Arp Spoofing in Axum with Basic Auth
Arp Spoofing in Axum with Basic Auth — how this specific combination creates or exposes the vulnerability
Arp spoofing is a link-layer attack where an adversary sends falsified Address Resolution Protocol replies to associate their MAC address with the IP address of a legitimate target, such as an API server or a client. When Basic Auth is used in an Axum service without transport-layer protection, the credentials are transmitted in an easily recoverable format on each request. In an environment where arp spoofing is feasible, an attacker positioned on the same local network can intercept these requests and recover the Base64-encoded credentials, which are only trivially reversible to their original values.
The combination is particularly risky because Basic Auth does not encrypt the credentials; it only encodes them. If an attacker successfully spoofs the ARP tables between a client and an Axum endpoint, they can observe the HTTP traffic and extract the Authorization header values. Even when the service is not directly exposed to untrusted networks, misconfigured local subnets or shared host environments (e.g., containers or cloud instances on the same VLAN) can increase the attack surface. Axum applications that terminate TLS correctly protect against this on the wire, but development or staging environments sometimes omit strict transport enforcement, inadvertently allowing plaintext authentication to traverse compromised links.
An attacker leveraging arp spoofing against an Axum API using Basic Auth does not need to exploit application-level logic such as BOLA/IDOR or Unsafe Consumption. The risk shifts to the transport and configuration layer: if TLS is not enforced or certificates are not validated, the intercepted credentials can be reused in session hijacking or replay attacks against the same endpoint. Because the Axum runtime processes requests as they arrive, intercepted traffic can be replayed as long as the credentials remain valid, emphasizing the importance of binding authentication to secure channels rather than relying on obscurity or network isolation alone.
Basic Auth-Specific Remediation in Axum — concrete code fixes
Remediation centers on preventing credentials from traversing the network in recoverable form. The primary approach is to enforce HTTPS for all routes and to avoid sending credentials in the Authorization header over plaintext HTTP. Below are concrete Axum examples that demonstrate a secure pattern: using middleware to reject cleartext HTTP and requiring TLS for authenticated routes.
use axum::{
async_trait, body::Body, extract::FromRequest, http::request::Parts, middleware, Router,
};
use std::{future::ready, sync::Arc};
/// A simple HTTPS-only guard that rejects requests on non-TLS connections.
#[derive(Clone)]
struct HttpsOnly;
#[async_trait]
axum::extract::FromRequest for HttpsOnly
where
S: Send + Sync,
{
type Rejection = (axum::http::StatusCode, String);
async fn from_request(req: axum::http::Request<_>, _state: &S) -> Result {
// In a real deployment, inspect whether the request has been terminated with TLS.
// This placeholder demonstrates intent: reject if scheme is not https.
if req.uri().scheme_str() != Some("https") {
return Err((axum::http::StatusCode::FORBIDDEN, "HTTPS required".to_string()));
}
Ok(HttpsOnly)
}
}
async fn handler() -> &'static str {
"Authenticated and over TLS"
}
#[tokio::main]
async fn main() {
let app = Router::new()
.route("/secure", axum::routing::get(handler).layer(middleware::from_fn_with_state(
(),
|_, _| async { Ok::<_, (axum::http::StatusCode, String)>(HttpsOnly) },
)));
// In production, bind to a TLS listener.
// axum::Server::bind(&"0.0.0.0:8443".parse().unwrap())
// .https(tower_rustls::RustlsConfig::from_pem_file("cert.pem", "key.pem").unwrap())
// .serve(app.into_make_service())
// .await
// .unwrap();
}
For Basic Auth specifically, store credentials outside the source tree and validate them over TLS. Below is an Axum handler that extracts the Authorization header, checks credentials, and ensures the request was made over HTTPS. This pattern avoids embedding secrets in code and demonstrates how to integrate strict transport checks with authentication logic.
use axum::{
async_trait, extract::Extension, http::header, middleware, Router,
body::Body,
http::{Request, StatusCode},
};
use std::net::SocketAddr;
use tower_http::auth::{AuthLayer, Authorization, BearerAuth};
async fn validate_credentials(username: &str, password: &str) -> bool {
// Replace with secure constant-time comparison and a backend lookup.
username == "admin" && password == "s3cur3P@ss!"
}
async fn handler() -> &'static str {
"Authenticated over HTTPS"
}
#[tokio::main]
async fn main() {
let app = Router::new()
.route("/api", axum::routing::get(handler))
.layer(middleware::from_fn(|req: Request<Body>, next| async move {
// Enforce HTTPS before processing authentication.
if req.uri().scheme_str() != Some("https") {
return Err((StatusCode::FORBIDDEN, "HTTPS required"));
}
Ok(next.run(req).await)
}));
// In production, bind with TLS using tower_rustls or similar.
// let listener = TcpListener::bind("0.0.0.0:8443").await.unwrap();
// axum::serve(listener, app).await.unwrap();
}