Quarkus WebAuthn Module Authentication Bypass Vulnerability
Vulnerability
An authentication bypass has been identified in the Quarkus WebAuthn module in versions prior to 2.16.0. The module registers default REST endpoints for WebAuthn registration, login and the completing callback, and these endpoints stay active even when a developer implements custom registration and login endpoints backed by the application's own user store. Because the default endpoints do not pass through that custom logic, an attacker can complete a WebAuthn registration or login flow against them and receive a login cookie for a user name the application never validated. Such a cookie may name no user at all in the application; where the application resolves identity by user name alone, it can name an existing user, so knowing a victim's user name is enough to obtain a session as that user.
Impact
Exploitation allows an attacker to obtain a valid login cookie and therefore to authenticate as an existing user, or as a user that does not exist in the application, depending on how the application maps the identity carried in the cookie to its own user records.
Reproduction
To reproduce, build a Quarkus application on a version prior to 2.16.0 with the WebAuthn module included, implement custom registration and login endpoints, and leave the module's default login and registration endpoints active (the state a vulnerable application is in unless the developer has explicitly blocked them). Then send a POST request carrying a WebAuthn registration or login payload to the module's default callback endpoint. The application responds with a login cookie for the user name in the payload, which can then be presented to authenticate as that user.
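The following is an added example, not code from the original advisory or from the Quarkus project, that a practitioner can drop into a Quarkus 2.x application to check whether the module's default routes are still reachable. It assumes the default route paths `/q/webauthn/login`, `/q/webauthn/register` and `/q/webauthn/callback` (taken from the Quarkus WebAuthn extension's defaults; the advisory refers to them only as the default login, registration and callback endpoints) and uses a hypothetical package and class name. The request body is a constructed placeholder: the check is about whether the route exists at all, not about payload validity, since a live default endpoint rejects a malformed payload with some error status but never with 404.

```java
// Added example (not from the original advisory): a Quarkus integration test that
// fails if any of the WebAuthn module's default routes is still reachable.
// Paths are assumed from the Quarkus WebAuthn extension's defaults.
package example; // hypothetical package

import static io.restassured.RestAssured.given;

import io.quarkus.test.junit.QuarkusTest;
import org.junit.jupiter.api.Test;

@QuarkusTest
public class WebAuthnDefaultEndpointsExposureTest {

    private static final String[] DEFAULT_WEBAUTHN_ROUTES = {
            "/q/webauthn/login",
            "/q/webauthn/register",
            "/q/webauthn/callback"
    };

    @Test
    public void defaultWebAuthnRoutesAreNotReachable() {
        // Constructed placeholder body. A live default endpoint answers it with
        // some error status (or, for a well-formed payload, with a login cookie);
        // only a route that is genuinely absent or blocked answers 404.
        String constructedBody = "{}";

        for (String path : DEFAULT_WEBAUTHN_ROUTES) {
            given()
                .contentType("application/json")
                .body(constructedBody)
            .when()
                .post(path)
            .then()
                .statusCode(404);
        }
    }
}
```

Run it with the usual `mvn test` or `./gradlew test`; on an application that still exposes the default endpoints the first route in the list fails the assertion with whatever status the module returns for the placeholder body, which is the exposure the advisory describes.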
Remediation
Developers can mitigate this vulnerability by disabling the default WebAuthn endpoints after creating custom ones. This can be done by intercepting the default callback route and responding with a 404 error.
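The following is an added example of that workaround, not the Quarkus project's own code: a CDI bean that observes the Vert.x `Router` Quarkus exposes and registers a handler ahead of the WebAuthn module's default routes so that they answer 404. It assumes the default route paths `/q/webauthn/login`, `/q/webauthn/register` and `/q/webauthn/callback` (from the Quarkus WebAuthn extension's defaults, not stated on this page), uses `javax.*` CDI packages as Quarkus 2.x does, and the package and class names are hypothetical. Custom endpoints live on other paths and are not affected.

```java
// Added example (not the Quarkus project's own code): application-side workaround
// for Quarkus 2.x prior to 2.16.0 that answers the module's default WebAuthn
// routes with 404. Paths are assumed from the extension's defaults.
package example; // hypothetical package

import io.vertx.ext.web.Router;
import io.vertx.ext.web.RoutingContext;

import javax.enterprise.context.ApplicationScoped;
import javax.enterprise.event.Observes;

@ApplicationScoped
public class WebAuthnDefaultEndpointBlocker {

    // The callback route is the one the reproduction above targets; the login and
    // registration routes are blocked too so that no step of the default flow can
    // even be started.
    private static final String[] DEFAULT_WEBAUTHN_ROUTES = {
            "/q/webauthn/login",
            "/q/webauthn/register",
            "/q/webauthn/callback"
    };

    // Quarkus fires the Router as a CDI event at startup; registering routes here
    // places them on the same router the WebAuthn module uses.
    void blockDefaultRoutes(@Observes Router router) {
        for (String path : DEFAULT_WEBAUTHN_ROUTES) {
            router.route(path)
                  // Lowest possible order so this handler is evaluated before the
                  // module's own route for the same path, whichever was added first.
                  .order(Integer.MIN_VALUE)
                  .handler(WebAuthnDefaultEndpointBlocker::notFound);
        }
    }

    private static void notFound(RoutingContext ctx) {
        // Deliberately no ctx.next(): the request must never reach the module's
        // handler, otherwise the login cookie would still be issued.
        ctx.response().setStatusCode(404).end();
    }
}
```

After deploying, verify with a request such as `curl -i -X POST http://localhost:8080/q/webauthn/callback -H 'Content-Type: application/json' -d '{}'` that the response is 404 and carries no `Set-Cookie` header. Keep the bean in place until the application is on 2.16.0 or later; it is harmless after the upgrade.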
