Broken Access Control in Axum
How Broken Access Control Manifests in Axum
Broken Access Control in Axum applications typically emerges from missing or improperly implemented authorization checks. Since Axum is an async web framework built on Rust's type system, vulnerabilities often stem from architectural decisions that bypass the compiler's safety guarantees.
One common pattern involves extractors that authenticate but don't authorize. Consider this flawed middleware:
async fn auth_middleware(req: Request) -> Result, Error> {
let auth_header = req.headers().get("Authorization");
if let Some(auth) = auth_header {
// Verify token but don't enforce any role-based checks
let user = verify_token(auth)?;
req.extensions_mut().insert(user);
Ok(req)
} else {
Err(Error::Unauthorized)
}
}
// Route handler that trusts the middleware without further checks
app.route("/admin", Method::GET).with(auth_middleware).with(admin_handler); The middleware authenticates but doesn't verify the user has admin privileges. The handler must perform its own authorization check, which developers often forget.
Another Axum-specific manifestation occurs with TypedMap and Extension extractors. When state is shared across handlers without proper isolation:
app.route("/user/profile/:id", Method::GET)
.with(get_user_profile); // No authorization check
async fn get_user_profile(
Extension(db): Extension<PgPool>,
Path(user_id): Path<UserId>,
) -> Result<Json<UserProfile>> {
// No verification that the authenticated user owns this profile
let profile = db.get_user_profile(user_id).await?;
Ok(Json(profile))
}This exposes IDOR (Insecure Direct Object Reference) vulnerabilities where any authenticated user can access any profile by changing the ID parameter.
Property-level authorization failures are particularly subtle in Axum. When returning data structures, developers often forget to filter sensitive fields:
async fn get_user_data(
Extension(db): Extension<PgPool>,
user_id: Path<UserId>,
) -> Result<Json<UserData>> {
let user = db.get_user(user_id).await?;
// Returns ALL fields including sensitive ones like SSN, payment info
Ok(Json(user))
}The Rust compiler won't warn you about missing authorization logic—it's a logic error, not a type error.
Axum-Specific Detection
Detecting Broken Access Control in Axum requires examining both the route structure and the data flow through extractors. Start by auditing your Router configuration:
let app = Router::new()
.route("/admin", Method::GET, admin_route)
.route("/user/:id", Method::GET, user_route)
.layer(Trace::new_for_http());Look for routes that handle sensitive resources without explicit authorization middleware. In Axum, this means checking if your handlers use Extension<User> or similar extractors and then verify permissions.
middleBrick's black-box scanning can identify these vulnerabilities without requiring source code access. The scanner tests for:
- IDOR vulnerabilities by manipulating path parameters across different authenticated sessions
- Missing authorization checks by attempting privileged actions with regular user credentials
- Property exposure by analyzing response structures for sensitive data leakage
- Authentication bypass attempts on endpoints that should require authentication
For Axum applications specifically, middleBrick examines the unauthenticated attack surface and tests authorization boundaries. The scanner will attempt to access admin endpoints with regular user credentials, modify resource identifiers in requests, and analyze response payloads for data that shouldn't be exposed to the requesting user.
You can integrate middleBrick into your development workflow using the CLI:
npx middlebrick scan https://api.your-app.com --output jsonOr add it to your CI/CD pipeline with the GitHub Action to automatically scan staging APIs before deployment:
- name: Run middleBrick Security Scan
uses: middlebrick/middlebrick-action@v1
with:
target_url: ${{ secrets.API_URL }}
fail_below_score: BThe scanner provides specific findings about authorization failures, including which endpoints are vulnerable and what data could be accessed by unauthorized users.
Axum-Specific Remediation
Remediating Broken Access Control in Axum requires a defense-in-depth approach using the framework's native capabilities. Start with a robust authorization middleware that checks permissions before reaching handlers:
use axum_extra::extract::Extension;
struct AuthenticatedUser {
id: UserId,
role: Role,
}
struct AdminGuard;
#[async_trait]
impl FromRequest for AdminGuard
where
B: Send,
{
type Rejection = StatusCode;
async fn from_request(req: &mut RequestParts<B>) -> Result<Self, Self::Rejection> {
let user = Extension::AuthenticatedUser::from_request(req)
.await
.map_err(|_| StatusCode::UNAUTHORIZED)?;
if user.role != Role::Admin {
return Err(StatusCode::FORBIDDEN);
}
Ok(AdminGuard)
}
}
// Now enforce admin role at the route level
app.route("/admin", Method::GET)
.with(AdminGuard)
.with(admin_handler);This pattern ensures authorization is checked before the handler executes, preventing accidental exposure.
For IDOR prevention, implement resource ownership verification:
async fn get_user_profile(
Extension(db): Extension<PgPool>,
Path(user_id): Path<UserId>,
Extension(user): Extension<AuthenticatedUser>,
) -> Result<Json<UserProfile>> {
// Verify the authenticated user owns this profile
if user.id != user_id {
return Err(StatusCode::FORBIDDEN.into());
}
let profile = db.get_user_profile(user_id).await?;
Ok(Json(profile))
}For property-level authorization, create response DTOs that explicitly control what data is exposed:
#[derive(Serialize)]
struct UserProfileResponse {
id: UserId,
username: String,
email: String,
// Sensitive fields omitted
}
async fn get_user_profile(
Extension(db): Extension<PgPool>,
Path(user_id): Path<UserId>,
Extension(user): Extension<AuthenticatedUser>,
) -> Result<Json<UserProfileResponse>> {
let profile = db.get_user_profile(user_id).await?;
// Only return safe fields
let response = UserProfileResponse {
id: profile.id,
username: profile.username,
email: profile.email,
};
Ok(Json(response))
}Consider using the tower::auth crate for more sophisticated authorization policies:
use tower::auth::{AsyncAuthorize, AuthorizeRequest};
struct PermissionAuthorizer;
#[async_trait]
impl AuthorizeRequest for PermissionAuthorizer {
type Request = Request;
type Response = Request;
type Error = StatusCode;
type Future = Ready<Result<Request, StatusCode>>;
n async fn authorize(&mut self, req: Request) -> Self::Future {
let user = req.extensions().get::<AuthenticatedUser>();
if let Some(user) = user {
if user.has_permission("access_profile") {
return ready(Ok(req));
}
}
ready(Err(StatusCode::FORBIDDEN))
}
}
// Apply as a middleware layer
let app = Router::new()
.route("/profile/:id", Method::GET, get_profile)
.layer(PermissionAuthorizer::new());Finally, implement comprehensive logging for authorization failures to detect and respond to attacks:
use tracing::{info, error};
async fn sensitive_operation(
Extension(db): Extension<PgPool>,
Extension(user): Extension<AuthenticatedUser>,
) -> Result<Json<SensitiveData>> {
if !user.has_permission("access_sensitive") {
error!(user_id = %user.id, "Unauthorized access attempt to sensitive data");
return Err(StatusCode::FORBIDDEN.into());
}
let data = db.get_sensitive_data().await?;
Ok(Json(data))
}