Arp Spoofing in Actix with Saml

Arp Spoofing is a Layer 2 network attack where an attacker sends falsified Address Resolution Protocol messages to associate their MAC address with the IP address of another host, typically the gateway. In an Actix web service that relies on SAML for identity and session handling, this attack does not exploit Actix or the SAML library directly, but it undermines the trust chain by intercepting or modifying traffic between the service and the identity provider (IdP) or backend resources. When SAML messages (requests and responses) are transmitted over the local network segment, an attacker who successfully conducts Arp Spoofing can observe or alter unencrypted HTTP SAML bindings or redirect traffic to a malicious endpoint that mimics the IdP.

The exposure is specific to the deployment topology: if the Actix application and the SAML IdP communicate over a shared broadcast domain without additional network controls, Arp Spoofing can facilitate man-in-the-middle (MITM) interception. This can lead to SAML request tampering, session fixation, or theft of SAML assertions if the traffic is not otherwise protected. Importantly, SAML security relies on message integrity and endpoint authenticity; network-layer interception does not break the SAML signature verification directly if the assertion is signed, but it can enable substitution attacks where the attacker forwards modified requests or responses to the Actix service. The risk is compounded if the service accepts SAML responses over non-loopback interfaces without strict transport validation.

Because middleBrick tests the unauthenticated attack surface and includes checks such as SSRF and unsafe consumption patterns, it can surface indicators that an API endpoint is reachable in a way that could be abused in conjunction with network-level attacks like Arp Spoofing in controlled test environments. Note that Arp Spoofing operates at the network layer; the API security scanner focuses on application behavior and does not attempt or validate network interception.

Remediation centers on ensuring SAML traffic is protected in transit and that the Actix service validates the origin and integrity of SAML messages. Use HTTPS for all SAML endpoints and bindings, enforce strict TLS configurations, and avoid serving SAML endpoints over unencrypted HTTP. When consuming SAML responses, validate signatures, audience (AudienceRestriction), issuer, and destination URL rigorously. The following examples show a minimal Actix service configured to require HTTPS and process signed SAML responses using the actix-identity and saml2 crates.

Enforce HTTPS and secure transport in Actix

Ensure your Actix server only listens on HTTPS and redirects HTTP to HTTPS. This prevents SAML messages from being exposed on the local network where Arp Spoofing could intercept them.

use actix_web::{web, App, HttpServer, middleware::Logger};
use actix_web_httpauth::middleware::HttpAuthentication;
use openssl::ssl::{SslAcceptor, SslFiletype, SslMethod};

async fn index() -> &'static str {
    "API is reachable over HTTPS only"
}

#[actix_web::main]
async fn main() -> std::io::Result<()>) {
    let mut builder = SslAcceptor::mozilla_intermediate(SslMethod::tls()).unwrap();
    builder.set_private_key_file("key.pem", SslFiletype::PEM).unwrap();
    builder.set_certificate_chain_file("cert.pem").unwrap();

    HttpServer::new(|| {
        App::new()
            .wrap(Logger::default())
            .route("/", web::get().to(index))
    })
    .bind_openssl(":8443", builder)?
    .run()
    .await
}

Validate SAML responses in Actix handlers

When your Actix endpoint receives a SAML response (e.g., via a POST binding), validate the signature and key conditions before establishing any server-side session. Below is an example that parses and verifies a SAML response using the saml2 crate, checking issuer, destination, and audience.

use saml2::config::{Config, MetadataProvider};
use saml2::assertion::Assertion;
use saml2::protocol::Response;
use saml2::validate::{ResponseValidator, ValidationError};
use actix_web::{post, web, HttpResponse};

#[post("/acs")]
async fn acs(data: web::Data<Config>, form: web::Form<Response<String>>) -> HttpResponse {
    let response = form.0.clone();
    let validator = ResponseValidator::new(data.metadata_provider().clone());
    match validator.validate(&response, &data.key_provider()) {
        Ok(assertion) => {
            // Validate audience and issuer in the assertion
            if assertion.conditions().audience().contains(&"https://your-service.example.com".to_string()) {
                // Safe to proceed, establish session
                HttpResponse::Ok().body("SAML validated")
            } else {
                HttpResponse::BadRequest().body("Invalid audience")
            }
        }
        Err(ValidationError::SignatureVerificationFailed) => {
            HttpResponse::Unauthorized().body("Invalid signature")
        }
        Err(_) => HttpResponse::BadRequest().body("Invalid SAML response")
    }
}

Secure metadata and avoid local network exposure

Host your SAML Identity Provider metadata over HTTPS and configure the Actix service to fetch it over TLS. Do not allow metadata to be served over HTTP or from local network addresses that could be reached via Arp Spoofing. Use certificate pinning or strict TLS verification when communicating with the IdP endpoints.

Additional hardening

• Bind SAML endpoints to loopback or internal interfaces where possible, avoiding exposure on external interfaces unless behind strict network segmentation.
• Implement tight ingress controls and network segmentation so that the Actix service and IdP can communicate only over trusted paths.
• Monitor for unexpected SAML response locations or signatures, which could indicate tampering if network controls are bypassed.