Webhooks are an important part of modern web services and event-driven applications. They are defined as “user-defined HTTP callbacks”, and are triggered by some events, such as pushing code to a repo or adding a new customer entry in a CRM tool. Webhooks are ubiquitous and gaining in popularity owing to their asynchronous nature and the integration possibilities that they engender.
Webhooks are seen as “harmless”, owing to their “one-way” orientation. They are perceived as such, because they typically post some event information to a URL and they are done once they receive an HTTP response.
In this talk, I will demonstrate a series of attacks that we dub “Webhook Boomerang flaws”. These flaws allow attackers to leverage webhooks to create a boomerang effect that ends up attacking the originating web service itself. The techniques showcased in this talk will highlight a unique set of attack vectors that piggyback on nothing more than the standard HTTP and DNS protocols, which allow us to to perform Server-side Request Forgery style attacks that can lead to cloud-metadata compromise even with security protections like Metadata Headers. In our research, we’ve discovered this across multiple cloud providers and found that these attacks can be used in more conventional SSRF compromises of internal web-services.