Ldap Injection in Express with Bearer Tokens

Ldap Injection occurs when an attacker can manipulate LDAP query construction, typically by injecting special characters such as asterisk (*), parentheses, ampersand, or backslash into inputs used to build LDAP filters. In an Express API that uses bearer tokens for authentication but then builds LDAP queries with unchecked user input, the bearer token secures entry to the endpoint while the application logic remains vulnerable to injection within the directory lookup.

Consider an endpoint that first validates a bearer token to identify who is making the request, then uses a username extracted from the token or from request parameters to search an LDAP directory. If the username is concatenated directly into an LDAP filter without escaping, an attacker can provide a crafted value like (uid=*))(|(objectClass=*) to alter the filter logic. This can bypass intended access controls or cause the server to return an excessive number of entries, leading to data exposure or unauthorized information disclosure. The combination of bearer token authentication and vulnerable LDAP query construction creates a scenario where authentication is not sufficient to prevent injection-based abuse.

For example, an endpoint might extract a username from a decoded JWT and use it as follows:

const ldap = require('ldapjs');
const client = ldap.createClient({ url: 'ldap://dc.example.com' });

app.get('/api/users/:username', (req, res) => {
  const username = req.params.username;
  const filter = `(uid=${username})`;
  client.search('dc=example,dc=com', { filter }, (err, result) => {
    if (err) { return res.status(500).send('LDAP error'); }
    const entries = [];
    result.on('searchEntry', (entry) => entries.push(entry.object));
    result.on('end', () => res.json(entries));
  });
});

In this pattern, the bearer token may be used elsewhere for session or scope validation, but the username used in the LDAP filter is directly interpolated. An attacker who controls the username can manipulate the filter structure, potentially retrieving other users’ entries or causing the server to perform expensive searches, which relates to BOLA/IDOR and Data Exposure checks in middleBrick’s scan. The vulnerability is specific to how input is handled after authentication, not to the presence of the token itself.

Additionally, if the API exposes an unauthenticated LDAP endpoint or allows bearer token–based calls to reach directory-searching code without strict input validation, middleBrick’s LLM/AI Security and BFLA/Privilege Escalation checks can surface risky patterns. Real-world LDAP injection techniques often map to OWASP API Top 10’s Broken Object Level Authorization and can intersect with sensitive data exposure if directory contents are returned unintentionally.

To remediate Ldap Injection in Express when using bearer tokens, ensure that any user-influenced data used in LDAP filters is properly escaped. Do not rely on bearer token validation alone to prevent injection; treat all inputs used in directory queries as untrusted.

Use an LDAP escape function to sanitize filter components. For example, with the library, construct filters safely by escaping the username:

const ldap = require('ldapjs');
const client = ldap.createClient({ url: 'ldap://dc.example.com' });

function escapeLDAPFilter(str) {
  if (!str) return '';
  return str.replace(/[\\*()\u0000\x00\x28\x29\x002a\x0028\x0029]/g, (char) => {
    return '\\' + char.charCodeAt(0).toString(16).padStart(2, '0');
  });
}

app.get('/api/users/:username', (req, res) => {
  const username = escapeLDAPFilter(req.params.username);
  const filter = `(uid=${username})`;
  client.search('dc=example,dc=com', { filter }, (err, result) => {
    if (err) { return res.status(500).send('LDAP error'); }
    const entries = [];
    result.on('searchEntry', (entry) => entries.push(entry.object));
    result.on('end', () => res.json(entries));
  });
});