Integrity Failures in Actix with Hmac Signatures

Integrity failures occur when an API does not adequately protect the integrity of requests and responses, allowing an attacker to alter data in transit or forge authenticated messages. In Actix-based services that rely on Hmac Signatures for request authentication, a common root cause is inconsistent or incomplete verification of the signature before processing business logic.

When Hmac Signatures are used, the client typically includes a signature in a header (e.g., X-Signature) computed over a canonical string that includes parts of the request such as the HTTP method, path, timestamp, nonce, and body. If the server-side Actix handler fails to validate the signature uniformly—such as by not verifying the timestamp window, not including the full raw body, or not enforcing a strict comparison—attackers can manipulate parameters, replay requests, or inject alternate content without detection.

Another specific exposure arises when middleware or route guards in Actix are configured to skip signature validation for certain paths or methods, or when developers accidentally exclude critical components (like the request body or a version header) from the signed string. This inconsistency means an attacker can submit a modified request where the body or an important parameter differs from what was signed, and the server will still accept it as valid. In JSON APIs, this might involve changing resource identifiers (BOLA/IDOR-like effects) or escalating privileges by toggling an is_admin flag that was not covered by the Hmac scope.

Additionally, if the server uses a weak or predictable key, or if the key is exposed in logs or error messages, the integrity guarantee provided by Hmac Signatures collapses. An attacker who can guess or obtain the key can forge messages that the Actix application will trust, leading to unauthorized operations. Even when the cryptographic construction is sound, implementation-level issues such as accepting multiple equivalent representations of the same data (e.g., different JSON key orderings or whitespace) can cause signature mismatches to be handled inconsistently, creating an avenue for bypass.

These integrity issues map to common categories in the OWASP API Top 10, such as Broken Object Level Authorization and Security Misconfiguration, and can be especially dangerous when combined with other weaknesses like insufficient input validation or missing rate limiting. middleBrick scans detect such inconsistencies by comparing the runtime behavior of endpoints with the definitions in an OpenAPI/Swagger spec, including $ref resolution, and flag cases where signature coverage is incomplete or verification logic is ambiguous.

To remediate integrity failures related to Hmac Signatures in Actix, ensure that signature verification is applied consistently to all relevant request dimensions and that the verification logic is strict and side-channel resistant. Below are concrete patterns and code examples that demonstrate a robust approach.

Canonical String Construction and Verification

Define a canonical representation that includes the HTTP method, request path, a timestamp, a nonce, and the raw request body. Use a constant-time comparison to prevent timing attacks. The following example shows a server-side handler in Actix-web that extracts, reconstructs, and verifies an Hmac signature.

use actix_web::{dev::Payload, web, Error, HttpRequest, HttpResponse};
use hmac::{Hmac, Mac};
use sha2::Sha256;
use std::time::{SystemTime, UNIX_EPOCH};

// Assume a secure key is loaded from configuration/secrets
static API_KEY: &[u8] = b"super-secret-key-kept-secure-and-rotated";

type HmacSha256 = Hmac;

async fn verify_hmac(req: &HttpRequest, payload_body: &str) -> bool {
    // Extract headers
    let signature_header = match req.headers().get("X-Signature") {
        Some(v) => match v.to_str().ok() {
            Some(s) => s,
            None => return false,
        },
        None => return false,
    };
    let timestamp = match req.headers().get("X-Timestamp") {
        Some(v) => match v.to_str().ok() {
            Some(s) => s,
            None => return false,
        },
        None => return false,
    };
    let nonce = match req.headers().get("X-Nonce") {
        Some(v) => match v.to_str().ok() {
            Some(s) => s,
            None => return false,
        },
        None => return false,
    };

    // Canonical string: METHOD PATH TIMESTAMP NONCE BODY
    let canonical = format!("{} {} {} {} {}", req.method(), req.path(), timestamp, nonce, payload_body);

    // Verify signature using constant-time comparison
    let mut mac = HmacSha256::new_from_slice(API_KEY).expect("HMAC can take key of any size");
    mac.update(canonical.as_bytes());
    let computed_signature = mac.finalize().into_bytes();

    // Decode the provided signature (assume hex-encoded)
    let provided_signature = match hex::decode(signature_header) {
        Ok(bytes) => bytes,
        Err(_) => return false,
    };

    // Use subtle::ConstantTimeEq to avoid timing leaks
    use subtle::ConstantTimeEq;
    computed_signature.ct_eq(&provided_signature).into()
}

async fn protected_handler(req: HttpRequest, body: String) -> HttpResponse {
    if !verify_hmac(&req, &body) {
        return HttpResponse::Unauthorized().body("Invalid signature");
    }
    // Process the request knowing integrity is preserved
    HttpResponse::Ok().body("Verified request")
}

Middleware Enforcement and Canonicalization

Apply signature verification in a dedicated Actix middleware so that all routes requiring integrity are covered uniformly. The middleware should read the raw body before deserialization to avoid issues with different JSON formatting or field ordering. Enforce checks for replay attacks by validating the timestamp window (for example, allowing a 5-minute skew) and maintaining a short-lived cache of used nonces.

use actix_web::{Error, HttpMessage, HttpRequest, dev::{ServiceRequest, ServiceResponse, Transform}, body::BoxBody};
use futures_util::future::{ok, Ready};
use std::task::{Context, Poll};

pub struct HmacValidation;

impl Transform for HmacValidation
where
    S: actix_web::dev::Service, Error = Error>,
    S::Future: 'static,
    B: 'static,
{
    type Response = ServiceResponse;
    type Error = Error;
    type Transform = HmacValidationMiddleware;
    type InitError = ();
    type Future = Ready>;

    fn new_transform(&self, service: S) -> Self::Future {
        ok(HmacValidationMiddleware { service })
    }
}

pub struct HmacValidationMiddleware {
    service: S,
}

impl actix_web::dev::Service for HmacValidationMiddleware
where
    S: actix_web::dev::Service, Error = Error>,
    S::Future: 'static,
    B: 'static,
{
    type Response = ServiceResponse;
    type Error = Error;
    type Future = std::pin::Pin>>>;

    fn poll_ready(&mut self, cx: &mut Context<'_>) -> Poll> {
        self.service.poll_ready(cx)
    }

    fn call(&mut self, req: ServiceRequest) -> Self::Future {
        // Extract body bytes before processing
        let body_bytes = req.take_payload().concat2();
        let fut = async move {
            let body_slice = body_bytes.await.map_err(|e| e.into_error())?;
            let body_str = std::str::from_utf8(&body_slice).unwrap_or("");

            if !super::hmac_verify::verify_hmac(&req, body_str).await {
                return Err(actix_web::error::ErrorUnauthorized("Invalid Hmac signature"));
            }

            let res = self.service.call(req).await?;
            Ok(res.map_into_right_body())
        };
        Box::pin(fut)
    }
}