A recent scan of a .NET web application detected an LDAP injection vulnerability for a field that was used for a username assigned to an instance of a custom class named User.

After stepping through the code, I found that the User instance was given the System.Security.Principal.WindowsPrincipal instance, and did in fact send an authentication request for the supplied username to the hosting computer's IIS server, appearing as a logon event in the Security logs.

I haven't yet been able to consistently get a response for the injection for both positive and negative LDAP query results, but it seems very possible. I'm working to get another scan with the same results; I'm having some trouble, but haven't reached a wall yet.

Validating against a whitelist will prevent the classObject string from being injected, but I think using the User string in .NET shouldn't be done for this reason. However, I'm also wondering about the System.Security.Principal.WindowsPrincipal namespace being an LDAP injection vulnerability itself.

Are there any ways to prevent this besides whitelist validation that still allow the System namespace to be used in a .cs file? Or should the User classes that are intended to be custom be changed to another string?
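The question asks what can be done besides whitelist validation. The following is an added example, not code from the original post or from the application it describes; it assumes the vulnerable path concatenates the supplied username into an LDAP search filter string (for instance one handed to a System.DirectoryServices DirectorySearcher). It layers two defences: a whitelist of allowed username characters (the pattern is an assumption; real directories have their own naming rules) and, independently, RFC 4515 escaping of the value so that filter metacharacters are treated as literal text even if the whitelist is later loosened. The class name LdapFilterSafety and its methods are hypothetical names chosen for this example.

```csharp
using System;
using System.Text;
using System.Text.RegularExpressions;

// Added example: defensive construction of an LDAP search filter from an
// untrusted username. Not part of the original post.
public static class LdapFilterSafety
{
    // Whitelist of typical sAMAccountName characters. The exact set is an
    // assumption for this example; adapt it to the directory's naming rules.
    private static readonly Regex UsernameWhitelist =
        new Regex(@"^[A-Za-z0-9._-]{1,64}$", RegexOptions.Compiled);

    // Layer 1: reject anything outside the allowed character set.
    public static bool IsWhitelistedUsername(string username)
    {
        return username != null && UsernameWhitelist.IsMatch(username);
    }

    // Layer 2: RFC 4515 escaping for a value placed inside a search filter.
    // Each metacharacter becomes a backslash followed by its hex code, so it
    // can no longer open, close or wildcard a filter component.
    public static string EscapeFilterValue(string value)
    {
        if (value == null) throw new ArgumentNullException(nameof(value));
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // Builds the filter the application would assign to DirectorySearcher.Filter.
    // The whitelist check rejects hostile input outright; the escaping is kept
    // anyway so the filter's structure cannot change even if the whitelist is
    // relaxed in the future.
    public static string BuildUserFilter(string username)
    {
        if (!IsWhitelistedUsername(username))
            throw new ArgumentException("username rejected by whitelist");
        return "(&(objectClass=user)(sAMAccountName=" + EscapeFilterValue(username) + "))";
    }

    public static void Main()
    {
        // Constructed sample inputs for this example.
        Console.WriteLine(BuildUserFilter("jdoe"));

        // A value containing filter metacharacters: the whitelist rejects it,
        // and escaping alone would already turn it into harmless literal text.
        string metachars = "*)(objectClass=*";
        Console.WriteLine(EscapeFilterValue(metachars));
        try
        {
            BuildUserFilter(metachars);
        }
        catch (ArgumentException e)
        {
            Console.WriteLine("rejected: " + e.Message);
        }
    }
}
```

Two caveats on scope: this escaping applies only to values inside a search filter. If the username is instead used to build a distinguished name (for example as part of a bind DN), RFC 4514 DN escaping has a different rule set and must be used in its place. And neither layer depends on which namespaces are imported in the .cs file; the risk lives at the point where the untrusted string is joined into the LDAP query, so that is where the validation and escaping belong.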