Java Anonymous Ldap Bind Allowed
Description
Detects LDAP configurations that allow anonymous binds in Java applications. Anonymous LDAP binds are a security risk as they allow unauthenticated access to LDAP services, potentially exposing sensitive directory information to unauthorized users.
Detection Strategy
• Identifies creation of LDAP contexts through the InitialDirContext class
• Examines the LDAP connection properties (the JNDI environment) passed to the InitialDirContext constructor
• Reports a vulnerability if authentication credentials are not properly configured or if anonymous binds are explicitly allowed
• Checks specifically for missing or null values in the authentication parameters of the LDAP environment settings
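The four steps above, carried out on constructed Java snippets as an added Python example (this is not Fluid Attacks' rule engine, and the regular expressions and single-scope matching are simplifications assumed for illustration). The scanner locates every `new InitialDirContext(env)` call, collects the `Context.SECURITY_*` properties put on that same variable earlier in the snippet, and reports the three conditions the rule describes: authentication explicitly set to `"none"`, no authentication parameters at all (the LDAP provider then binds anonymously), and a `null` or empty `SECURITY_CREDENTIALS`. The last case matters because an LDAP server that follows RFC 4513 treats a bind with a name and an empty password as an unauthenticated bind, which most servers handle like an anonymous one.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# javax.naming.Context constants the rule cares about.
AUTH = "SECURITY_AUTHENTICATION"
PRINCIPAL = "SECURITY_PRINCIPAL"
CREDENTIALS = "SECURITY_CREDENTIALS"

# env.put(Context.SECURITY_..., <value>);  -- one property assignment on an environment variable
PUT_RE = re.compile(
    r"(?P<var>\w+)\.put\(\s*Context\.(?P<key>SECURITY_AUTHENTICATION|SECURITY_PRINCIPAL|SECURITY_CREDENTIALS)"
    r"\s*,\s*(?P<value>[^;]+?)\s*\)\s*;"
)
# new InitialDirContext(env)  -- the point where the bind actually happens
NEW_CTX_RE = re.compile(r"new\s+InitialDirContext\(\s*(?P<var>\w+)\s*\)")


@dataclass
class Finding:
    line: int      # 1-based line of the InitialDirContext construction
    reason: str


def _literal(value: str) -> Optional[str]:
    """Contents of a string literal, None for the null keyword, '<expr>' for anything else."""
    value = value.strip()
    if value == "null":
        return None
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    return "<expr>"


def scan(java_source: str) -> List[Finding]:
    """Apply the detection strategy to one Java snippet and return the anonymous-bind findings."""
    findings: List[Finding] = []
    lines = java_source.splitlines()
    for lineno, line in enumerate(lines, start=1):
        match = NEW_CTX_RE.search(line)
        if not match:
            continue
        var = match.group("var")
        # Step 2: gather the security properties set on this environment before the constructor runs.
        props = {}
        for prev in lines[:lineno]:
            for put in PUT_RE.finditer(prev):
                if put.group("var") == var:
                    props[put.group("key")] = _literal(put.group("value"))
        # Step 3: explicit anonymous bind.
        if props.get(AUTH) == "none":
            findings.append(Finding(lineno, "SECURITY_AUTHENTICATION is 'none': explicit anonymous bind"))
            continue
        # Step 4: authentication parameters missing altogether.
        if PRINCIPAL not in props or CREDENTIALS not in props:
            if AUTH not in props:
                findings.append(Finding(lineno, "no authentication parameters set: provider defaults to anonymous bind"))
            else:
                findings.append(Finding(lineno, "SECURITY_PRINCIPAL or SECURITY_CREDENTIALS missing"))
            continue
        # Step 4: null or empty password turns a 'simple' bind into an unauthenticated one.
        if props[CREDENTIALS] is None or props[CREDENTIALS] == "":
            findings.append(Finding(lineno, "null or empty SECURITY_CREDENTIALS: unauthenticated bind"))
    return findings


# Constructed sample snippets (not taken from the page) covering each branch of the rule.
UNSAFE_NONE = '''\
Properties env = new Properties();
env.put(Context.PROVIDER_URL, "ldap://ldap.example.com:389");
env.put(Context.SECURITY_AUTHENTICATION, "none");
DirContext ctx = new InitialDirContext(env);
'''
UNSAFE_EMPTY_PASSWORD = '''\
Hashtable<String, String> env = new Hashtable<>();
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, "cn=reader,dc=example,dc=com");
env.put(Context.SECURITY_CREDENTIALS, "");
DirContext ctx = new InitialDirContext(env);
'''
UNSAFE_DEFAULT = '''\
Properties env = new Properties();
env.put(Context.PROVIDER_URL, "ldap://ldap.example.com:389");
DirContext ctx = new InitialDirContext(env);
'''
SAFE = '''\
Properties env = new Properties();
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, username);
env.put(Context.SECURITY_CREDENTIALS, password);
DirContext ctx = new InitialDirContext(env);
'''

if __name__ == "__main__":
    for name, src in [("none", UNSAFE_NONE), ("empty", UNSAFE_EMPTY_PASSWORD),
                      ("default", UNSAFE_DEFAULT), ("safe", SAFE)]:
        print(name, scan(src))
```

A real analyzer would resolve the environment across methods and fields and follow non-literal values; this version only looks back within the snippet, which is enough to show why each of the four bullets is needed and why a present-but-empty credential is treated the same as a missing one.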
Vulnerable code example
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import java.util.Properties;

public void unsafeLdapAuth() throws NamingException {
    Properties env = new Properties();
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env.put(Context.PROVIDER_URL, "ldap://ldap.example.com:389"); // placeholder directory URL
    env.put(Context.SECURITY_AUTHENTICATION, "none"); // Vulnerable: 'none' authentication performs an anonymous LDAP bind
    DirContext ctx = new InitialDirContext(env); // bound without any identity; only what the server exposes anonymously is readable
    ctx.close();
}
✅ Secure code example
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import java.util.Properties;
public void safeLdapAuth(String username, String password) throws NamingException {
    Properties env = new Properties();
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env.put(Context.PROVIDER_URL, "ldaps://ldap.example.com:636"); // placeholder directory URL; LDAPS keeps the simple-bind password off the wire in clear text
    env.put(Context.SECURITY_AUTHENTICATION, "simple"); // Secure: authenticated bind with an explicit identity and secret
    env.put(Context.SECURITY_PRINCIPAL, username);
    env.put(Context.SECURITY_CREDENTIALS, password);
    DirContext ctx = new InitialDirContext(env); // the bind is performed here with the caller's credentials
    ctx.close();
}