Nosql Injection in Actix with Mutual Tls

When an Actix web service accepts untrusted input and uses it to build a NoSQL query, NoSQL Injection can occur regardless of whether the transport is protected by Mutual TLS. Mutual TLS authenticates the client to the server and encrypts the channel, but it does not change how the server parses and uses request data. If an endpoint concatenates user-controlled values into a MongoDB or CouchDB query, an authenticated client can inject operators such as $ne, $where, or $or to bypass authorization or exfiltrate data. The risk is especially subtle in Actix because developers may assume that mTLS alone constrains what a valid client can send, while the application logic still treats the payload as trusted.

Consider an Actix handler that uses a JSON body to filter user records. Without input validation, an attacker can supply {"username": {"$ne": ""}} to retrieve all users, or {"role": {"$in": [{"$ne": "user"}]}} to escalate privileges. These payloads are delivered over an mTLS-encrypted connection, so the server sees a properly authenticated client. The server then deserializes the JSON and directly interpolates it into a query, effectively treating attacker-controlled structure as part of the query language. This is a classic NoSQL Injection (OWASP API Top 10:2023 A1 — Broken Object Level Authorization, often realized through injection), and it maps to real-world techniques such as MongoDB injection documented in CVE-2019-21697-like patterns where query selectors are manipulated to bypass intended filters.

middleBrick scans this surface during black-box testing by submitting authenticated-like requests (using the submitted mTLS client certificate when configured in testing scenarios) and observing whether operators are interpreted as query logic rather than literal data. The scanner checks for unvalidated use of operators such as $gt, $lt, $regex, and $where in inputs that reach the database layer. Even with mTLS ensuring identity, the absence of schema validation and strict type checking allows attackers to manipulate query semantics. Proper remediation requires treating all external data as untrusted, regardless of transport security, and enforcing strict allowlists on field names and values before constructing queries.

In an Actix service using a MongoDB driver, a vulnerable pattern might look like extracting a JSON value and passing it directly into a filter document. An attacker who controls the JSON can introduce nested operators that the driver interprets as command syntax. middleBrick’s LLM/AI Security checks are not relevant here, but its standard API security checks validate whether input validation and property authorization prevent such injection. The scanner’s unauthenticated attack surface testing can simulate an authenticated client over mTLS to verify that query building is guarded by explicit schema validation and that runtime behavior does not inadvertently honor injection operators.

Securing an Actix service with Mutual TLS does not remove the need for input validation and query parameterization. mTLS ensures that only clients with a trusted certificate can connect, but the application must still validate and sanitize the content of each request. To remediate NoSQL Injection, define strict schemas for incoming JSON, reject fields that are not expected, and avoid building queries by string concatenation. Use typed structures and safe query builder methods instead of raw operator insertion.

Below are concrete Actix examples that demonstrate how to combine mTLS with safe data handling. The first snippet shows a minimal Actix server configured for Mutual TLS using Rust’s native TLS acceptor. The server requires client certificates and presents its own certificate chain.

use actix_web::{web, App, HttpServer, Responder};
use actix_web::http::header::CONTENT_TYPE;
use actix_web::web::Json;
use serde::{Deserialize, Serialize};

#[derive(Deserialize, Serialize)]
struct UserFilter {
    username: String,
    role: String,
}

async fn filter_users(body: Json) -> impl Responder {
    // Safe: use structured data, avoid raw query building
    let filter_doc = bson::doc! {
        "username": &body.username,
        "role": &body.role,
    };
    // Assume collection.find(filter_doc) is used safely
    format!("Filtering for {} with role {}", body.username, body.role)
}

#[actix_web::main]
async fn main() -> std::io::Result<()> {
    HttpServer::new(|| {
        App::new()
            .route("/users", web::post().to(filter_users))
    })
    .bind_openssl(
        "127.0.0.1:8443",
        {
            let mut builder = openssl::ssl::SslAcceptor::mozilla_intermediate(openssl::ssl::SslMethod::tls()).unwrap();
            builder.set_private_key_file("key.pem", openssl::ssl::SslFiletype::PEM).unwrap();
            builder.set_certificate_chain_file("cert.pem").unwrap();
            builder.set_client_ca_list_file("ca.pem", openssl::ssl::SslFiletype::PEM).unwrap();
            builder.set_verify(openssl::ssl::SslVerifyMode::PEER | openssl::ssl::SslVerifyMode::FAIL_IF_NO_PEER_CERT, 
                |_, _| true);
            builder.build()
        },
    )
    .unwrap()
    .run()
    .await
}

The second snippet emphasizes strict schema validation before using values in a database query. Instead of directly passing JSON into a filter, fields are checked against an allowlist, and operators are never interpreted from user input.

use actix_web::web::Json;
use serde::{Deserialize, Serialize};

#[derive(Deserialize, Serialize)]
struct SafeUserFilter {
    username: String,
    role: String,
}

fn build_safe_filter(filter: &SafeUserFilter) -> bson::Document {
    // Explicit construction, no operator injection possible
    bson::doc! {
        "username": filter.username,
        "role": filter.role,
    }
}

async fn safe_filter_users(body: Json) -> String {
    let doc = build_safe_filter(&body);
    // Use doc with a driver method that does not interpret operators
    format!("Safe query: {:?}", doc)
}

These examples show that mTLS secures the channel and client identity, but the application must still enforce schema constraints and avoid dynamic query assembly. middleBrick’s dashboard and CLI can be used to verify that endpoints reject unexpected fields and that runtime behavior does not expose operators in query construction.