Arp Spoofing in Hanami (Ruby)
Arp Spoofing in Hanami with Ruby — how this specific combination creates or exposes the vulnerability
Arp spoofing (or ARP poisoning) is a network-layer attack where an attacker sends falsified ARP messages to associate their MAC address with the IP address of a legitimate host (such as a gateway or another server). This enables man-in-the-middle (MITM) interception of traffic. While ARP spoofing operates at OSI Layer 2 and is not specific to any web framework, Hanami applications written in Ruby are exposed when deployed in environments where network segmentation is weak or where services communicate over untrusted local networks — common in development setups, containerized staging environments, or misconfigured cloud VPCs.
Hanami’s architecture, which emphasizes separation of concerns via slices, actions, and views, does not inherently mitigate network-layer risks. If a Hanami API service runs on a host without proper ARP security controls (e.g., static ARP entries, DHCP snooping, or dynamic ARP inspection on switches), an attacker on the same broadcast domain can poison ARP caches to redirect traffic intended for the Hanami server through their machine. Since Hanami relies on standard Rack handlers (like Puma or WEBrick) to serve HTTP requests, all inbound API traffic — including authentication tokens, payloads, and responses — becomes visible to the attacker if not encrypted at the transport layer.
This risk is exacerbated in Ruby/Hanami deployments where:
- Services communicate internally over HTTP (not HTTPS) in microservice architectures.
- Development or staging environments use flat network topologies (e.g., Docker compose without network isolation).
- Cloud instances lack metadata protection or are placed in shared security groups with overly permissive ingress rules.
For example, if a Hanami API at http://api.internal:2300 is targeted via ARP spoofing, an attacker can capture session cookies, API keys, or even modify requests in transit — such as altering params in a Hanami action to trigger unintended behavior. While Hanami’s strong typing and form objects help prevent injection flaws, they do not protect against network eavesdropping or tampering when traffic is unencrypted.
middleBrick detects exposure to such network-level risks during its unauthenticated scan by identifying services listening on internal or private IPs without transport encryption. Although it does not perform active ARP spoofing (as that requires layer-2 access), it flags unencrypted HTTP endpoints on non-loopback interfaces as high-risk findings, especially when combined with missing HSTS or weak TLS configurations — guiding teams to enforce encryption-in-transit as a compensating control.
Ruby-Specific Remediation in Hanami — concrete code fixes
Since ARP spoofing is a network-layer vulnerability, remediation in a Hanami/Ruby context focuses on eliminating the conditions that make the attack impactful: unencrypted internal traffic and excessive network trust. There are no Ruby or Hanami-specific code changes that prevent ARP spoofing itself, but developers can enforce transport security and reduce blast radius through configuration and defensive coding practices.
The most effective remediation is to enforce HTTPS for all Hanami service-to-service communication, even in internal networks. This ensures that even if ARP is poisoned, the attacker cannot read or modify application data without breaking TLS — which would trigger certificate errors in clients.
In Hanami 2.0+, you can enforce SSL by configuring the Rack server to require HTTPS and using middleware to redirect HTTP requests. Below is a syntactically correct example for a Hanami application using Puma:
# config/puma.rb
environment ENV.fetch('HANAMI_ENV') { 'development' }
if ENV['HANAMI_ENV'] == 'production' || ENV['FORCE_SSL']
ssl_bind '0.0.0.0', '9292', {
key: ENV.fetch('SSL_KEY_PATH'),
cert: ENV.fetch('SSL_CERT_PATH'),
verify_mode: 'none'
}
else
bind 'tcp://0.0.0.0:9292'
end
# Optional: Redirect HTTP to HTTPS in development/staging if using a reverse proxy
# Not needed if proxy handles TLS termination
Within the Hanami slice, use Hanami::Action with handle_exception to enforce secure headers and prevent mixed-content risks:
# lib/web/api/controllers/base_action.rb
module Web
module Api
module Controllers
class BaseAction < Hanami::Action
config.handle_exception = true
before :enforce_ssl_headers
private
def enforce_ssl_headers
headers['Strict-Transport-Security'] = 'max-age=63072000; includeSubDomains; preload'
headers['X-Content-Type-Options'] = 'nosniff'
# Ensures browsers enforce HTTPS if HSTS is honored
end
end
end
end
end
# Then inherit from BaseAction in all API actions:
# module Web::Api::Controllers::Users
# class Show < BaseAction
# # ...
# end
# end
Additionally, use Hanami’s settings to enforce secure cookies:
# config/settings.rb
Hanami.application.configure do
config.cookies = {
secure: true, # Only send cookies over HTTPS
httponly: true,
same_site: :lax,
domain: :all # Restrict to your domain
}
end
Finally, deploy Hanami behind a service mesh (e.g., Istio, Linkerd) or use Kubernetes network policies to isolate pods — preventing lateral movement even if ARP spoofing occurs at the node level. middleBrick supports scanning these internal APIs via its CLI or GitHub Action, verifying that encryption-in-transit is enforced and flagging any HTTP endpoints exposed on private networks as medium- to high-severity findings.