Hallucination Attacks in Axum with Dynamodb

Hallucination attacks in an Axum service that uses DynamoDB as a backend occur when an application returns fabricated or misleading data that appears authoritative. Because Axum is a Rust web framework and DynamoDB is a managed NoSQL store, the risk centers on how data is queried, merged, and presented rather than on a flaw in middleBrick itself.

One common pattern is a DynamoDB query that uses a Scan or Query with an incomplete filter, then the application fills missing fields with locally generated content. For example, an endpoint that retrieves user profile data might query DynamoDB for a subset of attributes and, if fields like bio or preferences are missing, synthesize plausible values. An attacker can exploit this by supplying identifiers that do not exist or that map to partial records, causing the service to return convincingly structured but entirely invented information.

Insecure deserialization and type confusion can amplify the issue. If Axum routes deserialize incoming JSON into Rust structs with permissive field handling (e.g., Option<T> with defaults), an attacker may submit identifiers that map to sparse items in DynamoDB. The service may then merge default or synthetic values into the response, creating a hallucinated record that seems consistent and authoritative. PII can also be introduced when synthesized fields inadvertently resemble real user data, increasing the risk of data exposure in responses.

Another vector involves pagination and inconsistent index usage. An Axum handler might query a global secondary index that does not cover all attributes, then fabricate missing attributes to present a complete object. Because DynamoDB does not enforce a schema, items in the same table can have varying attribute sets. If the handler assumes all attributes are present and fills gaps with generated content, an attacker can probe with IDs that hit sparse items, producing responses that mix real DynamoDB data with invented content. This behavior can be chained with SSRF or input validation weaknesses to amplify impact, especially if the handler passes user-controlled identifiers into downstream requests without strict validation.

LLM/AI Security checks in middleBrick highlight these risks by detecting patterns where API responses include synthesized content not directly sourced from DynamoDB, such as outputs containing API keys or code-like strings that should not appear in ordinary profile data. While middleBrick does not remediate, its findings map to OWASP API Top 10 and can inform defensive changes in Axum route logic and DynamoDB access patterns.

Remediation focuses on strict validation, complete data retrieval, and deterministic responses. In Axum, implement handlers that validate identifiers before querying DynamoDB, ensure queries retrieve all required attributes, and avoid synthesizing missing fields.

Use strongly-typed structures and conditional checks instead of filling gaps with generated content. For example, define a DynamoDB record model that mirrors the expected attributes, and reject responses when the item does not match the expected shape.

use aws_sdk_dynamodb::types::AttributeValue;
use serde::{Deserialize, Serialize};

#[derive(Debug, Clone, Serialize, Deserialize)]
struct UserProfile {
    user_id: String,
    email: String,
    bio: Option,
    preferences: Option,
}

impl TryFrom for UserProfile {
    type Error = String;

    fn try_from(item: aws_sdk_dynamodb::types::Item) -> Result {
        let user_id = item.get("user_id")
            .and_then(|v| v.as_s().ok())
            .map(|s| s.to_string())
            .ok_or("Missing or invalid user_id")?;
        let email = item.get("email")
            .and_then(|v| v.as_s().ok())
            .map(|s| s.to_string())
            .ok_or("Missing or invalid email")?;
        let bio = item.get("bio").and_then(|v| v.as_s().ok()).map(|s| s.to_string());
        let preferences = item.get("preferences").and_then(|v| v.as_s().ok()).map(|s| s.to_string());
        Ok(UserProfile { user_id, email, bio, preferences })
    }
}

async fn get_profile(
    client: &aws_sdk_dynamodb::Client,
    table_name: &str,
    user_id: &str,
) -> Result {
    if user_id.is_empty() {
        return Err((StatusCode::BAD_REQUEST, "Invalid user_id".into()));
    }
    let resp = client.get_item()
        .table_name(table_name)
        .key("user_id", AttributeValue::S(user_id.to_string()))
        .consistent_read(true)
        .send()
        .await
        .map_err(|e| (StatusCode::INTERNAL_SERVER_ERROR, e.to_string()))?;

    let item = resp.item().ok_or((StatusCode::NOT_FOUND, "Profile not found".to_string()))?;
    UserProfile::try_from(item.clone()).map_err(|e| (StatusCode::BAD_REQUEST, e))?;
    // Only return data that exists in DynamoDB; do not synthesize missing fields.
    Ok(UserProfile::try_from(*item).unwrap()) // handle error properly in production
}

Enforce attribute presence checks and reject partial records. If critical attributes are missing, return a 400 or 404 instead of fabricating values. This prevents an attacker from exploiting sparse items to generate convincing hallucinations.

Apply strict input validation on identifiers and use parameterized queries to avoid injection or malformed queries. For pagination, ensure index definitions include all required attributes or handle missing attributes explicitly rather than inventing defaults. Configure DynamoDB with appropriate condition expressions to enforce expected item structures when feasible.

middleBrick can be integrated into your workflow using the CLI (middlebrick scan <url>), the GitHub Action to fail builds on low security scores, or the MCP Server in compatible IDEs. These integrations help detect patterns that may lead to hallucination attacks by correlating API behavior with DynamoDB access patterns, supporting compliance mappings to OWASP API Top 10 and other frameworks.