Rainbow Table Attack in Axum
How Rainbow Table Attack Manifests in Axum
In an Axum service, a rainbow table attack becomes possible when password verification relies on a fast, unsalted hash function such as SHA‑256 or MD5. Because Axum handlers are plain Rust functions, the vulnerability often appears directly in the request‑processing code where the incoming credential is compared against a stored digest.
use axum::extract::Json;
use axum::response::IntoResponse;
use axum::routing::post;
use axum::Router;
use serac::Deserialize;
use sha2::{Sha256, Digest};
#[derive(Deserialize)]
struct LoginPayload {
username: String,
password: String,
}
async fn login(Json(payload): Json) -> impl IntoResponse {
// ❌ Vulnerable: unsalted SHA‑256, no work factor
let mut hasher = Sha256::new();
hasher.update(&payload.password);
let input_hash = format!("{:x}", hasher.finalize());
// Imagine this comes from a database
let stored_hash = "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8"; // hash of "password"
if input_hash == stored_hash {
"Access granted"
} else {
(axum::http::StatusCode::UNAUTHORIZED, "Invalid credentials")
}
}
let app = Router::new().route("/login", post(login));
The code above shows a typical Axum login endpoint that hashes the supplied password with SHA‑256 and compares it to a stored hash. Because the hash is unsalted and computationally cheap, an attacker who obtains the hash database can pre‑compute a rainbow table for common passwords and reverse the hash instantly. This pattern is common in Axum projects that implement custom authentication helpers or rely on low‑level crates without integrating a proper password‑hashing library.
Axum-Specific Detection
middleBrick’s unauthenticated black‑box scan will flag this issue under the "Data Exposure" and "Authentication" categories. The scanner sends a series of login attempts with common passwords and measures response timing; if the endpoint returns success for weak passwords without rate‑limiting or lockout, it raises a finding. Additionally, middleBrick inspects any exposed OpenAPI/Swagger spec and notes the use of a plain string field for passwords without a format: password hint or any indication of hashing.
You can run the check locally with the middleBrick CLI:
Axum-Specific Remediation
The fix is to replace the ad‑hoc SHA‑256 hash with a purpose‑built password‑hashing function that incorporates a per‑user salt and a configurable work factor. In the Rust ecosystem, the argon2 and bcrypt crates are the most common choices. Below is the same login endpoint rewritten to use Argon2id via the argon2 crate.
Frequently Asked Questions
Does middleBrick need any agents or credentials to detect a rainbow table vulnerability in my Axum API?
No. middleBrick performs an unauthenticated, black‑box scan by simply submitting the target URL; it requires no agents, configuration, or credentials.Can I enforce a minimum security score for my Axum service in a GitHub Actions workflow using middleBrick?
Yes. The middleBrick GitHub Action lets you specify a fail‑below threshold (e.g., fail-below: B) so the workflow will fail if the scan returns a score lower than that level.