Stripe Webhook Secret

ID

stripe_webhook

Severity

high

Vendor

Stripe

Family

API Token

Description

Stripe is a payment services provider for e-commerce websites and mobile applications.

The Stripe service can be integrated with webhooks to communicate with external applications. Events sent by Stripe via a webhook are signed so the receiver can verify they came from Stripe, and the signed data includes a timestamp to avoid a replay attack.

Security

The leakage of the secret is critical since, by default, the secret keys can be used to perform any API request without restriction.

In addition to signing webhook events, Stripe sends events only from a fixed list of IP addresses. Checking the source address of webhook requests can help detect suspicious activity.

Examples

The following example shows a hardcoded Stripe webhook secret in a Python script:

WEBHOOK_ACCOUNT_SECRET_KEY = "whsec_prOoJDWmQe5uwFuIcnHNlL1LVrmOv8Dx"
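A minimal detector for the pattern shown above, added as an example for this page (it is not the vendor's detection engine). The regular expression assumes a webhook secret is the `whsec_` prefix followed by a run of at least 24 letters and digits, as in the sample; the source lines it scans are constructed, and findings are masked before reporting so the scanner's own output does not leak the secret.

```python
"""Scan source lines for hardcoded Stripe webhook secrets.

Added example, not the page vendor's detector. The pattern is an ASSUMPTION:
"whsec_" followed by 24+ alphanumerics. SAMPLE_LINES are CONSTRUCTED.
"""
import re
from typing import Iterable, List, Tuple

WHSEC_PATTERN = re.compile(r"\bwhsec_[A-Za-z0-9]{24,}\b")

# CONSTRUCTED sample file contents; the first value is the page's own example.
SAMPLE_LINES = [
    'WEBHOOK_ACCOUNT_SECRET_KEY = "whsec_prOoJDWmQe5uwFuIcnHNlL1LVrmOv8Dx"',
    'endpoint_secret = os.environ["STRIPE_WEBHOOK_SECRET"]',
    '# old key: whsec_AbCdEfGhIjKlMnOpQrStUvWxYz012345',
    'print("whsec_ prefix but too short: whsec_abc")',
]


def mask(secret: str) -> str:
    """Keep enough of the value to locate it without reproducing it in full."""
    return secret[:10] + "..." + secret[-4:]


def scan_lines(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line number, masked secret) for every match in the input."""
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(lines, start=1):
        for match in WHSEC_PATTERN.finditer(line):
            findings.append((lineno, mask(match.group(0))))
    return findings


if __name__ == "__main__":
    for lineno, masked in scan_lines(SAMPLE_LINES):
        print(f"line {lineno}: possible Stripe webhook secret {masked}")
```

Line 2 of the sample, which reads the secret from the environment, produces no finding, and the short `whsec_abc` string on line 4 is skipped by the length requirement; a production detector would add an entropy check and an allowlist for known test fixtures to reduce false positives further.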

Mitigation / Fix

  1. Remove the secret from the source code or committed configuration file. Avoid hardcoded secrets; instead, place the keys in a secrets vault.

  2. Follow your policy for handling leaked secrets, which typically requires revoking the secret in the target system(s). Go to the Stripe Webhooks Dashboard and revoke the webhook there.

  3. If the code is in a git repository, you may remove unwanted files from the repository history using tools like git filter-repo or BFG Repo-Cleaner. You may follow the procedure listed here for GitHub.

Consider any sensitive data in commits that contained secrets as compromised.

Remember that removing secrets from the history of your own projects does not remove them from other users' clones or forks.