Deserialization Attack in Actix (Rust)
Deserialization Attack in Actix with Rust — how this specific combination creates or exposes the vulnerability
A deserialization attack in an Actix web service written in Rust typically occurs when an endpoint accepts structured payloads (for example JSON or form data) and reconstructs objects from them without strict validation or type constraints. Actix web handlers often deserialize using serde_json::from_slice or similar mechanisms; if the handler trusts the incoming bytes fully, an attacker can supply crafted payloads that trigger unexpected behavior such as type confusion, resource exhaustion, or injection through nested or unexpected fields. The risk is not in Actix itself but in how developers integrate deserialization logic while handling unauthenticated input in a black-box scan context.
Consider an Actix endpoint that binds a complex struct directly from a JSON body:
#[derive(serde::Deserialize)]
struct UserUpdate {
username: String,
is_admin: bool,
preferences: serde_json::Value,
}
async fn update_user(body: web::Json<UserUpdate>) -> impl Responder {
// process update
HttpResponse::Ok().body("ok")
}
If preferences contains deeply nested structures or large arrays, deserialization can consume significant CPU and memory, enabling denial-of-service via resource exhaustion. Moreover, if the application later uses fields from the deserialized object in security-sensitive contexts (e.g., building queries or composing file paths), type confusion or injection may occur. For example, an attacker might send a JSON where is_admin is a string, relying on permissive deserialization settings to bypass expected type checks. In a black-box scan, middleBrick tests such unauthenticated attack surfaces by submitting inputs that probe for missing validation, excessive nesting, and unexpected type coercion.
Additionally, Actix applications that dynamically compose responses using deserialized data can inadvertently expose sensitive fields or enable injection into downstream systems. An attacker may provide a payload with crafted keys or values that, when reflected or stored, lead to information disclosure or command injection depending on how the server uses the data. The presence of serde_json::Value increases risk because it defers schema enforcement to runtime, which can be abused if the application does not validate content and structure explicitly. middleBrick’s checks for Input Validation and Data Exposure highlight these concerns by testing whether endpoints enforce strict schemas and whether sensitive data can be coaxed out through malformed payloads.
SSRF and external interaction risks can also emerge if deserialized data is used to construct URLs or network requests. For instance, if a field like webhook_url is taken directly from user-controlled JSON and later used to make an HTTP call, an attacker can supply internal endpoints or malicious domains, leading to SSRF. Actix does not prevent this by default; it is the developer’s responsibility to validate and restrict destinations. middleBrick tests SSRF by injecting typical internal IPs and domain variants to see if outbound connections are attempted or if responses reveal internal network details.
Finally, insecure default configurations around content types and size limits can exacerbate deserialization issues. If an Actix service accepts multiple content types without strict enforcement, an attacker might upload form data where JSON is expected, bypassing assumptions in the handler. Similarly, missing limits on payload size allow large payloads to burden parsers. middleBrick evaluates Rate Limiting and checks for missing size constraints as part of its unauthenticated scan, ensuring that endpoints reject abnormally large or malformed payloads before deserialization proceeds.
Rust-Specific Remediation in Actix — concrete code fixes
Rust’s type system and the serde ecosystem provide several mechanisms to reduce deserialization risk in Actix handlers. The primary approach is to enforce strict schemas, reject unknown fields, and avoid permissive types like serde_json::Value unless followed by explicit validation. Below are concrete, idiomatic fixes and code examples aligned with Actix patterns.
1) Use #[serde(deny_unknown_fields)] and explicit structs
Define your data structures with deny_unknown_fields to ensure any extra keys in the JSON cause a deserialization error rather than being silently ignored. Combine this with sized limits on strings and collections where possible.
#[derive(serde::Deserialize)]
#[serde(deny_unknown_fields)]
struct UserUpdate {
username: Username,
is_admin: bool,
preferences: Preferences,
}
#[derive(serde::Deserialize)]
#[serde(deny_unknown_fields)]
struct Preferences {
theme: String,
notifications_enabled: bool,
}
// Custom newtype to enforce length limits
struct Username(String);
impl<'de> serde::Deserialize<'de> for Username {
fn deserialize<D>(deserializer: D) -> Result<Self, D::Error>
where
D: serde::Deserializer<'de>,
{
let s = String::deserialize(deserializer)?;
if s.len() > 64 {
return Err(serde::de::Error::invalid_length(s.len(), &"username <= 64"));
}
// further validation can go here
Ok(Username(s))
}
}
This ensures the payload matches the expected shape and prevents attackers from injecting unexpected keys that could alter behavior.
2) Avoid serde_json::Value or validate it immediately
If you must accept flexible JSON, parse into Value and validate recursively before using. Do not pass raw Value to business logic without checks.
use serde_json::Value;
fn validate_preferences(value: &Value) -> bool {
match value {
Value::Object(map) => {
map.get("theme").and_then(Value::as_str).is_some()
&& map.get("notifications_enabled").and_then(Value::as_bool).is_some()
}
_ => false,
}
}
async fn update_user(body: web::Json<Value>) -> impl Responder {
if !validate_preferences(&body["preferences"]) {
return HttpResponse::BadRequest().body("invalid preferences");
}
// safe to use known structure
HttpResponse::Ok().body("ok")
}
3) Limit payload size at the Actix level
Configure payload limits to prevent resource exhaustion attacks. This is done when configuring the Actix server or the specific service, ensuring that oversized payloads are rejected before deserialization begins.
use actix_web::web::PayloadConfig;
use actix_web::{App, HttpServer};
#[actix_web::main]
async fn main() -> std::io::Result<()> {
HttpServer::new(|| {
App::new()
.app_data(PayloadConfig::new(256 * 1024)) // 256 KiB limit
.route("/update", web::post().to(update_user))
})
.bind("127.0.0.1:8080")?
.run()
.await
}
4) Validate and sanitize before use
Never use deserialized values directly in sensitive operations. For example, if a field is used to construct a database query, use parameterized queries rather than string interpolation. If it is used in file operations, sanitize path separators and disallow absolute paths.
async fn update_user(body: web::Json<UserUpdate>) -> impl Responder {
let user = &body.username;
// Use a parameterized query instead of string concatenation
let query = "UPDATE users SET username = $1 WHERE id = $2";
// db_client.execute(query, &[&user.0, &body.user_id]).await;
HttpResponse::Ok().body("ok")
}
5) Content-type strictness and safe defaults
Ensure the handler only accepts the expected content type and does not fall back to lenient parsing. In Actix you can enforce this with a guard or by inspecting the header before deserializing.
async fn update_user(
body: web::Json<UserUpdate>,
req: HttpRequest,
) -> impl Responder {
if req.headers().get("Content-Type").and_then(|v| v.to_str().ok()) != Some("application/json") {
return HttpResponse::UnsupportedMediaType().body("content-type must be application/json");
}
// process validated body
HttpResponse::Ok().body("ok")
}
By combining strict schemas, size limits, content-type enforcement, and runtime validation of flexible fields, Rust applications in Actix can mitigate deserialization risks effectively while preserving performance and type safety.