Bleichenbacher Attack in Axum with Basic Auth
Bleichenbacher Attack in Axum with Basic Auth — how this specific combination creates or exposes the vulnerability
A Bleichenbacher attack is a padding oracle attack against block cipher modes such as CBC. In Axum applications that use HTTP Basic Auth for session tokens or API keys (rather than for initial authentication), a server that returns different HTTP status codes or error messages depending on whether a decryption or MAC verification fails can act as a padding oracle. For example, an endpoint might decode a Basic Auth credential, decrypt it, and then validate its contents. If decryption errors, invalid padding, or MAC mismatches are distinguished by a 401 versus a 400 or 500 response, an attacker can iteratively decrypt ciphertext or forge valid tokens without knowing the key. This violates confidentiality and integrity of credentials carried in the token.
When Basic Auth is used naively—such as embedding a serialized struct or JWT inside the base64-encoded username:password—the token becomes a confidentiality target. An attacker who can observe timing differences or status-code behavior can exploit the Bleichenbacher adaptive-chosen-ciphertext pattern. In Axum, this often arises when a protected route decodes a token derived from Basic Auth and uses branching logic to indicate bad padding (e.g., returning 401 for invalid padding and 403 for valid-but-wrong credentials). These side channels enable recovery of plaintext or forging of new tokens, even if the transport layer uses TLS, because the oracle lives in application logic, not in the cipher suite.
In the context of the 12 security checks run by middleBrick, this scenario maps to findings in Authentication, Input Validation, and Data Exposure. middleBrick detects status-code inconsistencies and missing integrity protections that could enable adaptive chosen-ciphertext attacks. By correlating runtime behavior with OpenAPI/Swagger specifications, it flags endpoints where error handling or authentication branching may leak information about decryption or MAC validation. The scanner highlights the presence of unauthenticated or weakly protected endpoints that could be abused in a Bleichenbacher-style attack, emphasizing the need for constant-time verification and authenticated encryption.
Basic Auth-Specific Remediation in Axum — concrete code fixes
To mitigate Bleichenbacher-style attacks in Axum when Basic Auth is used, ensure that all verification paths execute in constant time and return uniform error responses. Avoid branching on cryptographic correctness; use cryptographic libraries that provide constant-time MAC verification and authenticated encryption. Do not embed sensitive data in the Basic Auth credential string; instead, use it only for initial lookup and treat the credential as an opaque token validated server-side.
Below are concrete Axum examples. The insecure example demonstrates a branching response that can be exploited; the secure example shows a hardened approach using constant-time comparison and generic error handling.
Insecure Axum Basic Auth handling (vulnerable to oracle behavior)
use axum::{
async_trait,
extract::{self, FromRequest},
http::StatusCode,
response::IntoResponse,
};
use base64::Engine;
use std::error::Error;
struct AuthenticatedUser { username: String, role: String }
struct BasicAuth(pub AuthenticatedUser);
#[async_trait]
impl extract::FromRequest for BasicAuth
where
S: Send + Sync,
{
type Rejection = (StatusCode, String);
async fn from_request(req: axum::http::Request<S>, state: &S) -> Result {
let header = req.headers().get("authorization")
.ok_or((StatusCode::UNAUTHORIZED, "missing authorization header".to_string()))?;
let header = header.to_str().map_err(|_| (StatusCode::UNAUTHORIZED, "invalid header".to_string()))?;
if !header.starts_with("Basic ") {
return Err((StatusCode::UNAUTHORIZED, "invalid authorization scheme".to_string()));
}
let encoded = &header[6..];
let decoded = base64::engine::general_purpose::STANDARD.decode(encoded)
.map_err(|_| (StatusCode::UNAUTHORIZED, "invalid base64".to_string()))?;
let token = String::from_utf8(decoded).map_err(|_| (StatusCode::UNAUTHORIZED, "invalid token encoding".to_string()))?;
// Insecure: branching on token structure or decryption errors can produce distinct status codes
if token.starts_with("expired:") {
return Err((StatusCode::UNAUTHORIZED, "token expired".to_string()));
}
// Simulated decryption; in real code this may involve AES-GCM or similar
let parts: Vec<&str> = token.split(':').collect();
if parts.len() != 2 {
return Err((StatusCode::BAD_REQUEST, "malformed token".to_string()));
}
// Simulated MAC check with branching on failure
if parts[1] != "expected_mac_here" {
return Err((StatusCode::FORBIDDEN, "invalid credentials".to_string()));
}
Ok(BasicAuth(AuthenticatedUser { username: parts[0].to_string(), role: "user".to_string() }))
}
}
async fn protected_handler(BasicAuth(user): BasicAuth) -> impl IntoResponse {
format!("Welcome {}", user.username)
}
This code illustrates multiple issues: distinct status codes for bad base64, malformed structure, and MAC failure; a branch on token metadata; and no constant-time verification. An attacker can use status-code differences to distinguish padding/MAC failures, enabling a Bleichenbacher-style adaptive attack.
Secure Axum Basic Auth handling (constant-time, uniform errors)
use axum::{
async_trait,
extract::{self, FromRequest},
http::StatusCode,
};
use subtle::ConstantTimeEq;
use base64::Engine;
struct AuthenticatedUser { username: String, role: String }
struct BasicAuth(pub AuthenticatedUser);
#[async_trait]
impl extract::FromRequest for BasicAuth
where
S: Send + Sync,
{
type Rejection = (StatusCode, String);
async fn from_request(req: axum::http::Request<S>, _state: &S) -> Result {
let header = req.headers().get("authorization")
.ok_or((StatusCode::UNAUTHORIZED, "invalid authorization".to_string()))?;
let header = header.to_str().map_err(|_| (StatusCode::UNAUTHORIZED, "invalid authorization".to_string()))?;
if !header.starts_with("Basic ") {
return Err((StatusCode::UNAUTHORIZED, "invalid authorization".to_string()));
}
let encoded = &header[6..];
let decoded = base64::engine::general_purpose::STANDARD.decode(encoded)
.map_err(|_| (StatusCode::UNAUTHORIZED, "invalid authorization".to_string()))?;
// Treat token as opaque; in practice validate via HMAC or AEAD in a constant-time fashion
let token = String::from_utf8(decoded).map_err(|_| (StatusCode::UNAUTHORIZED, "invalid authorization".to_string()))?;
// Secure: no early branching on token content; use constant-time comparison for secrets
let expected = "known_user:known_hmac_here";
if token.ct_eq(expected).into() {
let parts: Vec<&str> = token.split(':').collect();
if parts.len == 2 {
return Ok(BasicAuth(AuthenticatedUser { username: parts[0].to_string(), role: "user".to_string() }));
}
}
// Always return the same status and generic message
Err((StatusCode::UNAUTHORIZED, "invalid authorization".to_string()))
}
}
async fn protected_handler(BasicAuth(user): BasicAuth) -> impl IntoResponse {
format!("Welcome {}", user.username)
}
The secure version uses a constant-time equality check (via subtle::ConstantTimeEq) and returns a uniform error response for any failure, removing observable branching. In production, store and verify tokens using authenticated encryption (e.g., AES-GCM) or HMAC-based schemes with constant-time verification, and avoid encoding sensitive semantics in the Basic Auth credential string. middleBrick can verify that such uniform error handling and constant-time patterns are present in your Axum services.