Dictionary Attack in Fastapi with Cockroachdb

A dictionary attack against a Fastapi service backed by Cockroachdb typically exploits weak authentication endpoints where usernames or emails are verified via SQL queries before password checks. If the login route performs a lookup such as SELECT * FROM users WHERE email = $1 without constant-time comparison, an attacker can use timing differences to infer valid accounts. Cockroachdb, while strongly consistent and resilient to node failures, does not inherently prevent timing-based side channels introduced by application logic. When Fastapi endpoints are rate-limited only per IP rather than per user or globally, attackers can iterate through common passwords at high speed, making authentication brute-force feasible.

The combination amplifies risk when session management is weak. After a successful dictionary-based credential guess, Fastapi may issue a JWT or session cookie without enforcing multi-factor authentication or suspicious geo-location checks. Cockroachdb stores these session records; if session tokens are predictable or not properly invalidated on logout, attackers can reuse captured tokens. Moreover, if error messages differ between "user not found" and "invalid password," the database indirectly leaks existence of accounts, aiding iterative guessing. Unauthenticated attack surface, such as open health checks or debug endpoints, can also expose login routes that directly query Cockroachdb without additional safeguards.

OpenAPI specifications exposed by Fastapi can inadvertently reveal login paths and parameter names, giving attackers a roadmap for crafting dictionary payloads. middleBrick scans this surface, testing authentication mechanisms and checking for BOLA/IDOR patterns where predictable identifiers allow horizontal privilege escalation across user accounts stored in Cockroachdb. The scanner runs 12 parallel checks, including authentication, input validation, rate limiting, and unsafe consumption, to detect whether login endpoints are vulnerable to credential spraying or token replay. Findings highlight whether error handling, token rotation, and query structure align with secure patterns, referencing real attack vectors like OWASP API Top 10:2023 – Broken Authentication and relevant guidance for mitigation.

Remediation focuses on consistent response times, strict rate limiting, and secure session handling. Use constant-time comparison for credentials and avoid branching on sensitive data. Below is a Fastapi example that safely authenticates against Cockroachdb using hashed passwords and generic error messages, integrated with a sliding window rate limit to deter high-volume dictionary attempts.

from fastapi import Fastapi, HTTPException, Depends, status
from pydantic import BaseModel
import hashlib, hmac, time
import asyncpg

app = Fastapi()

# Simple rate-limit store (use Redis or Cockroachdb for distributed setups)
login_attempts = {}

def verify_password(plain: str, hashed: bytes) -> bool:
    return hmac.compare_digest(hashlib.sha256(plain.encode()).digest(), hashed)

async def get_user_by_email(email: str) -> dict | None:
    conn = await asyncpg.connect(
        host='cockroachdb-host',
        port=26257,
        user='root',
        database='appdb',
        password='strongpassword'
    )
    try:
        row = await conn.fetchrow('SELECT id, email, password_hash FROM users WHERE email = $1', email)
        return dict(row) if row else None
    finally:
        await conn.close()

@app.post('/login')
async def login(payload: dict):
    email = payload.get('email', '').strip().lower()
    password = payload.get('password', '')
    # Rate limit per email to prevent targeted spraying
    key = f'login:{email}'
    now = time.time()
    attempts = login_attempts.get(key, [])
    attempts = [t for t in attempts if now - t < 60]  # 1-minute window
    if len(attempts) >= 10:
        raise HTTPException(status_code=429, detail='Too many attempts')
    user = await get_user_by_email(email)
    # Constant-time check with dummy hash if user not found
    dummy_hash = hashlib.sha256(b'dummy').digest()
    stored = user['password_hash'] if user else dummy_hash
    if not verify_password(password, stored):
        login_attempts.setdefault(key, []).append(now)
        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail='Invalid credentials')
    login_attempts[key] = []  # reset on success
    return {'token': 'secure-jwt-here'}

On the Cockroachdb side, ensure that the users table uses a secure hash such as bcrypt or argon2 and that columns storing secrets are encrypted at rest. Enforce unique constraints on email to prevent duplicates that could be leveraged for enumeration. middleBrick’s CLI can be invoked as middlebrick scan <url> to verify that login endpoints do not leak timing information or expose stack traces. For teams needing automated oversight, the Pro plan’s continuous monitoring and GitHub Action integration can enforce a maximum risk score in CI/CD pipelines, while the Web Dashboard provides per-category breakdowns to track improvements over time.

Additionally, align error handling with secure coding standards: return the same HTTP status code and generic message for both missing users and incorrect passwords. Log failed attempts server-side without exposing details to the client. If using JWTs, set short expiration, rotate signing keys periodically, and store tokens in httpOnly, Secure cookies where possible. These measures reduce the effectiveness of dictionary attacks and ensure that even if an attacker enumerates valid accounts, the impact is limited.