Password Spraying in Axum with Api Keys

Password spraying is an authentication abuse technique where a small number of common passwords are tried against many accounts. When an API endpoint in Axum is protected only by static Api Keys and exposes account enumeration or timing differences, password spraying can be combined with Api Key misuse to amplify risk.

In Axum, handlers often validate a request by checking an Api Key header before inspecting a user credential. If the key is valid but the associated identity is inactive, suspended, or tied to a default password, an attacker can iterate passwords across multiple identities while each request returns a consistent 401 or 200 with different timing or error messages. This behavior enables an attacker to map valid identities and eventually guess weak passwords without triggering account lockout mechanisms that typically protect password-based flows.

Consider an endpoint that first authenticates via Api Key and then retrieves a user context from a database or configuration store. If the Api Key is leaked or shared broadly (for example, embedded in client-side code or logs), it effectively provides a reusable credential that bypasses normal login controls. The attacker can then perform password spraying against user-specific routes that rely on the identity derived from the key, testing passwords like Password1, Welcome2025, or Company@2024 across different usernames or subdomains. Because the attack originates from a legitimate key, standard rate-limiting tied to IPs may be insufficient if the key is considered trusted.

Real-world patterns observed in OWASP API Top 10 include broken object level authorization (BOLA) and excessive data exposure, which can intersect with password spraying when identity information is leaked through error messages or verbose responses. For example, a response that says "user not found" versus "invalid password" gives an attacker clear directional feedback. In Axum services that integrate identity frameworks or custom middleware, inconsistent handling of disabled accounts can further allow spraying to succeed against inactive users whose Api Keys remain valid due to misconfigured revocation logic.

An attacker using automated scripts can probe endpoints with rotated Api Keys obtained from insecure storage, public repositories, or supply-chain incidents. Each request may look legitimate from the server’s perspective, but the aggregate behavior reveals account validity and password reliability. Because Axum applications often rely on external authentication providers or databases, the backend may not enforce strict delays or lockout policies, enabling high-throughput spraying that is difficult to detect without specialized monitoring.

To detect this risk in practice, scanning an Axum API with middleBrick validates whether endpoints differentiate responses safely, whether rate limiting applies before identity resolution, and whether Api Key usage is monitored for unusual patterns. The tool checks for information leakage in error messages and evaluates whether authentication paths expose timing or status-code differences that facilitate password spraying.

Remediation focuses on removing reliance on static Api Keys for authorization, enforcing strict rate limits, and ensuring uniform response behavior. When Api Keys are necessary, they should be treated as high-privilege credentials and never used as the sole authentication factor for user-specific operations.

First, avoid using Api Keys to derive user identity for authorization checks. Instead, use the key strictly for service-to-service authentication and map it to a scoped role or policy that limits what actions can be performed. If user context is required, prompt for credentials after the key validation rather than inferring identity from the key alone.

Second, standardize responses for authentication failures. Return a consistent HTTP status code such as 401 with a generic body like {"error":"invalid_token"} regardless of whether the key is malformed, expired, or valid but insufficient. Avoid leaking information about username existence or password hints in headers or body.

Third, enforce global and per-key rate limits before performing any identity resolution. In Axum, this can be implemented using middleware that tracks request volume and applies throttling independent of authentication outcome.

Example: Secure Api Key validation with constant-time response in Axum

use axum::{http::StatusCode, response::IntoResponse, Json};
use serde::{Deserialize, Serialize};

#[derive(Deserialize)]
struct LoginAttempt {
    username: String,
    password: String,
}

#[derive(Serialize)]
struct ErrorResponse {
    error: String,
}

async fn login_handler(
    Json(payload): Json,
    axum::extract::State(config): axum::extract::State,
) -> impl IntoResponse {
    // Validate Api Key via middleware before reaching this handler
    // If key is invalid, middleware already returned a consistent 401

    // Always perform the same steps to prevent timing leaks
    let user = config.user_store.find_by_username(&payload.username).await;
    let valid_user = user.as_ref().map_or(false, |u| u.is_active);

    // Simulate password verification with constant-time comparison
    let password_valid = config
        .password_hasher
        .verify(&payload.password, user.as_ref().map(|u| &u.password_hash));

    // Constant-time branch: do not reveal which factor failed
    if valid_user && password_valid {
        (StatusCode::OK, Json(serde_json::json!({"token": "***"}))).into_response()
    } else {
        (StatusCode::UNAUTHORIZED, Json(ErrorResponse { error: "invalid_token".to_string() })).into_response()
    }
}

Fourth, rotate Api Keys regularly and store them securely using environment variables or a secrets manager. Do not embed keys in source code or configuration files that may be exposed. In Axum, load keys at startup and avoid runtime string comparisons that could be intercepted via logs.

Fifth, integrate middleBrick’s CLI to scan your endpoints and verify that authentication paths do not expose enumeration differences. Use middlebrick scan <url> to obtain a security risk score and prioritized findings. For teams managing many services, the Pro plan’s continuous monitoring and GitHub Action integration can fail builds if a new endpoint introduces non-uniform error handling or missing rate limiting around authentication.

Example: Middleware enforcing rate limits before authentication resolution

use axum::{async_trait, body::Body, extract::FromRequestParts, http::request::Parts, middleware, Response};
use std::{collections::HashMap, sync::Arc, time::{Duration, Instant}};

struct RateLimiter {
    limits: Arc>,
    state: Arc>>>,
}

impl RateLimiter {
    fn new() -> Self {
        Self {
            limits: Arc::new(HashMap::new()),
            state: Arc::new(std::sync::Mutex::new(HashMap::new())),
        }
    }
}

#[async_trait]
impl FromRequestParts for RateLimiter
where
    S: Send + Sync,
{
    type Rejection = Response;

    async fn from_request_parts(parts: &mut Parts, _state: &S) -> Result {
        let key = parts.headers.get("X-API-Key").and_then(|v| v.to_str().ok()).unwrap_or("unknown");
        let mut state = _state.mutex().unwrap();
        let timestamps = state.entry(key.to_string()).or_insert_with(Vec::new);
        let now = Instant::now();
        timestamps.retain(|t| now.duration_since(*t) < Duration::from_secs(60));
        if timestamps.len() > 100 {
            return Err(StatusCode::TOO_MANY_REQUESTS.into_response());
        }
        timestamps.push(now);
        Ok(RateLimiter { limits: Arc::clone(&limits), state })
    }
}

// Use in your router:
// let app = Router::new()
//     .route("/login", post(login_handler))
//     .layer(middleware::from_fn_with_state(db, |State(db), request, next| async move {
//         let _limiter = RateLimiter::from_request_parts(&mut request.parts(), &db).await?;
//         next.run(request).await
//     }));