GuardAPI

Fix Insecure Webhooks in Quarkus

Webhooks are effectively unauthenticated entry points unless you validate their source. In Quarkus, failing to verify the HMAC signature lets an attacker spoof payloads, trigger unauthorized actions, or change internal state. If you aren't verifying the signature, you're running an open proxy for your own business logic.

The Vulnerable Pattern

import io.vertx.core.json.JsonObject;
import jakarta.ws.rs.Consumes;
import jakarta.ws.rs.POST;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.Response;

@Path("/webhooks")
@Produces(MediaType.APPLICATION_JSON)
@Consumes(MediaType.APPLICATION_JSON)
public class InsecureWebhookResource {

    @POST
    @Path("/stripe")
    public Response handleStripeEvent(String jsonPayload) {
        // CRITICAL VULNERABILITY: No signature verification.
        // Anyone can POST a fake 'payment_succeeded' event.
        JsonObject event = new JsonObject(jsonPayload);
        processOrder(event.getString("id"));
        return Response.ok().build();
    }

    // Business logic stub; the real handler lives elsewhere in the application.
    private void processOrder(String orderId) {
    }
}

The Secure Implementation

The secure implementation enforces HMAC-SHA256 verification. It reads the signature from the X-Hub-Signature-256 header and recomputes the HMAC over the request body using a shared secret stored in the application configuration. The HMAC must be computed over the body bytes exactly as they were received; parsing and re-serialising the JSON first changes the bytes and breaks verification. Crucially, the comparison uses MessageDigest.isEqual(), a constant-time check that mitigates timing side channels which could otherwise be used to leak the valid signature byte by byte.

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import io.vertx.core.json.JsonObject;
import jakarta.ws.rs.HeaderParam;
import jakarta.ws.rs.POST;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.core.Response;
import org.apache.commons.codec.binary.Hex;   // Apache Commons Codec
import org.eclipse.microprofile.config.inject.ConfigProperty;

@Path("/webhooks")
public class SecureWebhookResource {

    // Shared secret read from application.properties (webhook.secret); never hard-code it.
    @ConfigProperty(name = "webhook.secret")
    String webhookSecret;

    @POST
    @Path("/stripe")
    public Response handleStripeEvent(@HeaderParam("X-Hub-Signature-256") String signature,
                                      String payload) throws Exception {
        // Reject before touching the payload: missing or wrong signature => 401.
        if (signature == null || !isValidSignature(payload, signature)) {
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }
        processOrder(new JsonObject(payload).getString("id"));
        return Response.ok().build();
    }

    private boolean isValidSignature(String payload, String signature) throws Exception {
        Mac sha256Hmac = Mac.getInstance("HmacSHA256");
        SecretKeySpec secretKey = new SecretKeySpec(webhookSecret.getBytes(StandardCharsets.UTF_8), "HmacSHA256");
        sha256Hmac.init(secretKey);
        // HMAC over the body exactly as received; re-serialising the JSON would change the bytes.
        byte[] hash = sha256Hmac.doFinal(payload.getBytes(StandardCharsets.UTF_8));
        String expectedSignature = Hex.encodeHexString(hash); // lowercase hex
        // Note: senders that prefix the hex with "sha256=" (GitHub style) need the prefix stripped first.
        // Use MessageDigest.isEqual to prevent timing attacks
        return MessageDigest.isEqual(expectedSignature.getBytes(StandardCharsets.UTF_8),
                                     signature.getBytes(StandardCharsets.UTF_8));
    }

    // Business logic stub; the real handler lives elsewhere in the application.
    private void processOrder(String orderId) {
    }
}
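The verification step above, as an added framework-free example that is not GuardAPI's code: it handles the optional "sha256=" prefix and malformed hex, compares raw digest bytes with MessageDigest.isEqual, and shows that re-serialising the body breaks the match. Secret and payload are constructed for the demo; java.util.HexFormat needs Java 17 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HexFormat;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added example, not the page's own code: stand-alone HMAC-SHA256 webhook verifier.
public final class WebhookSignatureVerifier {
    private static final String PREFIX = "sha256=";

    // Compute HMAC-SHA256 over the raw body bytes exactly as received.
    static byte[] hmacSha256(byte[] secret, byte[] rawBody) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret, "HmacSHA256"));
        return mac.doFinal(rawBody);
    }

    // True only if the header carries well-formed hex whose bytes equal the HMAC of rawBody.
    static boolean verify(byte[] secret, byte[] rawBody, String header) throws Exception {
        if (header == null) return false;
        String hex = header.startsWith(PREFIX) ? header.substring(PREFIX.length()) : header;
        byte[] received;
        try {
            received = HexFormat.of().parseHex(hex); // accepts upper or lower case
        } catch (IllegalArgumentException e) {
            return false; // odd length or non-hex characters: reject, do not surface a 500
        }
        // Compare raw digest bytes; constant-time for equal-length inputs.
        return MessageDigest.isEqual(hmacSha256(secret, rawBody), received);
    }

    public static void main(String[] args) throws Exception {
        byte[] secret = "constructed-demo-secret".getBytes(StandardCharsets.UTF_8);
        byte[] body = "{\"id\":\"evt_123\",\"type\":\"payment_succeeded\"}".getBytes(StandardCharsets.UTF_8);
        String good = PREFIX + HexFormat.of().formatHex(hmacSha256(secret, body));
        // Only the untouched body with its matching header should verify.
        System.out.println("valid header:       " + verify(secret, body, good));
        byte[] tampered = "{\"id\":\"evt_999\",\"type\":\"payment_succeeded\"}".getBytes(StandardCharsets.UTF_8);
        System.out.println("tampered body:      " + verify(secret, tampered, good));
        System.out.println("garbage header:     " + verify(secret, body, "sha256=zz"));
        // One extra space from re-serialising the JSON changes the bytes, so the HMAC no longer matches.
        byte[] reserialised = "{\"id\": \"evt_123\",\"type\":\"payment_succeeded\"}".getBytes(StandardCharsets.UTF_8);
        System.out.println("re-serialised body: " + verify(secret, reserialised, good));
    }
}
```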


Verified by Ghost Labs Security Team