Credential Stuffing in Chi with Mutual Tls

Credential stuffing relies on automated login requests using breached username and password pairs. In Chi, where Mutual TLS (mTLS) is used for client authentication, the presence of mTLS does not inherently prevent automated requests; it only changes how the client proves identity. If an attacker can obtain or guess valid client certificates (or if certificates are issued too broadly), they can automate credential attempts while presenting a valid mTLS credential. This combination therefore exposes two independent authentication surfaces: something the client knows (username/password) and something the client has (the certificate). The risk is that leaked or weak client certificates enable high-volume, seemingly legitimate TLS handshakes that bypass network-level access controls, allowing attackers to iterate over credentials without triggering IP-based rate limiting that might otherwise detect non-mTLS traffic.

Mutual TLS in Chi is often configured to require client certificates for certain routes or services, typically enforced at the ingress or API gateway level. When mTLS is used alongside traditional password-based authentication (e.g., form login or API tokens), the attack surface expands. An attacker who has harvested credentials may attempt to replay requests with both valid credentials and a compromised client certificate. Because TLS termination and client certificate validation occur early in the connection, application-level protections such as account lockout or CAPTCHA may not be engaged if the mTLS check passes but the application logic does not correlate certificate identity with user-specific rate limits.

Moreover, certificate issuance and management practices in Chi may inadvertently enable credential stuffing. If client certificates are issued per-service or per-device and not tightly bound to individual users, compromised certificates can be reused to launch credential attacks across multiple accounts. Scanning with middleBrick reveals whether unauthenticated endpoints inadvertently accept requests with mTLS credentials while lacking sufficient application-layer throttling or anomaly detection. Findings may highlight missing correlation between client certificate identity and user session rate limiting, which attackers can exploit to test credentials at scale while appearing as authorized clients.

For example, an unauthenticated scan can detect whether login endpoints that require mTLS also enforce request-rate controls at the user level. Without such controls, an attacker can iterate username and password combinations while presenting a valid client certificate, effectively bypassing protections that would otherwise mitigate brute-force or credential stuffing attempts. middleBrick’s checks for Rate Limiting and Authentication surface these gaps by observing whether responses differ when mTLS is presented versus when it is absent, and whether account-specific throttling is enforced independently of the TLS layer.

Additionally, insecure handling of certificate revocation can amplify risk. If a compromised client certificate is not promptly revoked or if certificate revocation lists (CRLs) are not enforced, attackers can continue to use stolen credentials paired with valid mTLS during the window of exposure. The scan’s Inventory Management checks can surface endpoints that accept revoked or suspect certificates, highlighting the need for strict revocation and tighter binding between identities and credentials.

Remediation focuses on tying client certificate identity to application-level authentication and enforcing rate limits per certificate or per user-principal. In Chi, you can configure your HTTP client and server to present and validate client certificates explicitly and to correlate TLS identities with user accounts.

Chi HTTP client with mTLS (example using req and rustls)

use reqwest::Client;
use std::fs;
use tokio;

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    let cert = fs::read("client.crt")?;
    let key = fs::read("client.key")?;
    let certs = vec![rustls::Certificate(cert)];
    let mut keys = vec![rustls::PrivateKey(key)];

    let client_cert = reqwest::tls::Certificate::from_pem(&include_bytes!("ca.crt")[..])?;

    let tls_config = rustls::ClientConfig::builder()
        .with_safe_defaults()
        .with_root_certificates({
            let mut roots = rustls::RootCertStore::empty();
            roots.add(&client_cert)?;
            roots
        })
        .with_single_cert(certs, keys.remove(0))?;

    let client = Client::builder()
        .use_preconfigured_tls(tls_config)
        .build()?;

    let res = client
        .post("https://api.chi.example.com/login")
        .basic_auth("username", Some("password"))
        .send()
        .await?;

    println!("Status: {}", res.status());
    Ok(())
}

Chi HTTP server with mTLS verification and user binding (example using warp and rustls)

use warp::Filter;
use std::sync::Arc;
use rustls::{ServerConfig, Certificate, PrivateKey};
use std::convert::Infallible;

async fn verify_client_identity(
    tls_info: warp::tls::TlsInfo,
    user_creds: (String, String),
) -> Result<impl warp::Reply, Infallible> {
    // Example: correlate certificate subject with user credentials
    let subject = tls_info
        .peer_certificate()
        .and_then(|certs| certs.first())
        .and_then(|cert| {
            // extract subject common name or other identifier
            // pseudo-code: parse cert.subject()
            Some("CN=alice")
        });

    match subject {
        Some(cn) if cn == "CN=alice" && user_creds.0 == "alice" && user_creds.1 == "secret" =
> Ok(warp::reply::json(&("authenticated", cn))),
        _ => Ok(warp::reply::with_status(
            warp::reply::json(&("unauthorized",)),
            warp::http::StatusCode::FORBIDDEN,
        )),
    }
}

fn config_mtls() -> ServerConfig {
    // Load server cert/key and trusted client CA
    // pseudo-code: load certs and keys
    ServerConfig::builder()
        .with_safe_defaults()
        .with_client_cert_verifier(Arc::new(|_end_entity, intermediates| {
            // validate client cert against trusted CA
            Ok(())
        }))
        .unwrap()
}

#[tokio::main]
async fn main() {
    let tls_config = config_mtls();

    let login = warp::post()
        .and(warp::path("login"))
        .and(warp::tls::maybe_config(tls_config).map(|tls: Option<warp::tls::TlsInfo>| tls.unwrap()))
        .and(warp::body::form())
        .and_then(verify_client_identity);

    warp::serve(login).run(([127, 0, 0, 1], 3030)).await;
}

Operational and policy fixes

• Bind client certificate identifiers to user accounts and enforce per-user or per-certificate rate limits at the application layer, not only at the network or TLS layer.
• Implement short-lived client certificates and automate revocation when credentials are compromised or when suspicious activity is detected.
• Ensure that login endpoints requiring mTLS also apply application-specific authentication checks (e.g., validating password freshness, breached password detection) and do not rely solely on TLS authentication.
• Correlate TLS client certificate metadata (subject, serial) with authentication events to detect credential stuffing attempts that present valid mTLS credentials.

By combining mTLS with strong per-identity rate limiting and explicit binding between certificate identities and user accounts, you reduce the risk that stolen credentials can be used at scale while still leveraging mTLS for transport security.