Arp Spoofing in Actix with Bearer Tokens
Arp Spoofing in Actix with Bearer Tokens — how this specific combination creates or exposes the vulnerability
Arp Spoofing is a Layer 2 attack where an attacker sends falsified Address Resolution Protocol messages onto a local network to associate their MAC address with the IP address of a legitimate host, such as a gateway or another API server. In an Actix-based Rust API service that relies on Bearer Tokens for authorization, this combination creates a critical risk when token transmission occurs over a locally reachable network segment without additional protections.
When an Actix service validates Bearer Tokens primarily at the application layer (e.g., via middleware that checks an Authorization header), it assumes the transport path between client and server is trustworthy. Arp Spoofing breaks this assumption by enabling an attacker on the same local network to intercept or redirect traffic. The attacker can perform a man-in-the-middle (MITM) position to observe or modify unencrypted HTTP requests, capturing Bearer Tokens in transit. Even if the API itself uses HTTPS, an attacker might target an internal service that mistakenly accepts HTTP or has misconfigured TLS termination, allowing token theft via ARP manipulation within a trusted subnet.
In a microservice or containerized environment using Actix, services often communicate over local networks where ARP spoofing is feasible. If one service calls another using Bearer Tokens without additional transport hardening (like mTLS), an attacker who compromises a host on the same network can inject themselves into the communication path. This exposes token leakage, enables session hijacking, and can lead to privilege escalation if the stolen token carries elevated scopes. The vulnerability is not in Actix itself but in deployment topology and token handling practices that do not account for a compromised local network layer.
This risk is especially relevant when OpenAPI/Swagger specifications are used to document endpoints but do not explicitly enforce transport security requirements for Bearer Token flows. Without runtime enforcement of strict transport protections and network-level monitoring, ARP spoofing remains a practical attack vector against Actix services using bearer-based authentication.
Bearer Tokens-Specific Remediation in Actix — concrete code fixes
Remediation focuses on ensuring Bearer Tokens are never exposed to network-layer attacks like ARP spoofing. This requires enforcing strict transport security, minimizing token exposure in local networks, and validating token context at the application layer.
1. Enforce HTTPS with strong TLS configuration
Never accept HTTP for endpoints that validate Bearer Tokens. Use Rustls or native TLS with strong ciphers and redirect HTTP to HTTPS. Below is an example of configuring an Actix server with TLS:
use actix_web::{web, App, HttpServer, Responder};
use actix_web::http::header::HeaderValue;
async fn protected_route(headers: web::HeaderMap) -> impl Responder {
match headers.get("authorization") {
Some(auth_header) => {
if let Ok(auth_str) = auth_header.to_str() {
if auth_str.starts_with("Bearer ") {
// Perform token validation here
return "Authorized";
}
}
"Unauthorized";
}
None => "Unauthorized",
}
}
#[actix_web::main]
async fn main() -> std::io::Result<()> {
HttpServer::new(|| {
App::new()
.route("/api/secure", web::get().to(protected_route))
})
.bind_rustls(
"0.0.0.0:8443",
rustls::ServerConfig::builder()
.with_safe_defaults()
.with_no_client_auth()
.with_single_cert(
vec![rustls::Certificate(include_bytes("cert.pem").to_vec())],
rustls::PrivateKey(include_bytes("key.pem").to_vec()),
)
.unwrap(),
)?
.run()
.await;
}
2. Validate token origin and scope at the application layer
Do not rely solely on the presence of a Bearer Token. Validate issuer, audience, scopes, and session context to limit the impact of a leaked token. Here is an example using jsonwebtoken crate:
use actix_web::{web, HttpRequest, HttpResponse};
use jsonwebtoken::{decode, Algorithm, DecodingKey, Validation, TokenData};
use serde::{Deserialize, Serialize};
#[derive(Debug, Serialize, Deserialize)]
struct Claims {
sub: String,
scope: String,
iss: String,
exp: usize,
}
fn validate_bearer(req: &HttpRequest) -> Result {
let auth = req.headers().get("authorization").ok_or_else(|| HttpResponse::Unauthorized().body("Missing authorization"))?;
let token = auth.to_str().map_err(|_| HttpResponse::Unauthorized().body("Invalid authorization format"))?;
if !token.starts_with("Bearer ") {
return Err(HttpResponse::Unauthorized().body("Invalid token type"));
}
let token = &token["Bearer ".len()..];
let validation = Validation::new(Algorithm::RS256);
let token_data: TokenData = decode(
token,
&DecodingKey::from_rsa_pem(include_bytes("public_key.pem")).map_err(|_| HttpResponse::Unauthorized().body("Invalid key"))?,
&validation,
).map_err(|_| HttpResponse::Unauthorized().body("Invalid token"))?;
// Additional checks: scope, issuer, expiration handled by validation
Ok(token_data.claims)
}
async fn scoped_route(req: HttpRequest) -> HttpResponse {
match validate_bearer(&req) {
Ok(claims) => {
if claims.scope.contains("api:read") {
"Access granted with scope validation"
} else {
HttpResponse::Forbidden().body("Insufficient scope")
}
}
Err(e) => e,
}
}
3. Use mTLS for service-to-service communication
For internal Actix service communication, enforce mutual TLS to prevent ARP spoofing from enabling unauthorized token relay. This ensures both endpoints authenticate each other before exchanging bearer-protected requests.
Additionally, rotate Bearer Tokens frequently, avoid logging them, and monitor for unusual token usage patterns. These measures reduce the window of opportunity for an attacker leveraging ARP spoofing in a compromised network segment.