Webhook URL is not allowed

ID

unapproved_webhook

Severity

low

Family

CI/CD Security

Tags

asvs50-v12.1.1, asvs50-v16.2.1, cicd-security, infrastructure, reachable, security, spvs10-v1.4.5, spvs10-v5.4.1

Description

A malicious actor may attempt to gain persistent access to the code by registering a webhook.

This detector inventories the webhooks invoked from SCM and CI/CD systems and checks them against an allow list provided by the customer.

Security

After successfully compromising a user's account, a malicious actor may attempt to gain persistent access to the code by registering a webhook.

Mitigation / Fix

Review the webhooks invoked from your organization projects and remove those that are not allowed in your internal security policy.

Configuration

The detector has a property allowedWebhooks in which the user has to configure the allowed webhooks for their organization.

By default, this detector is disabled: because the list is empty, it would otherwise report a flaw for every webhook found.
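As an added illustration (not the detector's own code), the check described above in Python: an inventory of webhooks is compared against an allowedWebhooks list, and an empty list disables the check rather than flagging everything. The sample URLs and the matching rule (exact normalized URL, or a bare host name) are assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample inventory of webhooks found in SCM / CI/CD projects (not real endpoints).
INVENTORIED_WEBHOOKS = [
    {"project": "billing-api", "url": "https://ci.example.com/hooks/build"},
    {"project": "billing-api", "url": "HTTPS://CI.EXAMPLE.COM/hooks/build/"},
    {"project": "web-frontend", "url": "https://hooks.example-chat.com/services/T0/B0/x"},
    {"project": "web-frontend", "url": "http://203.0.113.7:8080/collect"},
]


def normalize(url):
    """Lower-case scheme and host and drop a trailing slash so equivalent spellings compare equal."""
    parts = urlsplit(url.strip())
    path = parts.path.rstrip("/") or "/"
    query = f"?{parts.query}" if parts.query else ""
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}{path}{query}"


def is_allowed(url, allowed_webhooks):
    """Assumed allowlist semantics: an entry with a scheme must match the whole normalized URL,
    an entry without one is a host name that must match the webhook's host."""
    normalized = normalize(url)
    host = urlsplit(normalized).hostname
    for entry in allowed_webhooks:
        if "://" in entry:
            if normalize(entry) == normalized:
                return True
        elif entry.strip().lower() == host:
            return True
    return False


def find_unapproved_webhooks(webhooks, allowed_webhooks):
    """Return (project, url) pairs not covered by the allowlist.
    With an empty allowlist the detector is disabled (returns nothing), since every webhook would otherwise be flagged."""
    if not allowed_webhooks:
        return []
    return [(w["project"], w["url"]) for w in webhooks if not is_allowed(w["url"], allowed_webhooks)]


if __name__ == "__main__":
    allowed = ["https://ci.example.com/hooks/build", "hooks.example-chat.com"]
    for project, url in find_unapproved_webhooks(INVENTORIED_WEBHOOKS, allowed):
        print(f"unapproved_webhook: project={project} url={url}")
```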