Credential Stuffing in Rocket with Mutual Tls

Credential stuffing is an automated attack where attackers use previously leaked username and password pairs to gain unauthorized access. When an API is implemented using Rocket with mutual TLS (mTLS) as the sole authentication factor, the presence of mTLS can create a false sense of security and lead to misconfigured access controls, which may expose or exacerbate credential stuffing risks.

Rocket is a web framework for Rust. An API endpoint in Rocket can enforce mTLS by validating client certificates using a certificate authority (CA). While mTLS strongly authenticates clients, it does not prevent credential stuffing on endpoints that also accept username/password authentication. If an endpoint in Rocket combines mTLS with form-based or token-based credentials without additional protections, attackers can automate login attempts using credential lists, leveraging the mTLS channel to bypass IP-based or perimeter defenses.

Consider a Rocket route that requires both a client certificate and an API key passed in a header. If the API key is weak or leaked, an attacker can perform credential stuffing through the mTLS-secured channel. Because mTLS ensures the client possesses a valid certificate, the server may trust the session and focus validation primarily on the API key, inadvertently making automated credential testing more reliable from the attacker’s perspective.

Mutual TLS also introduces complexities around certificate management. If certificates are issued broadly or not revoked promptly when credentials are compromised, the attack surface for credential stuffing remains large. Furthermore, Rocket applications that use mTLS but lack rate limiting, account lockout, or anomaly detection on authentication endpoints are vulnerable to high-volume credential stuffing campaigns. The combination of mTLS with traditional credentials can thus shift attacks from perimeter exploitation to focused credential testing against authenticated pathways.

In practice, security scanners like middleBrick analyze such combinations by checking whether strong client authentication is paired with sufficient protections on user-supplied credentials. For example, an unauthenticated scan may detect that an endpoint enforces mTLS but still accepts a password parameter without rate limiting or multi-factor checks, highlighting a risky configuration.

To mitigate credential stuffing in Rocket while using mutual TLS, apply defense-in-depth: strengthen authentication, add anti-automation controls, and monitor for abuse. Below are concrete code examples and configurations for a Rocket application that uses mTLS correctly while minimizing credential stuffing risks.

First, configure Rocket to require and validate client certificates. Use the rocket::tls::TlsConfig to set up a certificate authority and require client authentication. The following example shows a Rocket configuration that enforces mTLS:

[default.tls]
certs = ["certs/ca.pem"]
client_ca = ["certs/ca.pem"]
require_client_auth = true

In your Rocket code, you can access the client certificate via request guards and combine it with additional checks. For example:

#[macro_use] extern crate rocket;

use rocket::http::Status;
use rocket::request::{self, Request, FromRequest};
use rocket::tls::ClientCert;

struct AuthenticatedClient { cert: ClientCert };

#[rocket::async_trait]
impl<'r> FromRequest<'r> for AuthenticatedClient {
    type Error = ();

    async fn from_request(request: &'r Request<'_>) -> request::Outcome<Self, Self::Error> {
        match request.guard::<&ClientCert>().await {
            request::Outcome::Success(cert) => request::Outcome::Success(AuthenticatedClient { cert }),
            request::Outcome::Forward(_) => request::Outcome::Failure((Status::Unauthorized, ())),
            request::Outcome::None => request::Outcome::Failure((Status::BadRequest, ())),
        }
    }
}

#[get("/secure")]
fn secure_endpoint(client: AuthenticatedClient) -> String {
    format!("Authenticated with cert: {}", client.cert.subject_name)
}

#[launch]
fn rocket() -> _ {
    rocket::build()
        .attach(TlsConfig::from_paths("certs/ca.pem", None, None).unwrap())
        .mount("/", routes![secure_endpoint])
}

Second, add rate limiting and multi-factor controls on authentication endpoints, even when mTLS is used. Use a crate like rocket_rate_limit or implement a custom guard to limit attempts per certificate+username pair:

use rocket::State;
use std::sync::Mutex;
use std::collections::HashMap;

struct RateLimiter {
    attempts: Mutex<HashMap<String, u32>>,
}

#[rocket::async_trait]
impl Fairing for RateLimiter {
    fn info(&self) -> FairingInfo {
        FairingInfo { ..FairingInfo::default() }
    }

    async fn on_request(&self, request: &mut Request<'_>) {
        let key = request.headers().get_one("X-Client-Cert").unwrap_or("unknown").to_string();
        let mut attempts = self.attempts.lock().unwrap();
        let count = attempts.entry(key).or_insert(0);
        *count += 1;
        if *count > 10 {
            request.reject();
        }
    }
}

// Attach RateLimiter to your Rocket instance
#[launch]
fn rocket() -> _ {
    rocket::build()
        .attach(TlsConfig::from_paths("certs/ca.pem", None, None).unwrap())
        .attach(RateLimiter { attempts: Mutex::new(HashMap::new()) })
        .mount("/", routes![login_endpoint])
}

Third, avoid relying solely on credentials passed over mTLS. Enforce strong password policies, use bcrypt for storage, and consider adding hardware-based second factors for high-privilege operations. middleBrick’s scans can validate that your endpoints include these protections by checking for proper rate limiting and credential handling alongside mTLS.

Finally, use the Rocket CLI tool to test your configuration: middlebrick scan <url>. This will surface findings such as missing rate limiting or weak authentication flows, helping you align mTLS usage with robust anti-credential stuffing measures.