# Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') (CWE-90) The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query. **Stack:** JavaScript - Prevalence: Hoch Häufig ausgenutzt - Impact: Hoch 3 Regeln mit hohem Schweregrad - Prevention: Dokumentiert 3 Fix-Beispiele **OWASP:** Injection (A03:2021-Injection) - #3 ## Description If user input is incorporated into an LDAP query without proper sanitization, an attacker can inject LDAP commands that could read or modify sensitive directory information. ## Prevention Präventionsstrategien für LDAP Injection basierend auf 1 Shoulder-Erkennungsregeln. ### JavaScript Escape LDAP special characters in user input before constructing LDAP queries ## Warning Signs - [HIGH] user input flowing to LDAP queries without escaping special characters ## Consequences - Anwendungsdaten lesen - Anwendungsdaten ändern - Schutzmechanismus umgehen ## Mitigations - Verwende, wann immer möglich, parametrisierte LDAP-Abfragen - Maskiere oder encodiere alle Benutzereingaben in LDAP-Abfragen - Validiere Eingaben gegen eine Allowlist akzeptabler Zeichen ## Detection - Total rules: 3 - Languages: go, javascript, typescript, python ## Rules by Language ### Javascript (1 rules) - **LDAP Injection** [HIGH]: Detects user input flowing to LDAP queries without escaping special characters. - Remediation: Escape LDAP special characters before including user input in queries. ```javascript const safe = input.replace(/[\\*()]/g, c => '\\' + c.charCodeAt(0).toString(16)); ldap.search(`cn=${safe},dc=example,dc=com`, opts); ``` Learn more: https://shoulder.dev/learn/javascript/cwe-90/ldap-injection ### Typescript (1 rules) - **LDAP Injection** [HIGH]: Detects user input flowing to LDAP queries without escaping special characters. - Remediation: Escape LDAP special characters before including user input in queries. ```javascript const safe = input.replace(/[\\*()]/g, c => '\\' + c.charCodeAt(0).toString(16)); ldap.search(`cn=${safe},dc=example,dc=com`, opts); ``` Learn more: https://shoulder.dev/learn/javascript/cwe-90/ldap-injection