HIGH ldap injectionfeathersjsapi keys

Ldap Injection in Feathersjs with Api Keys

Scan for ldap injection in feathersjs

Ldap Injection in Feathersjs with Api Keys — how this specific combination creates or exposes the vulnerability

Ldap Injection occurs when user-controlled input is concatenated into an LDAP query without sanitization or parameterization, allowing attackers to manipulate the query structure. In FeathersJS, if an API route is configured to use API keys for client identification but the server-side service implementation builds LDAP filters by string concatenation, the API key value (or a field derived from it) may become part of the LDAP filter.

Consider a Feathers service that authenticates requests by validating an API key against an LDAP directory. If the implementation performs unsanitized string interpolation to build the search filter, an attacker-supplied API key can introduce LDAP metacharacters such as (, ), *, &, |, or !. For example, an API key like abc)(uid=admin) could cause the LDAP filter to become malformed, potentially bypassing intended access controls or exposing other directory entries.

FeathersJS services typically define a class with a find method that receives a params object. If the API key from params.query or from a hook is directly embedded into an LDAP filter string, the unauthenticated attack surface includes the query parameters and headers. This means an attacker can probe the endpoint without credentials, using crafted API keys to test for injection behavior. Because middleBrick scans the unauthenticated attack surface, such unsafe patterns can be detected through input validation and unsafe consumption checks.

In a typical vulnerable pattern, the service might construct a filter like (&(apikey=${userInput})(objectClass=person)). Special characters in userInput can break the filter syntax, leading to unintended subtree searches or errors that reveal information about the directory. This maps to OWASP API Top 10 categories such as Broken Object Level Authorization and Injection, and may intersect with compliance frameworks like PCI-DSS and SOC2 when directory services store sensitive identity data.

middleBrick’s LLM/AI Security checks do not apply here, but its input validation and authentication checks are designed to flag unsafe string usage and missing validation for API key formats. By scanning endpoints that rely on API keys for access control, middleBrick can surface these injection risks before they are exploited in production.

Api Keys-Specific Remediation in Feathersjs — concrete code fixes

Remediation focuses on avoiding string concatenation when building LDAP filters and validating API key formats. Use parameterized LDAP queries or an abstraction that escapes special characters. In FeathersJS, implement hook logic that validates and sanitizes API keys before they are used in directory queries.

Example of a vulnerable Feathers service using API keys unsafely:

// vulnerable example
class UserService {
  async find(params) {
    const apiKey = params.query.apiKey;
    const filter = `(&(apikey=${apiKey})(objectClass=person))`;
    const results = await ldap.search({ filter });
    return results;
  }
}

Secure version with input validation and safer filter construction:

// secure example
const escapeLdapFilter = (value) => {
  if (typeof value !== 'string') return '';
  // Escape special LDAP filter characters: * ( ) \ null char
  return value.replace(/[\\*()\x00]/g, (char) => {
    return '\\' + char.charCodeAt(0).toString(16).padStart(2, '0');
  });
};

class UserService {
  async find(params) {
    const providedKey = params.query.apiKey;
    // Validate API key format before use
    if (!/^[a-zA-Z0-9\-_]{8,32}$/.test(providedKey)) {
      throw new Error('Invalid API key format');
    }
    const safeKey = escapeLdapFilter(providedKey);
    const filter = `(&(apikey=${safeKey})(objectClass=person))`;
    const results = await ldap.search({ filter });
    return results;
  }
}

Additionally, prefer using an LDAP library that supports parameterized filters or binds with identity verification rather than constructing filters from raw input. Enforce strict API key formats via schema validation in the FeathersJS query middleware:

// featherjs hook for validation
const validateApiKey = (hook) => {
  const apiKey = hook.params.query.apiKey;
  if (apiKey && !/^[a-zA-Z0-9\-_]+$/.test(apiKey)) {
    throw new Error('Invalid characters in API key');
  }
  return hook;
};

module.exports = {
  before: {
    all: [validateApiKey]
  }
};

These changes ensure API keys are treated as opaque identifiers rather than raw LDAP filter components, mitigating injection risks while preserving integration functionality.

Scan for ldap injection in feathersjs Free API security scan

Frequently Asked Questions

Can middleBrick detect Ldap Injection in Feathersjs API endpoints that use API keys?
Yes. middleBrick tests unauthenticated attack surfaces and flags unsafe input usage in authentication and validation checks, including LDAP filter construction patterns.
Does middleBrick provide fixes for Ldap Injection findings?
middleBrick provides findings with remediation guidance, but it does not automatically fix code. Developers should apply input validation and safe LDAP query practices based on the reported guidance.

Related Pages

Ldap Injection in FeathersjsLDAP injection vulnerabilities in Feathersjs applications can bypass authentication and authorization. Learn Feathersjs-Ldap Injection with Api KeysLearn how LDAP injection vulnerabilities in API keys can lead to authentication bypass and data exposure, with specific Ldap Injection in Feathersjs on GcpUnderstand LDAP Injection in FeathersJS on GCP, with secure coding examples and GCP-specific remediation guidance.Ldap Injection in Feathersjs on KubernetesUnderstanding LDAP Injection in FeathersJS on Kubernetes, with specific remediation patterns and Kubernetes network poliLdap Injection in Feathersjs on NetlifyLdap Injection in Feathersjs with Netlify: causes, secure coding examples for Netlify Functions, and remediation guidancLdap Injection in Feathersjs on CloudflareExplains LDAP Injection in Feathersjs with Cloudflare, detailing how the combo exposes risk and how to remediate with coOwasp Api Top 10: Ldap Injection in FeathersjsExplore LDAP Injection within OWASP API Top 10 as it applies to FeathersJS APIs, with secure coding examples and remediaHipaa: Ldap Injection in FeathersjsExplore HIPAA risks in LDAP Injection with FeathersJS, understand the exposure of PHI, and apply concrete code fixes forGdpr: Ldap Injection in FeathersjsExplore LDAP Injection risks in Feathersjs under GDPR, with concrete remediation examples and secure hook implementationNist: Ldap Injection in FeathersjsExplore LDAP Injection with Feathersjs through NIST controls. Learn how this combo exposes risks and apply Feathersjs-spLdap Injection in Feathersjs with DynamodbExplore LDAP Injection risks when FeathersJS uses DynamoDB, with concrete validation and safe bind code examples.Ldap Injection in Feathersjs with CockroachdbUnderstand LDAP injection in Feathersjs with Cockroachdb and apply concrete remediation with code examples and validatio