# Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') (CWE-90) The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query. **Stack:** JavaScript - Prevalence: High Frequently exploited - Impact: High 3 high-severity rules - Prevention: Documented 3 fix examples **OWASP:** Injection (A03:2021-Injection) - #3 ## Description If user input is incorporated into an LDAP query without proper sanitization, an attacker can inject LDAP commands that could read or modify sensitive directory information. ## Prevention Prevention strategies for LDAP Injection based on 1 Shoulder detection rules. ### JavaScript Escape LDAP special characters in user input before constructing LDAP queries ## Warning Signs - [HIGH] user input flowing to LDAP queries without escaping special characters ## Consequences - Read Application Data - Modify Application Data - Bypass Protection Mechanism ## Mitigations - Use parameterized LDAP queries where possible - Escape or encode all user input used in LDAP queries - Validate input against an allowlist of acceptable characters ## Detection - Total rules: 3 - Languages: go, javascript, typescript, python ## Rules by Language ### Javascript (1 rules) - **LDAP Injection** [HIGH]: Detects user input flowing to LDAP queries without escaping special characters. - Remediation: Escape LDAP special characters before including user input in queries. ```javascript const safe = input.replace(/[\\*()]/g, c => '\\' + c.charCodeAt(0).toString(16)); ldap.search(`cn=${safe},dc=example,dc=com`, opts); ``` Learn more: https://shoulder.dev/learn/javascript/cwe-90/ldap-injection ### Typescript (1 rules) - **LDAP Injection** [HIGH]: Detects user input flowing to LDAP queries without escaping special characters. - Remediation: Escape LDAP special characters before including user input in queries. ```javascript const safe = input.replace(/[\\*()]/g, c => '\\' + c.charCodeAt(0).toString(16)); ldap.search(`cn=${safe},dc=example,dc=com`, opts); ``` Learn more: https://shoulder.dev/learn/javascript/cwe-90/ldap-injection