Data Exposure in Actix with Basic Auth
Data Exposure in Actix with Basic Auth — how this specific combination creates or exposes the vulnerability
Actix is a widely used Rust web framework that provides strong performance and type safety. When Basic Authentication is used without additional protections, two characteristics of Actix can contribute to data exposure in unauthenticated scans:
- Routing and handler exposure: Actix applications often expose multiple routes under common prefixes. If an endpoint relies solely on Basic Auth for access control and returns sensitive data (for example, user details, tokens, or internal objects), a black-box scan that does not send credentials can still observe data leaks if the handler does not consistently reject unauthenticated requests.
- Serialization behavior: Actix-web typically serializes response bodies using Serde. If a handler accidentally includes sensitive struct fields (such as internal IDs, emails, or session metadata) and the developer assumes authentication will always block access, an unauthenticated probe can receive those fields in JSON or XML responses. This becomes especially relevant when CORS or debug handlers are present, as they may relax expected origin or header constraints.
middleBrick tests this combination by sending requests without credentials and checking whether responses contain data that should be restricted. Findings categorized under Data Exposure often include plaintext secrets in JSON, verbose stack traces, or overly permissive CORS headers that allow cross-origin leakage. These findings map to OWASP API Top 10 (2023) API1:2023 — Broken Object Level Authorization and API2:2023 — Broken Authentication, and can intersect with compliance requirements such as PCI-DSS and GDPR if personal data is exposed.
In practice, a scan may detect an Actix endpoint that returns a 200 status with user profile data despite missing or malformed Authorization headers. This indicates the handler does not properly gate data behind authentication checks, or that the middleware responsible for validating credentials is misconfigured or bypassed. Because Basic Auth credentials are base64-encoded and not encrypted without TLS, an attacker on a shared network could intercept them; scanning over HTTP can therefore reveal whether the application depends on transport security alone, which is insufficient for protecting data in modern threat models.
When such findings appear in a middleBrick report, they include severity, affected endpoint, request/response samples, and remediation guidance. The tool also cross-references any OpenAPI/Swagger spec (2.0, 3.0, 3.1) with full $ref resolution to see whether security schemes are declared but not enforced at the handler level, helping developers understand whether the design intent mismatches runtime behavior.
Basic Auth-Specific Remediation in Actix — concrete code fixes
Remediation focuses on ensuring that every handler requiring authentication validates credentials explicitly and never relies on obscurity or transport security alone. Below are concrete Actix examples that demonstrate secure patterns.
Example 1: Explicit Basic Auth validation in a handler
Use middleware or extractor-level checks rather than relying on route ordering. This pattern validates credentials and returns 401 before processing business logic.
use actix_web::{web, App, HttpResponse, HttpServer, Responder, dev::ServiceRequest, Error};
use actix_web::http::header::HeaderValue;
use actix_web::http::StatusCode;
use base64::decode;
async fn validate_credentials(req: ServiceRequest) -> Result {
const VALID_USER: &str = "admin";
const VALID_PASS: &str = "S3cur3P@ss!";
let auth_header = req.headers().get("authorization")
.ok_or((StatusCode::UNAUTHORIZED, "Missing Authorization header".into()))?;
let auth_str = auth_header.to_str().map_err(|_| (StatusCode::UNAUTHORIZED, "Invalid header format".into()))?;
if !auth_str.starts_with("Basic ") {
return Err((StatusCode::UNAUTHORIZED, "Invalid authentication scheme".into()));
}
let encoded = auth_str.trim_start_matches("Basic ");
let decoded = decode(encoded).map_err(|_| (StatusCode::UNAUTHORIZED, "Invalid base64"))?;
let creds = String::from_utf8(decoded).map_err(|_| (StatusCode::UNAUTHORIZED, "Invalid credentials format"))?;
let parts: Vec<&str> = creds.splitn(2, ':').collect();
if parts.len() != 2 || parts[0] != VALID_USER || parts[1] != VALID_PASS {
return Err((StatusCode::UNAUTHORIZED, "Invalid username or password".into()));
}
Ok(req)
}
async fn secure_profile() -> impl Responder {
HttpResponse::Ok().json(serde_json::json!({ "profile": "public info" }))
}
#[actix_web::main]
async fn main() -> std::io::Result<()> {
HttpServer::new(|| {
App::new()
.route("/api/profile", web::get().to(|req: ServiceRequest| async move {
validate_credentials(req).await?;
secure_profile().await
}))
})
.bind("127.0.0.1:8080")?
.run()
.await
}
Example 2: Using default headers and guards for CORS and error handling
Ensure responses do not include sensitive headers and that CORS does not inadvertently widen exposure. Combine middleware with secure defaults.
use actix_cors::Cors;
use actix_web::{web, App, HttpResponse, HttpServer, Responder, Result};
async fn get_user_data() -> Result<impl Responder> {
// Only return data after explicit auth checks upstream
Ok(HttpResponse::Ok()
.insert_header(("X-Content-Type-Options", "nosniff"))
.json(serde_json::json!({ "user": "alice", "role": "admin" })))
}
#[actix_web::main]
async fn main() -> std::io::Result<()> {
let cors = Cors::default()
.allowed_origin("https://trusted.example.com")
.allowed_methods(vec!["GET"])
.max_age(3600);
HttpServer::new(move || {
App::new()
.wrap(cors.clone())
.route("/api/user", web::get().to(get_user_data))
})
.bind("127.0.0.1:8080")?
.run()
.await
}
Key points for remediation:
- Always require credentials via an extractor or middleware and return 401 for missing or invalid authentication.
- Never include sensitive fields in responses, even if tests are run without credentials; validate serialization output.
- Use HTTPS in production to protect credentials in transit; Basic Auth over HTTP is unsafe regardless of other controls.
- Audit CORS and debug routes to ensure they do not relax security requirements or expose additional data.
After applying these fixes, re-run the middleBrick scan to confirm that Data Exposure findings are resolved and that no new issues are introduced.
Related CWEs: dataExposure
| CWE ID | Name | Severity |
|---|---|---|
| CWE-200 | Exposure of Sensitive Information | HIGH |
| CWE-209 | Error Information Disclosure | MEDIUM |
| CWE-213 | Exposure of Sensitive Information Due to Incompatible Policies | HIGH |
| CWE-215 | Insertion of Sensitive Information Into Debugging Code | MEDIUM |
| CWE-312 | Cleartext Storage of Sensitive Information | HIGH |
| CWE-359 | Exposure of Private Personal Information (PII) | HIGH |
| CWE-522 | Insufficiently Protected Credentials | CRITICAL |
| CWE-532 | Insertion of Sensitive Information into Log File | MEDIUM |
| CWE-538 | Insertion of Sensitive Information into Externally-Accessible File | HIGH |
| CWE-540 | Inclusion of Sensitive Information in Source Code | HIGH |