Arp Spoofing in Adonisjs with Jwt Tokens

Arp spoofing is a network-layer attack where an adversary sends falsified Address Resolution Protocol messages to associate their MAC address with the IP address of another host, typically the default gateway. In an AdonisJS application that relies on JWT tokens for authentication, arp spoofing does not directly compromise the cryptographic integrity of the token, but it creates conditions that enable session hijacking and token theft. When an attacker is on the same local network and successfully spoofs the gateway or another trusted host, they can intercept, modify, or observe unencrypted traffic between clients and the AdonisJS server.

If the client communicates over HTTP rather than HTTPS, JWT tokens transmitted in request headers (e.g., Authorization: Bearer ) are visible to the attacker. Even when HTTPS is used, a man-in-the-middle position obtained via arp spoofing can facilitate SSL/TLS stripping or other downgrade attacks if the client does not enforce strict certificate validation. In AdonisJS, this becomes a JWT-specific risk when tokens are passed in headers or query parameters and the transport is not sufficiently protected. An attacker who captures a valid JWT can replay it to access protected endpoints, regardless of the token’s internal signature, because the server treats the token as proof of authentication. Therefore, the combination of arp spoofing and JWT-based authentication exposes a gap in transport assurance: the token’s validity is trusted, but the environment in which it is transmitted can be compromised.

Additionally, compromised network positioning can allow the attacker to inject malicious JavaScript or alter API responses if the AdonisJS server does not implement strong Content Security Policy (CSP) and subresource integrity. While JWT tokens themselves are not altered, the context around their usage becomes unsafe. The server-side logic in AdonisJS that validates and uses JWTs typically assumes a certain trust boundary at the network level; arp spoofing breaks that assumption. This is especially relevant for applications where the API is consumed by single-page applications or mobile clients that authenticate once and rely on token replay. Without mandatory HTTPS and additional network-level protections, the attack surface is expanded, and the JWT mechanism cannot compensate for a vulnerable communication channel.

Remediation focuses on ensuring JWT tokens are never exposed to network-level attacks and that the AdonisJS application enforces secure transport and token handling. The primary fix is to mandate HTTPS across all endpoints, including API routes and authentication flows, so that even if arp spoofing occurs, the token is encrypted in transit. In AdonisJS, this is typically enforced at the infrastructure or reverse proxy layer, but the application should reject insecure requests when possible.

Second, JWT tokens must be protected with the HttpOnly, Secure, and SameSite attributes when stored in cookies, preventing access via JavaScript and reducing exposure to interception. Avoid storing JWTs in local storage, as it is trivially accessible to malicious scripts delivered via arp spoofing or XSS. If your AdonisJS application sets cookies during authentication, configure them explicitly.

import { HttpContextContract } from '@ioc:Adonis/Core/HttpContext'
import { schema } from '@ioc:Adonis/Core/Validator'
import { Token } from '@ioc:Adonis/Addons/Auth'

export default class SessionsController {
  public async store({ request, auth, response }: HttpContextContract) {
    const email = request.input('email')
    const password = request.input('password')

    const token = await auth.attempt(email, password)

    return response.cookie('auth_token', token, {
      httpOnly: true,
      secure: true, // only sent over HTTPS
      sameSite: 'strict',
      path: '/',
      maxAge: 86400000, // 24 hours
    }).json({ message: 'Authenticated' })
  }
}