
Simple Ways to Make Webhook Security Better

Webhooks are a simple and powerful way for services to notify each other that something interesting has happened. So much so that they have become the most popular mechanism for communicating events. While webhooks give us power and flexibility, they rely heavily on the listener to enforce security. In this session, we will look at the most common, interesting, and challenging patterns across 100+ webhook implementations, and learn some simple ways to make webhook security better (for providers and consumers).

This talk was delivered at BASTA! Fall 2023 in Mainz, Germany.

Scott McAllister

October 02, 2023

Transcript

  1. Requests
     Get out your phone or laptop. Open Postman, Insomnia, or curl (bonus points). Tweet at @ngrokHQ if I say something useful.
  2. Why Webhooks
     - Simple Protocol: HTTP
     - Simple Payload: JSON…or XML
     - Tech Stack Agnostic
     - Share State Between Systems
     - Super Easy to Spoof & Compromise… Er… Super Easy to Test and Mock
  3. One Time Verification
     - Complexity: Medium
     - Pros: Validates that the consumer controls the destination; Easily combined with other auth controls
     - Caveats: Additional implementation complexity
     - Examples: Adobe Sign, Microsoft OneDrive, Okta, Smartsheet
  4. Shared Secret (message flow)
     - Webhook Provider: Create Webhook Message → Add Shared Secret → send Webhook Message
     - Webhook Listener: Validate Shared Secret → Process Webhook Call → Response
  5. Shared Secret
     - Complexity: Very Low
     - Pros: Authentication with low complexity
     - Caveats: No message integrity; Requires HTTPS to keep credentials secret
     - Examples: Datadog, DocuSign, VMware Workspace ONE
  6. HMAC (message flow)
     - Webhook Provider: Create Webhook Message → Generate signature hash of message body with shared secret → send Webhook Message
     - Webhook Listener: Generate signature hash of message body with shared secret → Validate Signature Hash → Process Webhook Call → Response
  7. HMAC
     - Complexity: Low
     - Pros: Auth and message integrity with low complexity; Secret keys not in the webhook notification
     - Caveats: No confidentiality controls; Complex signature payloads
     - Examples: GitHub, Shopify, Slack, Square, Twilio
  8. Asymmetric Keys (message flow)
     - Webhook Provider: Create Webhook Message → Generate signature hash of message body with PRIVATE KEY → send Webhook Message
     - Webhook Listener: Generate signature hash of message body with PUBLIC KEY → Validate Signature Hash → Process Webhook Call → Response
  9. Asymmetric Keys
     - Complexity: High
     - Pros: Extends HMAC with non-repudiation
     - Caveats: Added deployment complexity (compared to HMAC); Added complexity issuing, renewing, and rotating keys; Performance concerns
     - Examples: SendGrid, PayPal, Keygen
  10. Mutual TLS (message flow)
     - Webhook Provider: Create Webhook Message → Generate signature hash of message body with shared secret → Initiate mTLS handshake → send Webhook Message
     - Webhook Listener: Generate signature hash of message body with shared secret → Validate Signature Hash → Process Webhook Call → Response
  11. Mutual TLS
     - Complexity: Very High
     - Pros: Message confidentiality; Non-repudiation
     - Caveats: Highly complex; Added complexity issuing, renewing, and rotating keys
     - Examples: Adobe Sign, DocuSign, PagerDuty
  12. Dataless Notifications
     - Complexity: High
     - Pros: Notifications without data; Reduces security requirements; Reduces request traffic
     - Caveats: Consumer makes multiple requests; Consumer needs API keys; Provider API performance
     - Examples: Microsoft OneNote, Smartsheet
  13. Replay Prevention
     - Complexity: Medium
     - Pros: Mitigates replay with an added signed timestamp
     - Caveats: Provider and consumer need clocks that are relatively synced; Time format alignment
     - Examples: Calendly, Slack, PayPal
  14. © ngrok. All rights reserved. Confidential Information of ngrok.
  15. Secure Your Payload (share of surveyed implementations by payload protection method)
     - None / Not Found: 16%
     - Shared Secret: 8%
     - HMAC: 65%
     - RSA / ECDSA: 5%
     - JWT / JWK / OAuth: 3%
     - mTLS: 3%
  17. What We Should Be Doing (message flow)
     - Webhook Provider: Create Webhook Message → Add Shared Secret → send Webhook Message
     - Webhook Listener: Validate Shared Secret → Process Webhook Call → Response
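
An added example (my own code, not from the talk or from ngrok) that combines the HMAC pattern of slides 6 and 7 with the signed-timestamp replay prevention of slide 13. The `t=<unix seconds>,v1=<hex digest>` header layout, the `"<timestamp>.<body>"` signed payload and the 300-second tolerance window are assumptions for this example, not any particular provider's format.

```python
from __future__ import annotations

import hashlib
import hmac
import time

# Assumed tolerance window for the signed timestamp (constructed value).
TOLERANCE_SECONDS = 300


def sign_webhook(secret: bytes, body: bytes, timestamp: int) -> str:
    """Provider side: HMAC-SHA256 over "<timestamp>.<body>" with the shared secret.
    Covering the timestamp with the HMAC is what makes it a *signed* timestamp."""
    signed_payload = str(timestamp).encode() + b"." + body
    digest = hmac.new(secret, signed_payload, hashlib.sha256).hexdigest()
    # Assumed header layout for this example: t=<unix seconds>,v1=<hex digest>
    return f"t={timestamp},v1={digest}"


def _parse_signature_header(header: str) -> tuple[int, str]:
    """Split "t=...,v1=..." into (timestamp, hex digest); raises on malformed input."""
    parts = dict(item.split("=", 1) for item in header.split(","))
    return int(parts["t"]), parts["v1"]


def verify_webhook(secret: bytes, body: bytes, header: str, now: int | None = None) -> bool:
    """Listener side: recompute the HMAC over the raw request body and the timestamp
    taken from the header, reject stale timestamps, and compare in constant time."""
    now = int(time.time()) if now is None else now
    try:
        timestamp, received = _parse_signature_header(header)
    except (KeyError, ValueError):
        return False
    # Replay prevention: a recorded message stops validating once the window has
    # passed, and the timestamp cannot be freshened without knowing the secret.
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False
    # Hash the raw bytes as received; re-serialising parsed JSON would change them.
    signed_payload = str(timestamp).encode() + b"." + body
    expected = hmac.new(secret, signed_payload, hashlib.sha256).hexdigest()
    # Constant-time comparison so the digest does not leak through timing.
    return hmac.compare_digest(expected, received)
```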