This has been asked before, but the answers are outdated and I would like to know what the modern approach is.
I have some C# code to search Active Directory for an employee with employeeid id, which is a string that may have come from a web form or similar and can't be fully trusted:
using System.DirectoryServices;

DirectorySearcher search = new DirectorySearcher(new DirectoryEntry());
// id is concatenated straight into the LDAP filter without escaping
search.Filter = "(&(objectClass=user)(employeeid=" + id + "))";
search.PropertiesToLoad.Add("mail");
search.PropertiesToLoad.Add("telephonenumber");
SearchResult sresult = search.FindOne();
As you can see, it would not be too hard to enter an id value that would do things I don't really intend it to do. OWASP considers this to be a serious vulnerability. What is the best modern approach to prevent this?
I would prefer not to have my own code like this that manually replaces specific characters, if there is an alternative library function that is being actively maintained.
The best solution I've seen anywhere is using the AntiXSS library:
string encoded = Microsoft.Security.Application.Encoder.LdapFilterEncode(id);
But it appears that this library is no longer being maintained:
AntiXSS is now End of Life. In .NET 4.0 a version of AntiXSS was included in the framework and could be enabled via configuration. In ASP.NET v5 a white list based encoder will be the only encoder. As such the standalone versions of AntiXSS should be considered end of life. The source and installers will remain online to allow people using earlier versions of .NET to enable an alternative, whitelist based encoder, but no further enhancements, outside of security fixes, will be made.
Lots of answers point to LinqtoAD, which sure sounds like a great approach, but unfortunately doesn't sound like it was ever production-ready:
Disclaimer This project is meant as a basic sample on implementing custom LINQ query providers. It hasn't been tested thoroughly and we do not provide any support whatsoever. Do not use it in a production environment without proper testing and validation of the technology's behavior. Users are most welcome to report issues and bugs through the Issue Tracker on this site.
What is the modern approach? Is there anything in the newer versions of the .NET Framework to mitigate LDAP injection?
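As an added example (not code from the question, from AntiXSS, or from LinqtoAD), the following C# shows the two controls a defender normally combines: an allowlist check on the employee id's expected shape, and value escaping following the rule RFC 4515 defines for LDAP search filter values (the characters `*`, `(`, `)`, `\` and NUL become a backslash plus two hex digits; non-ASCII bytes are escaped the same way after UTF-8 encoding, which the RFC permits). The employee-id format in `LooksLikeEmployeeId` and the sample value in `Main` are assumptions made for the illustration; `FindEmployee` is the question's own search rewritten to use the escaped filter.

```csharp
using System;
using System.DirectoryServices;
using System.Text;
using System.Text.RegularExpressions;

public static class LdapFilter
{
    // Assumed format for this organisation's employee ids: 1-32 letters,
    // digits or hyphens. Rejecting anything else is the first line of
    // defence; escaping below is the second, for values that must be free-form.
    private static readonly Regex EmployeeIdShape =
        new Regex("^[A-Za-z0-9-]{1,32}$", RegexOptions.CultureInvariant);

    public static bool LooksLikeEmployeeId(string id)
    {
        return id != null && EmployeeIdShape.IsMatch(id);
    }

    // Escape a value for use inside an LDAP search filter (RFC 4515, section 3).
    // Filter metacharacters and any byte outside printable ASCII are replaced
    // by '\' followed by two lowercase hex digits, so the value can never
    // close the current assertion or open a new one.
    public static string EscapeValue(string value)
    {
        if (value == null) throw new ArgumentNullException(nameof(value));
        var sb = new StringBuilder(value.Length);
        foreach (byte b in Encoding.UTF8.GetBytes(value))
        {
            switch (b)
            {
                case (byte)'*':
                case (byte)'(':
                case (byte)')':
                case (byte)'\\':
                case 0x00:
                    sb.Append('\\').Append(b.ToString("x2"));
                    break;
                default:
                    if (b < 0x20 || b > 0x7e)
                        sb.Append('\\').Append(b.ToString("x2"));
                    else
                        sb.Append((char)b);
                    break;
            }
        }
        return sb.ToString();
    }

    // Build the same filter the question builds, but with the value escaped.
    public static string EmployeeFilter(string id)
    {
        return "(&(objectClass=user)(employeeid=" + EscapeValue(id) + "))";
    }

    // The question's search, with both controls applied.
    public static SearchResult FindEmployee(string id)
    {
        if (!LooksLikeEmployeeId(id))
            throw new ArgumentException("employee id has an unexpected format", nameof(id));

        using (var root = new DirectoryEntry())
        using (var search = new DirectorySearcher(root))
        {
            search.Filter = EmployeeFilter(id);
            search.PropertiesToLoad.Add("mail");
            search.PropertiesToLoad.Add("telephonenumber");
            return search.FindOne();
        }
    }

    public static void Main()
    {
        // Constructed sample value containing every filter metacharacter plus
        // a non-ASCII character; it is not a real employee id.
        string sample = "O'Brien (*)\\Zoë";
        Console.WriteLine(LooksLikeEmployeeId(sample));   // False: rejected by the allowlist
        Console.WriteLine(EscapeValue(sample));
        // O'Brien \28\2a\29\5cZo\c3\ab
        Console.WriteLine(EmployeeFilter("E-1042"));
        // (&(objectClass=user)(employeeid=E-1042))
    }
}
```

The allowlist check is the stronger control when the id format is known, because it rejects hostile input outright instead of neutralising it; the escape routine is what you fall back on for attributes whose values are genuinely free-form. Keep the escaping in one place and call it for every untrusted value that reaches a filter, and have a unit test pin the five metacharacter mappings so a later refactor cannot silently drop one.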