AntiLdapInjection 2.0.0
dotnet add package AntiLdapInjection --version 2.0.0
NuGet\Install-Package AntiLdapInjection -Version 2.0.0
<PackageReference Include="AntiLdapInjection" Version="2.0.0" />
paket add AntiLdapInjection --version 2.0.0
#r "nuget: AntiLdapInjection, 2.0.0"
// Install AntiLdapInjection as a Cake Addin #addin nuget:?package=AntiLdapInjection&version=2.0.0 // Install AntiLdapInjection as a Cake Tool #tool nuget:?package=AntiLdapInjection&version=2.0.0
Anti-LDAP Injection
A .NET library that provides protections against LDAP Injection, a type of attack that can manipulate LDAP queries to access unauthorized information or perform unauthorized actions.
[!NOTE]
Most of the code was extracted from Microsoft's AntiXss library LDAP Encoder, which is no longer maintained.
Installation
The latest AntiLdapInjection package is available for installation on NuGet.
Using dotnet CLI
dotnet add package AntiLdapInjection
Using NuGet Package Manager
Install-Package AntiLdapInjection
See NuGet page for additional installation options.
Usage
FilterEncode
FilterEncode
encodes input according to RFC 4515, where unsafe values are converted to \XX
(XX
is the representation of the unsafe character).
LdapEncoder.FilterEncode(string filterToEncode)
FilterEncode encoding chart
Character | Encoded |
---|---|
( |
\28 |
) |
\29 |
\ |
\5c |
* |
\2a |
/ |
\2f |
NUL |
\0 |
FilterEncode examples
Opening and closing parenthesis
string filter = "Parens R Us (for all your parenthetical needs)";
string encoded = LdapEncoder.FilterEncode(filter);
Console.WriteLine(encoded); // "Parens R Us \28for all your parenthetical needs\29"
Asterisk in search filter
string filter = "*";
string encoded = LdapEncoder.FilterEncode(filter);
Console.WriteLine(encoded); // "\2A"
Backslash in search filter
string filter = @"C:\MyFile";
string encoded = LdapEncoder.FilterEncode(filter);
Console.WriteLine(encoded); // "C:\5CMyFile"
Accents in search filter
string filter = "Lučić";
string encoded = LdapEncoder.FilterEncode(filter);
Console.WriteLine(encoded); // "Lu\C4\8Di\C4\87"
DistinguishedNameEncode
DistinguishedNameEncode
encodes input according to RFC 2253,
where unsafe characters are converted to #XX
where XX
is the representation
of the unsafe character and the comma, plus, quote, slash, less than and great
than signs are escaped using slash notation (\X
). In addition to this, a space
or octothorpe (#
) at the beginning of the input string is escaped (\
), as is
a space at the end of a string.
LdapEncoder.DistinguishedNameEncode(string distinguishedNameToEncode)
You have the option to turn off initial or final character escaping rules. For example, if you are concatenating an escaped distinguished name fragment into the midst of a complete distinguished name.
LdapEncoder.DistinguishedNameEncode(
string distinguishedNameToEncode,
bool useInitialCharacterRules,
bool useFinalCharacterRule
)
DistinguishedNameEncode encoding chart
Character | Encoded |
---|---|
& |
\& |
! |
\! |
\| |
\\| |
= |
\= |
< |
\< |
> |
\> |
, |
\, |
+ |
\+ |
- |
\- |
" |
\" |
' |
\' |
; |
\; |
DistinguishedNameEncode examples
Distinguished name slash notation
string dn = @", + \ "" \ < >";
string encoded = LdapEncoder.DistinguishedNameEncode(dn);
Console.WriteLine(encoded); // "\, \+ \" \\ \< \>"
Leading space in distinguished name
string dn = " Hello";
string encoded = LdapEncoder.DistinguishedNameEncode(dn);
Console.WriteLine(encoded); // "\ Hello"
Trailing space in distinguished name
string dn = "Hello ";
string encoded = LdapEncoder.DistinguishedNameEncode(dn);
Console.WriteLine(encoded); // "Hello\ "
Octothorpe character in distinguished name
string dn = "#Hello";
string encoded = LdapEncoder.DistinguishedNameEncode(dn);
Console.WriteLine(encoded); // "\#Hello"
Accents in distinguished name
string dn = "Lučić";
string encoded = LdapEncoder.DistinguishedNameEncode(dn);
Console.WriteLine(encoded); // "Lu#C4#8Di#C4#87"
LDAP injection resources
- OWASP: LDAP Injection Prevention Cheat Sheet
- OWASP: Testing for LDAP Injection
- Microsoft TechNet: Active Directory Characters to Escape
- Web Application Security Consortium: LDAP Injection
- Black Hat: PDF Whitepaper on LDAP Injection and Blind LDAP Injection
- RFC-1960: A String Representation of LDAP Search Filters
- IBM Redbooks: Understanding LDAP - Design and Implementation
- CWE: Improper Neutralization of Special Elements used in an LDAP Query (LDAP Injection)
Similar libraries
Similar libraries providing protections against LDAP injection, not necessarily in .NET.
Node.js
ldap-escape
ldap-escape is an npm package that provides template literal tag functions for LDAP filters and distinguished names to prevent LDAP injection attacks.
Other noteworthy .NET LDAP-related libraries
Product | Versions Compatible and additional computed target framework versions. |
---|---|
.NET | net5.0 was computed. net5.0-windows was computed. net6.0 was computed. net6.0-android was computed. net6.0-ios was computed. net6.0-maccatalyst was computed. net6.0-macos was computed. net6.0-tvos was computed. net6.0-windows was computed. net7.0 was computed. net7.0-android was computed. net7.0-ios was computed. net7.0-maccatalyst was computed. net7.0-macos was computed. net7.0-tvos was computed. net7.0-windows was computed. net8.0 was computed. net8.0-android was computed. net8.0-browser was computed. net8.0-ios was computed. net8.0-maccatalyst was computed. net8.0-macos was computed. net8.0-tvos was computed. net8.0-windows was computed. |
.NET Core | netcoreapp2.0 was computed. netcoreapp2.1 was computed. netcoreapp2.2 was computed. netcoreapp3.0 was computed. netcoreapp3.1 was computed. |
.NET Standard | netstandard2.0 is compatible. netstandard2.1 is compatible. |
.NET Framework | net461 was computed. net462 was computed. net463 was computed. net47 was computed. net471 was computed. net472 was computed. net48 was computed. net481 was computed. |
MonoAndroid | monoandroid was computed. |
MonoMac | monomac was computed. |
MonoTouch | monotouch was computed. |
Tizen | tizen40 was computed. tizen60 was computed. |
Xamarin.iOS | xamarinios was computed. |
Xamarin.Mac | xamarinmac was computed. |
Xamarin.TVOS | xamarintvos was computed. |
Xamarin.WatchOS | xamarinwatchos was computed. |
-
.NETStandard 2.0
- No dependencies.
-
.NETStandard 2.1
- No dependencies.
NuGet packages (1)
Showing the top 1 NuGet packages that depend on AntiLdapInjection:
Package | Downloads |
---|---|
Quaero.Ldap
Package Description |
GitHub repositories
This package is not used by any popular GitHub repositories.
Version | Downloads | Last updated |
---|---|---|
2.0.0 | 1,671 | 11/29/2024 |
1.1.4 | 75,299 | 5/20/2022 |
1.1.3 | 426 | 5/20/2022 |
1.1.2 | 475 | 5/18/2022 |
1.1.1 | 443 | 5/18/2022 |
1.1.0 | 422 | 1/6/2022 |
1.0.9 | 3,904 | 6/13/2021 |
1.0.8 | 394 | 2/26/2021 |
1.0.7 | 601 | 2/8/2021 |
1.0.6 | 396 | 2/5/2021 |
1.0.5 | 373 | 2/5/2021 |
1.0.4 | 385 | 2/5/2021 |
1.0.3 | 363 | 2/4/2021 |
1.0.2 | 357 | 2/3/2021 |
1.0.1 | 395 | 2/3/2021 |
1.0.0 | 387 | 2/3/2021 |
1.0.0-pre | 254 | 2/1/2021 |