HIGH ldap injectionfeathersjs

Ldap Injection in Feathersjs

Scan for ldap injection in feathersjs

How Ldap Injection Manifests in Feathersjs

LDAP injection in Feathersjs applications typically occurs when user-supplied data flows directly into LDAP queries without proper sanitization. Feathersjs applications often integrate with authentication providers, directory services, or enterprise systems that use LDAP, creating multiple injection vectors.

The most common scenario involves LDAP-based authentication where username or password parameters are concatenated into LDAP filters. Consider a Feathersjs authentication hook that constructs an LDAP query:

const { username, password } = hook.data;
const filter = `(uid=${username})`;
const result = await ldapjsClient.search(baseDN, { filter });

An attacker could submit username=admin)(objectClass=* as input, which would modify the LDAP filter to:

(uid=admin)(objectClass=*)

This bypasses authentication by matching any admin user regardless of password. The vulnerability stems from direct string interpolation without escaping special LDAP characters.

Another Feathersjs-specific manifestation occurs in service hooks that query LDAP directories for authorization decisions. Many enterprise Feathersjs applications use LDAP for role-based access control:

async function checkAuthorization(hook) {
  const { userId } = hook.params;
  const filter = `(employeeID=${userId})`;
  const results = await ldapClient.search('ou=users,dc=example,dc=com', { filter });
  
  if (results.length === 0) {
    throw new Error('Unauthorized');
  }
}

Here, a userId value like 1234)(memberOf=cn=admins could grant administrative privileges by modifying the LDAP filter to include membership in the admin group.

Feathersjs's flexible service architecture means LDAP injection can appear in various contexts: custom authentication strategies, authorization hooks, data population hooks, and even in service methods that proxy LDAP queries. The framework's convention-over-configuration approach sometimes leads developers to write quick LDAP integrations without considering injection risks.

Third-party Feathersjs plugins that integrate with LDAP directories can also introduce injection vulnerabilities. For example, a user management plugin might construct LDAP queries from REST parameters without proper validation, creating attack surfaces through the plugin's API endpoints.

The impact extends beyond authentication bypass. LDAP injection can enable information disclosure through crafted queries that return directory information the attacker shouldn't access, or even data manipulation if the LDAP server allows certain modification operations through crafted queries.

Feathersjs-Specific Detection

Detecting LDAP injection in Feathersjs applications requires examining both code patterns and runtime behavior. Static analysis should focus on service hooks and authentication strategies where LDAP queries are constructed.

Code patterns to identify include:

const filter = `(uid=${userInput})`;
const search = ldapClient.search(baseDN, { filter });

Look for direct string interpolation of user-controlled variables into LDAP filter strings. The presence of parentheses, asterisks, or other special LDAP characters in user input that gets concatenated into filters is a red flag.

middleBrick's scanner specifically tests for LDAP injection by sending payloads containing special LDAP characters to API endpoints and analyzing responses. For Feathersjs applications, it examines:

  • Authentication endpoints that might construct LDAP filters
  • Service methods that query directory services
  • Custom hooks that perform LDAP operations
  • Plugin endpoints that might proxy LDAP queries

The scanner sends payloads like )(objectClass=*, )(&, and various character combinations to test if LDAP filters can be manipulated. It then analyzes whether responses indicate successful injection by checking for unexpected data or authentication bypass.

Runtime detection involves monitoring LDAP query patterns. If your Feathersjs application logs LDAP queries, look for:

  • Queries with unexpected parentheses or operators
  • Filters that don't match the expected structure
  • Authentication successes with suspicious input patterns

middleBrick's continuous monitoring (Pro plan) can automatically scan your Feathersjs APIs on a schedule, catching LDAP injection vulnerabilities before they're exploited in production. The scanner provides specific findings with the exact payload that triggered the vulnerability and the affected code path.

For development teams, integrating middleBrick's GitHub Action into your CI/CD pipeline ensures LDAP injection vulnerabilities are caught before deployment. The action can fail builds if security scores drop below your threshold, preventing vulnerable code from reaching production.

middleBrick's OpenAPI analysis also helps by examining your Feathersjs service definitions to identify endpoints that might be vulnerable to LDAP injection based on their parameter names and data types, then correlating this with runtime scanning results.

Feathersjs-Specific Remediation

Remediating LDAP injection in Feathersjs applications requires proper input sanitization and safe query construction patterns. The most reliable approach is using parameterized LDAP queries or escaping special characters.

Feathersjs applications can use the ldapjs library's built-in escaping functions:

const ldap = require('ldapjs');

async function safeLdapSearch(username) {
  const escapedUsername = ldap.filter.escape(username);
  const filter = `(uid=${escapedUsername})`;
  return await ldapClient.search(baseDN, { filter });
}

This escapes special LDAP characters like (, ), *, , and , preventing filter manipulation.

For Feathersjs authentication hooks, create a reusable safe LDAP query function:

const { hooks } = require('@feathersjs/hooks');
const ldap = require('ldapjs');

async function ldapAuthHook(context) {
  const { username, password } = context.data;
  
  if (!username || !password) {
    throw new Error('Missing credentials');
  }
  
  const escapedUsername = ldap.filter.escape(username);
  const filter = `(uid=${escapedUsername})`;
  
  try {
    const results = await ldapClient.search(baseDN, { filter, scope: 'sub' });
    const entries = await new Promise(resolve => {
      const items = [];
      results.on('searchEntry', entry => items.push(entry.object));
      results.on('error', err => resolve(null));
      results.on('end', () => resolve(items));
    });
    
    if (entries.length === 0) {
      throw new Error('Invalid credentials');
    }
    
    const user = entries[0];
    const bound = await ldapClient.bind(user.dn, password);
    
    if (!bound) {
      throw new Error('Authentication failed');
    }
    
    context.result = { 
      ...user,
      accessToken: generateToken(user)
    };
    
  } catch (error) {
    throw new Error('Authentication failed');
  }
}

module.exports = hooks(ldapAuthHook);

For authorization checks, use similar escaping patterns:

async function checkLdapAuthorization(userId, requiredGroup) {
  const escapedUserId = ldap.filter.escape(userId);
  const escapedGroup = ldap.filter.escape(requiredGroup);
  
  const userFilter = `(employeeID=${escapedUserId})`;
  const groupFilter = `(memberOf=${escapedGroup})`;
  
  const userPromise = ldapClient.search('ou=users,dc=example,dc=com', { filter: userFilter });
  const groupPromise = ldapClient.search('ou=groups,dc=example,dc=com', { filter: groupFilter });
  
  const [users, groups] = await Promise.all([userPromise, groupPromise]);
  
  return users.length > 0 && groups.length > 0;
}

Feathersjs service methods can incorporate these safe patterns:

class LdapService {
  async find(params) {
    const { ldapFilter } = params.query;
    if (!ldapFilter) return [];
    
    const safeFilter = ldap.filter.escape(ldapFilter);
    const results = await ldapClient.search(baseDN, { filter: safeFilter });
    
    return new Promise(resolve => {
      const items = [];
      results.on('searchEntry', entry => items.push(entry.object));
      results.on('end', () => resolve(items));
    });
  }
}

module.exports = app => app.use('/ldap', new LdapService());

For maximum security, implement input validation that restricts allowed characters in LDAP query parameters. Only permit alphanumeric characters and a limited set of safe symbols:

function validateLdapInput(input) {
  const pattern = /^[a-zA-Z0-9._@-]+$/;
  return pattern.test(input);
}

// Usage in hooks
if (!validateLdapInput(username)) {
  throw new Error('Invalid input');
}

middleBrick's scanner can verify these remediations by testing the same injection payloads against your patched Feathersjs application, ensuring the vulnerabilities are properly fixed. The scanner provides detailed reports showing which injection attempts were successfully blocked.

Scan for ldap injection in feathersjs Free API security scan

Frequently Asked Questions

How can I test my Feathersjs application for LDAP injection vulnerabilities?
Use middleBrick's self-service scanner by submitting your API URL. It tests for LDAP injection by sending special character payloads to authentication and query endpoints, then analyzes responses for signs of successful injection. The scanner provides specific findings with the exact payload that triggered vulnerabilities and maps results to OWASP API Top 10 categories.
Does middleBrick require access to my LDAP server to scan for injection vulnerabilities?
No. middleBrick performs black-box scanning of your API endpoints without requiring credentials or access to backend systems. It tests the unauthenticated attack surface by sending crafted requests to your Feathersjs application's exposed endpoints and analyzing the responses for injection indicators.

Related Pages

Ldap Injection in Feathersjs on GcpUnderstand LDAP Injection in FeathersJS on GCP, with secure coding examples and GCP-specific remediation guidance.Ldap Injection in Feathersjs on KubernetesUnderstanding LDAP Injection in FeathersJS on Kubernetes, with specific remediation patterns and Kubernetes network poliLdap Injection in Feathersjs on NetlifyLdap Injection in Feathersjs with Netlify: causes, secure coding examples for Netlify Functions, and remediation guidancLdap Injection in Feathersjs on CloudflareExplains LDAP Injection in Feathersjs with Cloudflare, detailing how the combo exposes risk and how to remediate with coOwasp Api Top 10: Ldap Injection in FeathersjsExplore LDAP Injection within OWASP API Top 10 as it applies to FeathersJS APIs, with secure coding examples and remediaHipaa: Ldap Injection in FeathersjsExplore HIPAA risks in LDAP Injection with FeathersJS, understand the exposure of PHI, and apply concrete code fixes forGdpr: Ldap Injection in FeathersjsExplore LDAP Injection risks in Feathersjs under GDPR, with concrete remediation examples and secure hook implementationNist: Ldap Injection in FeathersjsExplore LDAP Injection with Feathersjs through NIST controls. Learn how this combo exposes risks and apply Feathersjs-spLdap Injection in Feathersjs with Jwt TokensLDAP Injection risks in FeathersJS with JWT Tokens, differences between authentication and query safety, and concrete coLdap Injection in Feathersjs with Api KeysExplore Ldap Injection in Feathersjs with API keys: understand the risk and apply code-level fixes for safer authenticatLdap Injection in Feathersjs with Hmac SignaturesExplore LDAP Injection risks in FeathersJS with Hmac Signatures, understand the combined threat model, and apply concretLdap Injection in Feathersjs with Basic AuthUnderstand LDAP Injection in FeathersJS with Basic Auth and apply concrete Basic Auth fixes in FeathersJS with code exam