Arp Spoofing in Chi with Basic Auth
Arp Spoofing in Chi with Basic Auth — how this specific combination creates or exposes the vulnerability
Arp Spoofing is a Layer 2 attack where an attacker sends falsified ARP messages onto a local network to associate their MAC address with the IP address of a legitimate host, such as a gateway or another service. When this occurs in a Chi-based application that relies on HTTP Basic Authentication, the combination creates a critical interception risk. Chi is an HTTP router and middleware library for Elixir, often used to build API endpoints. If a Chi service is deployed on a shared or compromised local network (for example, within a container runtime or cloud host with a misconfigured network), an attacker performing Arp Spoofing can position themselves between the client and the Chi endpoint.
Basic Authentication transmits credentials as a base64-encoded string in the Authorization header. While base64 is not encryption, the primary exposure in this scenario is not confidentiality but integrity and authentication. An attacker conducting Arp Spoofing can observe these headers in transit and, more importantly, inject or modify unencrypted HTTP requests and responses. If the Chi application does not enforce transport-layer protections, the attacker can capture valid Basic Auth credentials and reuse them in a replay attack. Additionally, the attacker might alter the request path or headers served by Chi, potentially redirecting authenticated users to malicious handlers or tampering with responses. This becomes especially dangerous when the Chi service is exposed on public IPs or through load balancers that do not terminate TLS, leaving the Basic Auth header traversing the network in cleartext.
In environments where Chi services are discovered via unauthenticated scanning, an attacker can also leverage Arp Spoofing to bypass network-level isolation. For instance, if microservices communicate internally using Basic Auth over HTTP, spoofing ARP replies can allow an attacker to impersonate a trusted service and gain unauthorized access to endpoints that assume local network trust. Because middleBrick scans endpoints without authentication, it can surface these unauthenticated attack surfaces, highlighting the absence of TLS and the use of Basic Auth on shared networks. The scanner’s checks for encryption and input validation help flag such risky configurations, but the onus remains on developers to remediate the underlying network and transport-layer weaknesses.
Basic Auth-Specific Remediation in Chi — concrete code fixes
Remediation focuses on eliminating cleartext transmission of credentials and strengthening the authentication boundary in Chi applications. The most effective approach is to enforce HTTPS for all routes, ensuring that the Authorization header is encrypted in transit. If TLS termination occurs at a load balancer, ensure that the connection between the balancer and the Chi service is also encrypted. Below are concrete code examples that demonstrate how to implement secure authentication in Chi.
Example 1: Enforce HTTPS and require secure cookies
Use Plug.SSL to redirect all HTTP traffic to HTTPS and set secure headers. This should be part of your endpoint pipeline before routes are dispatched.
defmodule MyApp.Endpoint do
use Plug.Router
plug Plug.SSL, rewrite_on: [:x_forwarded_proto], host: true
plug Plug.Parsers, parsers: [:urlencoded, :json]
plug Plug.MethodOverride
plug Plug.Head
# Your routes here
plug :match
plug :dispatch
end
Example 2: Custom Basic Auth plug with credential validation
Implement a plug that validates the Authorization header without relying on Basic Auth’s default transmission. Avoid using Plug.BasicAuth directly if it encourages HTTP usage. Instead, manually parse and verify credentials over HTTPS.
defmodule MyApp.BasicAuthPlug do
import Plug.Conn
def init(opts), do: opts
def call(conn, _opts) do
case get_req_header(conn, "authorization") do
["Basic " <> encoded] ->
case Base.decode64(encoded) do
{:ok, "user:pass"} ->
# Replace with secure credential lookup, e.g., database or vault
assign(conn, :authenticated_user, "user")
_ ->
send_resp(conn, 401, "Unauthorized")
halt(conn)
end
_ ->
send_resp(conn, 401, "Authorization header missing")
halt(conn)
end
end
end
Example 3: Integrate with a secure session or token approach
After validating credentials, avoid continuing to use Basic Auth for subsequent requests. Instead, issue a short-lived token or session cookie with secure and httpOnly flags. Below is a simplified example of issuing a token after successful Basic Auth validation.
defmodule MyApp.AuthController do
use Chi.Dsl
get "/login" do
conn = MyApp.BasicAuthPlug.call(conn, [])
if conn.assigns[:authenticated_user] do
token = MyApp.Token.generate(conn.assigns[:authenticated_user])
conn
|> put_resp_cookie("auth_token", token, http_only: true, secure: true, same_site: "Lax")
|> send_resp(200, %{"status" => "authenticated"} |> Jason.encode!())
else
send_resp(conn, 401, "Invalid credentials")
end
end
end
These examples illustrate how to move away from relying on HTTP Basic Auth over cleartext channels. By combining HTTPS enforcement, manual credential validation, and token-based session management, Chi applications can mitigate the risks introduced by Arp Spoofing and credential interception.