# Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') (CWE-90) The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query. **Stack:** JavaScript - Prevalence: Wysoka Często wykorzystywana - Impact: Wysoki 3 reguł o wysokim poziomie - Prevention: Udokumentowane 3 przykładów poprawek **OWASP:** Injection (A03:2021-Injection) - #3 ## Description If user input is incorporated into an LDAP query without proper sanitization, an attacker can inject LDAP commands that could read or modify sensitive directory information. ## Prevention Strategie zapobiegania dla LDAP Injection oparte na 1 regułach detekcji Shoulder. ### JavaScript Escape LDAP special characters in user input before constructing LDAP queries ## Warning Signs - [HIGH] user input flowing to LDAP queries without escaping special characters ## Consequences - Odczyt danych aplikacji - Modyfikacja danych aplikacji - Obejście mechanizmu ochrony ## Mitigations - Tam, gdzie to możliwe, stosuj sparametryzowane zapytania LDAP - Eskapuj lub koduj wszystkie dane wprowadzane przez użytkownika używane w zapytaniach LDAP - Waliduj wejście wobec listy dozwolonych znaków ## Detection - Total rules: 3 - Languages: go, javascript, typescript, python ## Rules by Language ### Javascript (1 rules) - **LDAP Injection** [HIGH]: Detects user input flowing to LDAP queries without escaping special characters. - Remediation: Escape LDAP special characters before including user input in queries. ```javascript const safe = input.replace(/[\\*()]/g, c => '\\' + c.charCodeAt(0).toString(16)); ldap.search(`cn=${safe},dc=example,dc=com`, opts); ``` Learn more: https://shoulder.dev/learn/javascript/cwe-90/ldap-injection ### Typescript (1 rules) - **LDAP Injection** [HIGH]: Detects user input flowing to LDAP queries without escaping special characters. - Remediation: Escape LDAP special characters before including user input in queries. ```javascript const safe = input.replace(/[\\*()]/g, c => '\\' + c.charCodeAt(0).toString(16)); ldap.search(`cn=${safe},dc=example,dc=com`, opts); ``` Learn more: https://shoulder.dev/learn/javascript/cwe-90/ldap-injection