Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Simple Ways to Make Webhook Security Better

Scott McAllister
October 02, 2023
Technology
0
37

Simple Ways to Make Webhook Security Better

Webhooks are a simple and powerful way for services to notify each other that something interesting has happened. So much so that it became the most popular mechanism for communicating events. While webhooks give us power and flexibility, they rely heavily on the listener to enforce security. In this session, we will learn the most common, interesting, and challenging patterns across 100+ webhook implementations, and learn some simple ways to make webhook security better (for providers and consumers).

This talk was delivered at BASTA! Fall 2023 in Mainz, Germany.

Scott McAllister

October 02, 2023
Tweet

More Decks by Scott McAllister

See All by Scott McAllister
What the Heck is HTTP?
stmcallister
1
81
Modules, Loops and More: How to Scale with Terraform
stmcallister
0
55
Client-side OAuth with PKCE (Indy.code() 2022)
stmcallister
1
50
Building Ingress: From Concept to Connection (#JOTB23)
stmcallister
0
67
Node and OAuth on the Command Line -- Twin Cities Code Camp 2018
stmcallister
0
70

Other Decks in Technology

See All in Technology
実例で紹介するRAG導入時の知見と精度向上の勘所
yamahiro
5
1.6k
Cypress or Playwright?
rainerhahnekamp
0
170
Babylon.js JAPAN活動紹介 (2024/4)
limes2018
1
110
成長をサポートするピープルマネジメントのやり方
sioncojp
8
1.1k
Amplify 🩷 Bedrock 〜生成AI入門〜
minorun365
PRO
8
530
KubeConにproposalを送りたい人へのアドバイス
sat
PRO
3
270
BPStudyの200回を中心にIT業界を振り返る。そしてこれから
haru860
3
400
LayerXにおけるLLMプロダクト開発の今までとこれから
layerx
PRO
4
660
自己改善からチームを動かす! 「セルフエンジニアリングマネージャー」のすゝめ
shoota
6
1k
TechFeed Experts Night#27 〜 フロントエンドフレームワーク最前線 (Svelte)
baseballyama
2
590
Max out Local LLM in Challenging Environments
sashimimochi
1
110
Handling focus in 2024
tahia910
0
220

Featured

See All Featured
Happy Clients
brianwarren
92
6.4k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
8
1.3k
[RailsConf 2023] Rails as a piece of cake
palkan
28
4k
Music & Morning Musume
bryan
41
5.6k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
245
20k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
275
13k
Producing Creativity
orderedlist
PRO
338
39k
Reflections from 52 weeks, 52 projects
jeffersonlam
345
19k
GraphQLとの向き合い方2022年版
quramy
33
12k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
33
6k
VelocityConf: Rendering Performance Case Studies
addyosmani
321
23k
The Invisible Customer
myddelton
114
12k

Transcript

  1. Simple Ways To Make Webhook Security Better Scott McAllister Principal

    Developer Advocate BASTA! Fall 2023

  2. Webhooks.fyi

  3. @stmcallister Requests Get out your phone or laptop Open POSTMAN,

    Insomnia, or curl (bonus points) Tweet at @ngrokHQ if I say something useful @ngrokHQ

  4. Webhooks Webhook Provider Webhook Listener Webhook Message @stmcallister @ngrokHQ

  5. Webhooks Response Webhook Provider Webhook Listener Webhook Message @stmcallister @ngrokHQ

  6. Webhooks Response Webhook Provider Webhook Listener Webhook Message @stmcallister @ngrokHQ

  7. Why Webhooks Simple Protocol: HTTP Simple Payload: JSON…or XML Tech

    Stack Agnostic Share State Between Systems Super Easy to Spoof & Compromise Er…Super Easy to Test and Mock @stmcallister @ngrokHQ

  8. https://github.com/stmcallister/better-webhook-security/issues @stmcallister @ngrokHQ

  9. Webhooks Response Webhook Provider Webhook Listener Webhook Message SECURE??? @stmcallister

    @ngrokHQ

  10. Risks Interception Impersonation Modification/Manipulation Replay Attacks @stmcallister @ngrokHQ

  11. https://github.com/stmcallister/better-webhook-security/issues @stmcallister @ngrokHQ

  12. Use POSTMAN POST to https://hooks.ngrokpaperscissors.com @stmcallister @ngrokHQ

  13. One Time Verification @stmcallister @ngrokHQ

  14. @stmcallister @ngrokHQ https://smartsheet.redoc.ly/tag/webhooksDescription/#section/Creating-a-Webhook

  15. @stmcallister @ngrokHQ One Time Verification Complexity Pros Caveats Examples Medium

    Validates consumer controls destination Easily combined with other auth controls Additional implementation complexity Adobe Sign Microsoft OneDrive Okta Smartsheet

  16. Shared Secret @stmcallister @ngrokHQ

  17. Shared Secret Response Webhook Provider Webhook Listener Webhook Message @stmcallister

    @ngrokHQ Create Webhook Message Add Shared Secret Validate Shared Secret Process Webhook Call

  18. Shared Secret @stmcallister @ngrokHQ Complexity Pros Caveats Examples Very Low

    Authentication with Low Complexity No message integrity Requires HTTPS to keep credentials secret Datadog Docusign VMWare WorkspaceOne

  19. Hash-based Message Authentication (HMAC) @stmcallister @ngrokHQ

  20. HMAC Response Webhook Provider Webhook Listener Webhook Message @stmcallister @ngrokHQ

    Create Webhook Message Generate signature hash of message body with shared secret Validate Signature Hash Process Webhook Call Generate signature hash of message body with shared secret

  21. HMAC @stmcallister @ngrokHQ Complexity Pros Caveats Examples Low Auth and

    Message Integrity with Low Complexity Secret keys not in webhook notification No confidentiality controls Complex signature payloads GitHub Shopify Slack Square Twilio

  22. Asymmetric Keys @stmcallister @ngrokHQ

  23. Response Webhook Provider Webhook Listener Webhook Message @stmcallister @ngrokHQ Create

    Webhook Message Generate signature hash of message body with PRIVATE KEY Validate Signature Hash Process Webhook Call Generate signature hash of message body with PUBLIC KEY Asymmetric Keys

  24. @stmcallister @ngrokHQ Complexity Pros Caveats Examples High Extends HMAC with

    Non-Repudiation Added deployment complexity (compared to HMAC) Added complexity issuing, renewing, rotating keys Performance concerns SendGrid PayPal Keygen Asymmetric Keys

  25. Mutual TLS Authentication (mTLS) @stmcallister @ngrokHQ

  26. Mutual TLS Response Webhook Provider Webhook Listener Webhook Message @stmcallister

    @ngrokHQ Create Webhook Message Generate signature hash of message body with shared secret Validate Signature Hash Process Webhook Call Generate signature hash of message body with shared secret Initiate mTLS handshake

  27. @stmcallister @ngrokHQ Complexity Pros Caveats Examples Very High Message Confidentiality

    Non-Repudiation Highly Complex Added complexity issuing, renewing, rotating keys Adobe Sign DocuSign PagerDuty Mutual TLS

  28. Dataless Notifications @stmcallister @ngrokHQ

  29. Dataless Notifications @stmcallister @ngrokHQ

  30. @stmcallister @ngrokHQ Complexity Pros Caveats Examples High Notifications without data

    Reduces security requirements Reduce request traffic Consumer make multiple requests Consumer needs API keys Provider API Performance Microsoft OneNote Smartsheet Dataless Notifications

  31. Replay Prevention @stmcallister @ngrokHQ

  32. Replay Prevention @stmcallister @ngrokHQ Concatenates timestamp to payload Signs concatenated

    value Sends encoded signature & timestamp

  33. @stmcallister @ngrokHQ Complexity Pros Caveats Examples Medium Mitigates replay with

    added signed timestamp Provider and Consumer need clocks relatively synced Time format alignment Calendly Slack PayPal Replay Prevention

  34. // TODO for Providers @stmcallister @ngrokHQ

  35. © ngrok. All rights reserved. Confidential Information of ngrok ©

    ngrok. All rights reserved. Confidential Information of ngrok https @ngrokHQ @stmcallister

  36. Document ALL THE THINGS @stmcallister @ngrokHQ

  37. Document ALL THE THINGS @stmcallister @ngrokHQ Show Payloads Demonstrate Verification

    Show End-to-End Process

  38. © ngrok. All rights reserved. Confidential Information of ngrok Secure

    Your Payload None / Not Found Shared Secret HMAC RSA / ECDSA JWT / JWK / OAuth mTLS 0 15 30 45 60 16% 8% 65% 5% 3% 3% @ngrokHQ @stmcallister

  39. // TODO for Consumers @stmcallister @ngrokHQ

  40. © ngrok. All rights reserved. Confidential Information of ngrok ©

    ngrok. All rights reserved. Confidential Information of ngrok https @ngrokHQ @stmcallister

  41. What We’re Actually Doing Response Webhook Provider Webhook Listener Webhook

    Message @stmcallister @ngrokHQ

  42. What We Should Be Doing Response Webhook Provider Webhook Listener

    Webhook Message @stmcallister @ngrokHQ Create Webhook Message Add Shared Secret Validate Shared Secret Process Webhook Call

  43. https://github.com/stmcallister/better-webhook-security/issues @stmcallister @ngrokHQ

  44. Use POSTMAN POST to https://hooks.ngrokpaperscissors.com @stmcallister @ngrokHQ

  45. Webhooks.fyi

  46. Scott McAllister Speaker, Writer, Coder @stmcallister stmcallister.github.io @stmcallister.bsky.social techhub.social/@stmcallister

  47. Thank you

  48. None