than signs are escaped using slash notation (\X). In addition to this, a space
or octothorpe (#) at the beginning of the input string is escaped (\), as is
a space at the end of a string.
LdapEncoder.DistinguishedNameEncode(string distinguishedNameToEncode)You have the option to turn off initial or final character escaping rules. For example, if you are concatenating a escaped distinguished name fragment into the midst of a complete distinguished name.
LdapEncoder.DistinguishedNameEncode(
string distinguishedNameToEncode,
bool useInitialCharacterRules,
bool useFinalCharacterRule
)| Character | Encoded |
|---|---|
& |
\& |
! |
\! |
| |
\| |
= |
\= |
< |
\< |
> |
\> |
, |
\, |
+ |
\+ |
- |
\- |
" |
\" |
' |
\' |
; |
\; |
string dn = @", + \ "" \ < >";
string encoded = LdapEncoder.DistinguishedNameEncode(dn);
Console.WriteLine(encoded); // "\, \+ \" \\ \< \>"string dn = " Hello";
string encoded = LdapEncoder.DistinguishedNameEncode(dn);
Console.WriteLine(encoded); // "\ Hello"string dn = "Hello ";
string encoded = LdapEncoder.DistinguishedNameEncode(dn);
Console.WriteLine(encoded); // "Hello\ "string dn = "#Hello";
string encoded = LdapEncoder.DistinguishedNameEncode(dn);
Console.WriteLine(encoded); // "\#Hello"string dn = "Lučić";
string encoded = LdapEncoder.DistinguishedNameEncode(dn);
Console.WriteLine(encoded); // "Lu#C4#8Di#C4#87"- OWASP: LDAP Injection Prevention Cheat Sheet
- OWASP: Testing for LDAP Injection
- Microsoft TechNet: Active Directory Characters to Escape
- Web Application Security Consortium: LDAP Injection
- Black Hat: PDF Whitepaper on LDAP Injection and Blind LDAP Injection
- RFC-1960: A String Representation of LDAP Search Filters
- IBM Redbooks: Understanding LDAP - Design and Implementation
- CWE: Improper Neutralization of Special Elements used in an LDAP Query (LDAP Injection)
Similar libraries providing protections against LDAP injection, not necessarily in .NET.
ldap-escape is an npm package that provides template literal tag functions for LDAP filters and distinguished names to prevent LDAP injection attacks.