Request Smuggling in Actix with Bearer Tokens
Request Smuggling in Actix with Bearer Tokens — how this specific combination creates or exposes the vulnerability
Request smuggling occurs when an intermediary (such as a load balancer or reverse proxy) and an origin server interpret the boundaries of an HTTP request differently. In Actix applications that rely on Bearer Tokens for authorization, smuggling can expose protected endpoints or cause authorization mismatches if requests are parsed inconsistently. This specific combination is risky because the presence of authentication tokens often drives authorization decisions after the request has been forwarded, and smuggling can allow an attacker to manipulate which request the server processes as authenticated.
Actix-web is an asynchronous Rust framework. When you configure Actix to require Bearer Tokens—typically via an extractor that inspects the Authorization header—authorization is applied to the request as Actix sees it. If a fronting proxy uses different buffering or chunked transfer parsing than Actix, a request that appears valid to the proxy can be interpreted differently by Actix. For example, a smuggled request might move the Authorization header to a secondary request that lacks valid credentials, or it might cause the header to be applied to a different route than intended. Because Actix validates Bearer Tokens per-request, a smuggled request could execute with higher privileges or bypass intended authentication checks, leading to BOLA/IDOR or unauthorized access.
Consider an API that accepts both unauthenticated public endpoints and authenticated routes guarded by Bearer Token extraction. If an attacker can smuggle a request so that a single TCP stream is parsed as two requests by the server, they may be able to inject an authenticated request where none was intended. Real-world patterns include mismatched handling of Content-Length versus Transfer-Encoding, especially when requests include a body and custom headers like Authorization. In such cases, the first request might be public, while the second—smuggled—carries a Bearer Token and accesses private data or performs privileged actions. This undermines the protection that Bearer Tokens provide and can map to OWASP API Top 10 A01: Broken Object Level Authorization when the boundary confusion leads to IDOR.
An example of a vulnerable Actix configuration is one where token extraction is performed via a middleware or guard that inspects headers late in the pipeline, after routing has been partially decided. If a front-end normalizes headers differently (for example, lowercasing or collapsing Authorization), while Actix preserves them, smuggling can redirect a token to an unintended handler. Attackers can chain this with known request smuggling techniques—such as using carefully crafted Content-Length and Transfer-Encoding headers—to test unauthenticated attack surfaces and observe whether Bearer Token validation is consistently enforced across both the proxy and the application.
To detect this risk, scanning should include unauthenticated probes that send ambiguous or malformed framing headers alongside Authorization. The scan checks whether the server treats these requests consistently and whether the Bearer Token is applied to the correct logical request. Findings typically highlight inconsistencies in how headers are interpreted, which can then be correlated with the API specification to see whether routes intended to be public are mistakenly protected—or left open—due to smuggling-induced authorization confusion.
Bearer Tokens-Specific Remediation in Actix — concrete code fixes
Remediation focuses on ensuring consistent parsing of requests and strict validation of Bearer Tokens before any authorization-sensitive operation. You should enforce a single, canonical way to represent requests internally and validate tokens early. Below are concrete Actix code examples that demonstrate secure handling of Bearer Tokens.
Example 1: Secure Bearer Token extraction as an extractor
Define a custom extractor that validates the Authorization header and fails the request if the token is malformed or missing. This ensures every route that requires authentication explicitly receives a verified token.
use actix_web::{dev::ServiceRequest, error::ErrorUnauthorized, web, HttpRequest, HttpResponse, Error};
use actix_web::http::header::HeaderValue;
use futures_util::future::{ok, Ready};
use std::task::{Context, Poll};
use actix_web::dev::Transform;
use std::pin::Pin;
pub struct AuthenticatedRequest {
pub user_id: String,
}
pub struct BearerTokenExtractor {
token: String,
}
impl BearerTokenExtractor {
pub fn new(token: String) -> Self {
Self { token }
}
}
// Simplified extractor implementation
impl actix_web::FromRequest for BearerTokenExtractor {
type Config = ();
type Result = Result;
fn from_request(req: &HttpRequest, _: &mut actix_web::dev::Payload) -> Self::Result {
let headers = req.headers();
let auth = headers.get("Authorization")
.ok_or_else(|| ErrorUnauthorized("missing authorization header"))?;
let header_value = auth.to_str().map_err(|_| ErrorUnauthorized("invalid header"))?;
if !header_value.starts_with("Bearer ") {
return Err(ErrorUnauthorized("invalid authorization scheme"));
}
let token = header_value[7..].trim().to_string();
if token.is_empty() {
return Err(ErrorUnauthorized("token is empty"));
}
// Here you can add additional validation, e.g., verify token against a JWKS or introspection endpoint
Ok(BearerTokenExtractor { token })
}
}
// Middleware to enforce consistent host and header normalization
pub struct RequestNormalization;
impl Transform for RequestNormalization
where
S: actix_web::dev::Service, Error = Error>,
S::Future: 'static,
B: 'static,
{
type Response = actix_web::dev::ServiceResponse;
type Error = Error;
type InitError = ();
type Transform = RequestNormalizationMiddleware;
type Future = Ready>;
fn new_transform(&self, service: S) -> Self::Future {
ok(RequestNormalizationMiddleware { service })
}
}
pub struct RequestNormalizationMiddleware {
service: S,
}
impl actix_web::dev::Service for RequestNormalizationMiddleware
where
S: actix_web::dev::Service, Error = Error>,
S::Future: 'static,
B: 'static,
{
type Response = actix_web::dev::ServiceResponse;
type Error = Error;
type Future = std::pin::Pin>>>;
fn poll_ready(&mut self, cx: &mut Context<'_>) -> Poll> {
self.service.poll_ready(cx)
}
fn call(&mut self, req: ServiceRequest) -> Self::Future {
// Normalize headers: ensure Authorization is treated as case-insensitive by the framework
// and avoid duplicate headers that could enable smuggling.
let headers = req.headers_mut();
// Example: remove any non-standard duplicates
if let Some(auth) = headers.get_all("Authorization").iter().skip(1).next() {
headers.remove("Authorization");
headers.insert("Authorization", auth.clone());
}
let fut = self.service.call(req);
Box::pin(async move {
let res = fut.await?;
Ok(res)
})
}
}
// Usage in Actix app
async fn protected_route(token: BearerTokenExtractor) -> HttpResponse {
HttpResponse::Ok().body(format!("Authenticated as: {}", token.token))
}
#[actix_web::main]
async fn main() -> std::io::Result<()> {
use actix_web::{App, HttpServer, middleware::Logger};
HttpServer::new(|| {
App::new()
.wrap(Logger::default())
.wrap(RequestNormalization)
.route("/secure", actix_web::web::get().to(protected_route))
})
.bind("127.0.0.1:8080")?
.run()
.await
}
Example 2: Enforce HTTPS and strict header handling in Actix middleware
Ensure all requests use HTTPS and that the Authorization header is not duplicated or altered by intermediaries. The following snippet shows how to reject requests that do not use secure transport and to enforce a single canonical Authorization header.
use actix_web::{dev::ServiceRequest, error::ErrorForbidden, web, HttpRequest, HttpResponse, Error};
use actix_web::dev::Transform;
use std::future::{ready, Ready};
pub struct HttpsAndBearerOnly;
impl Transform for HttpsAndBearerOnly
where
S: actix_web::dev::Service, Error = Error>,
S::Future: 'static,
B: 'static,
{
type Response = actix_web::dev::ServiceResponse;
type Error = Error;
type InitError = ();
type Transform = HttpsAndBearerOnlyMiddleware;
type Future = Ready>;
fn new_transform(&self, service: S) -> Self::Future {
ready(Ok(HttpsAndBearerOnlyMiddleware { service }))
}
}
pub struct HttpsAndBearerOnlyMiddleware {
service: S,
}
impl actix_web::dev::Service for HttpsAndBearerOnlyMiddleware
where
S: actix_web::dev::Service, Error = Error>,
S::Future: 'static,
B: 'static,
{
type Response = actix_web::dev::ServiceResponse;
type Error = Error;
type Future = std::pin::Pin>>>;
fn poll_ready(&mut self, cx: &mut std::task::Context<'_>) -> std::task::Poll> {
self.service.poll_ready(cx)
}
fn call(&mut self, req: ServiceRequest) -> Self::Future {
let conn = req.connection_info().clone();
// Enforce HTTPS
if conn.scheme() != "https" {
return Box::pin(async { Err(ErrorForbidden("require HTTPS")) });
}
// Ensure exactly one Authorization header and correct scheme
let headers = req.headers();
let auth_values: Vec<_> = headers.get_all("Authorization").iter().collect();
if auth_values.len() != 1 {
return Box::pin(async { Err(ErrorForbidden("invalid authorization header count")) });
}
let auth = auth_values[0].to_str().unwrap_or("");
if !auth.starts_with("Bearer ") || auth[7..].trim().is_empty() {
return Box::pin(async { Err(ErrorForbidden("invalid bearer token") }));
}
let fut = self.service.call(req);
Box::pin(async move {
let res = fut.await?;
Ok(res)
})
}
}
Front-end and infrastructure guidance
On the infrastructure side, ensure your load balancer or API gateway normalizes headers consistently and does not strip or duplicate the Authorization header. Configure your proxy to use a single canonical form for requests before forwarding them to Actix. Avoid configurations that allow both HTTP and HTTPS for the same route unless you enforce redirects to HTTPS. These measures reduce the risk that request boundaries are interpreted differently between layers, which is the root cause of request smuggling when Bearer Tokens are involved.