Insecure Webhook
| ID | Severity | Family | Tags |
| --- | --- | --- | --- |
| webhooks | high | SCM | cicd-security, infrastructure, non-reachable, security |
Description
Do repository webhooks protect the integrity and confidentiality of the events transmitted, and authenticate the origin of requests?
Webhooks allow you to build or set up integrations that subscribe to certain events in the project repository. When one of those events is triggered, the webhook’s configured URL will receive an HTTP request with information about the event.
This check determines whether the webhook is secure or not, by taking into account:
- If a secret token has been configured to authenticate the origins of requests.
- If the webhook is invoked by using a secure HTTP protocol.
- If the TLS certificate is validated.
Security
If the origin is not authenticated, the HTTP payload that your integration receives could be a forged one generated by a bad actor.
A common way to perform such authentication is to share a secret token that is registered with the webhook. When the SCM invokes the webhook URL, it sends a header with a message authentication code (MAC) computed over the HTTP payload with the secret token. Your integration should compute the same MAC and compare it with the received header. This is documented here for GitHub.
The behaviour of this detector varies depending on the SCM or CI/CD system that declares the webhook (- means not supported, x means supported):
- For GitHub, it looks for webhooks configured in the project repository. Any webhook without a secret token will make the check FAIL. The same applies to webhooks that do not use a secure HTTP protocol.
- For CircleCI, the secret token, the
- For Bitbucket and Azure, only the secure HTTP protocol is checked.
- For GitLab, the verification of the TLS certificate is checked too.
| System | Secret token | Secure HTTP protocol | TLS certificate verification |
| --- | --- | --- | --- |
| GitHub | x | x | x |
| Bitbucket | - | x | - |
| Azure | - | x | - |
| GitLab | - | x | - |
| CircleCI | x | x | x |
Mitigation / Fix
- Check whether your service supports token authentication.
- If there is support for token authentication, set the secret in the webhook configuration. For GitHub, see webhook secret.
- If there is no support for token authentication, consider implementing it by following these directions.
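The following is an added example, not code from the original page or from the detector's own implementation, showing what the receiving side of the shared-secret scheme described in the Security section looks like when you implement it yourself as the last mitigation step suggests. It follows GitHub's published convention of sending an HMAC-SHA256 over the raw request body in the X-Hub-Signature-256 header as "sha256=<hex>"; the secret, the sample payload, the example URLs and the handle_webhook / webhook_url_is_secure helpers are constructed for illustration and are assumptions, not anything the page specifies.

```python
"""Verify the origin of a webhook delivery with a shared-secret MAC.

Added example (not the page's or the detector's own code). The header name and
the "sha256=<hex>" encoding follow GitHub's documented webhook signing; the
secret, payload, URLs and handler below are constructed for illustration.
"""
import hashlib
import hmac
from typing import Mapping, Optional, Tuple
from urllib.parse import urlparse

SIGNATURE_HEADER = "X-Hub-Signature-256"


def compute_signature(secret: str, payload: bytes) -> str:
    """MAC over the raw request body, formatted the way GitHub sends it."""
    digest = hmac.new(secret.encode("utf-8"), payload, hashlib.sha256).hexdigest()
    return "sha256=" + digest


def verify_signature(secret: str, payload: bytes, received: Optional[str]) -> bool:
    """True only if the received header equals the MAC we compute ourselves.

    hmac.compare_digest runs in constant time, so a forged header cannot be
    guessed byte by byte from response timing. A missing header is a failure,
    never a pass-through.
    """
    if not received:
        return False
    expected = compute_signature(secret, payload)
    return hmac.compare_digest(expected.encode("utf-8"), received.encode("utf-8"))


def webhook_url_is_secure(url: str) -> bool:
    """The detector's second criterion: the webhook must be invoked over HTTPS."""
    return urlparse(url).scheme.lower() == "https"


def handle_webhook(secret: str, headers: Mapping[str, str], body: bytes) -> Tuple[int, str]:
    """Minimal receiver: authenticate first, only then look at the payload.

    Header names are matched case-insensitively because HTTP header names are.
    The body must be the raw bytes as received: re-serialising parsed JSON
    changes whitespace and key order, and the MAC will no longer match.
    """
    header_value = next(
        (v for k, v in headers.items() if k.lower() == SIGNATURE_HEADER.lower()), None
    )
    if not verify_signature(secret, body, header_value):
        return 401, "invalid or missing webhook signature"
    # From here on the payload is authenticated; a real integration would parse and act on it.
    return 200, "event accepted"


# Constructed sample delivery (not real SCM traffic); the secret would normally
# come from the webhook configuration, never from source code.
EXAMPLE_SECRET = "constructed-example-secret"
EXAMPLE_BODY = b'{"action":"opened","number":42}'


def demo() -> dict:
    """Exercise the verifier against genuine, tampered, mis-keyed and unsigned deliveries."""
    good_headers = {SIGNATURE_HEADER: compute_signature(EXAMPLE_SECRET, EXAMPLE_BODY)}
    tampered_body = b'{"action":"opened","number":43}'
    return {
        "genuine": handle_webhook(EXAMPLE_SECRET, good_headers, EXAMPLE_BODY)[0],
        "tampered_body": handle_webhook(EXAMPLE_SECRET, good_headers, tampered_body)[0],
        "wrong_secret": handle_webhook("wrong-secret", good_headers, EXAMPLE_BODY)[0],
        "unsigned": handle_webhook(EXAMPLE_SECRET, {}, EXAMPLE_BODY)[0],
        "https_url": webhook_url_is_secure("https://ci.example.test/hooks/scm"),
        "http_url": webhook_url_is_secure("http://ci.example.test/hooks/scm"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two design points matter in practice: the comparison must be constant-time (hence hmac.compare_digest rather than ==), and an absent header must be rejected rather than treated as "no check configured", otherwise a sender that simply omits the header bypasses authentication entirely.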