Arp Spoofing in Phoenix with Api Keys

Arp spoofing is a Layer 2 attack where an attacker sends falsified Address Resolution Protocol messages onto a local network to associate their MAC address with the IP address of a legitimate host, such as an API gateway or backend service in Phoenix. When this attack occurs in an environment that relies on API keys for authorization, the security implications are significant. API keys are typically transmitted in HTTP headers and are assumed to be safe if sent over HTTPS; however, arp spoofing can facilitate man-in-the-middle (MITM) positioning on the local network, allowing an attacker to observe or intercept traffic before it reaches the TLS layer.

In Phoenix deployments, services often communicate over HTTP/REST endpoints protected only by static API keys. If an attacker successfully spoofs ARP replies between a client and the API endpoint, the client may unknowingly send requests—including API key credentials—to the attacker’s machine. Because the attacker is on the same broadcast domain (for example, a shared VLAN or compromised host on the same subnet), they can capture these headers and harvest keys. Even if the API endpoint itself uses HTTPS, the attacker can still act as a proxy: the client sends traffic to the attacker (due to the spoofed ARP), and the attacker forwards it to the legitimate server, maintaining the TLS session while observing or modifying payloads. This exposes API keys in memory or logs if the client or server mishandles them, and can enable replay or injection attacks using the stolen keys.

The combination is particularly dangerous in cloud or containerized Phoenix environments where service discovery and dynamic networking can blur trust boundaries. An attacker who gains a foothold on one container or host can launch arp spoofing to pivot across services that rely on API keys for authentication but lack additional context-aware protections, such as mutual TLS or short-lived tokens. Because API keys are often long-lived and embedded in configuration or code, intercepted keys can lead to extended unauthorized access. MiddleBrick scans help detect unauthenticated endpoints and unusual patterns that could indicate an exposed attack surface, including services missing transport-layer protections or those susceptible to SSRF-assisted network attacks.

To mitigate arp spoofing risks when using API keys in Phoenix, shift from static header-based credentials to short-lived, context-bound tokens and enforce strict transport security. Below are concrete, realistic code examples using common Phoenix and Elixir patterns.

1. Enforce HTTPS and HTTP Strict Transport Security (HSTS)

Ensure all API endpoints are served exclusively over HTTPS and include HSTS headers to prevent downgrade attacks. In Phoenix, this is configured in the endpoint module:

defmodule MyAppWeb.Endpoint do
  use Phoenix.Endpoint, otp_app: :my_app

  if config_env() == :prod do
    # Force HTTPS
    plug Plug.SSL,
      rewrite_on: [:x_forwarded_proto],
      host: true

    # Enable HSTS (max-age in seconds)
    plug Plug.HTTPS, hsts: true
  end

  # ... other plugs
end

2. Rotate and Scope API Keys via Plug

Instead of using a single static API key, implement a per-request validation plug that checks keys against a short validity window or scoped permissions. This example demonstrates a simple key validation plug that also logs anomalies:

defmodule MyAppWeb.ApiKeyAuth do
  import Plug.Conn

  def init(opts), do: opts

  def call(conn, _opts) do
    case get_req_header(conn, "x-api-key") do
      [key] when key == System.get_env("EXPECTED_API_KEY") ->
        # Optionally validate key metadata from a cache or DB
        assign(conn, :api_key_valid, true)

      _ ->
        conn
        |> put_status(:unauthorized)
        |> json(%{error: "invalid_api_key"})
        |> halt()
    end
  end
end

Use this plug in your router or pipeline, and rotate keys via environment variables or a secrets manager. For production, prefer keys that are tied to specific IP ranges or VPC endpoints and rotate them frequently.

3. Add Request Signing with HMAC (Better than plain keys)

For higher assurance, replace static API keys with signed requests. The client generates a signature using a shared secret and includes it in headers; the server verifies the signature. Example client (HTTP client) and server verification in Phoenix:

# Client side (request generation)
secret = System.get_env("SHARED_SECRET")
nonce = System.unique_integer([:positive])
timestamp = DateTime.utc_now() |> DateTime.to_iso8601()
payload = "GET\n/api/data\n#{timestamp}\n#{nonce}"
signature = :crypto.hash(:sha256, secret, payload) |> Base.encode16()

headers = [
  {"x-timestamp", timestamp},
  {"x-nonce", nonce},
  {"x-signature", signature}
]

# Server side verification plug
  def call(conn, _opts) do
    with [timestamp] <- get_req_header(conn, "x-timestamp"),
         [nonce] <- get_req_header(conn, "x-nonce"),
         [signature] <- get_req_header(conn, "x-signature"),
         true <- valid_timestamp?(timestamp), # reject old requests
         expected = compute_signature(secret, conn.method, conn.request_path, timestamp, nonce),
         true <- timing_safe_compare(expected, signature) do
      assign(conn, :request_authenticated, true)
    else
      _ ->
        conn |> put_status(:unauthorized) |> json(%{error: "invalid_signature"}) |> halt()
    end
  end

This approach limits exposure even if a key is intercepted, because signatures are tied to the request method, path, timestamp, and nonce. Combined with rate limiting and network segmentation, it reduces the impact of arp spoofing.