Protecting Webhooks Against OWASP’s Top Ten API Risks Posted in Security Kristopher Sandoval November 15, 2023 A webhook is a lightweight event-driven solution that connects APIs to other APIs, applications, or services. This server-to-server method allows for the modification of resources and services based on a specific event, which triggers an action in a push-based approach. This allows for incredible flexibility and power between services, which has made webhooks a much-beloved approach for inter-API communication and processing. Unfortunately, it is this power and flexibility that makes webhooks particularly vulnerable to security issues. Below, we’re going to look at some of these webhook vulnerabilities within the context of the OWASP API Security Top 10 2023 list. We’ll first review each vulnerability category and then identify how these weaknesses arise in webhooks technologies and how to resolve them. API01: Broken Object Level Authorization (BOLA) Broken object-level authorization (BOLA), formerly known as insecure direct object reference (IDOR), is a significant risk in APIs. This vulnerability arises when an API exposes objects without proper authorization checks. An attacker can take advantage of this to access unauthorized data by manipulating input parameters, such as object IDs. Webhooks Threat Webhooks are susceptible to BOLA issues just like any other web technology. Improperly designed or configured authorization can expose data and functions, with additional tack-on effects allowing for the escalation of attack vectors and compounding threats. Sometimes, this threat can come from non-obvious vectors. For instance, simply authenticating the source of a webhook but not applying specific authorization for objects could lead to an exploit where a legitimate service that is used by a bad-faith actor could be used to escalate damaging attacks. To mitigate the risk of BOLA in webhooks, proper authorization checks should be implemented alongside authentication. Object-level security must be employed to ensure that webhooks are validated upon specific objects. When combined with rate limiting, monitoring, and logging, many BOLA attempts could be mitigated before they become significant. API02: Broken Authentication This vulnerability pertains to flaws in authentication mechanisms, which could be abused or bypassed, allowing for a range of attacks. These attacks can be direct (as in data exfiltration) or indirect (as in denial of service attacks through bypassing authentication-based rate limiting). Webhooks Threat Authentication failure is a disaster scenario for most services, and this is no less true with webhooks. Broken authentication could lead to data exposure, unintended function triggers, and even server actions such as deletion or modification. This kind of attack could be combined with other vectors to result in denial-of-service attacks, logic damage, and more. Robust authentication mechanisms are the only solution to this kind of issue. Proper authentication also means proper exposure and trust systems as well as buttressed systems supporting rate limiting, logging, and identity and access management. At the end of the day, the best defense is a good offense, so authentication should be planned proactively against the worst-case scenario. API03: Broken Object Property Level Authorization (BOPLA) BOPLA highlights the risk of users accessing specific fields of an API object they aren’t authorized to view. This vulnerability combines issues like excess data exposure and mass assignment. This inadequate validation of user authorization at the property level potentially leads to unwanted data exposure or manipulation. Webhooks Threat This issue can arise with improper configuration at the property level. For example, a webhook might be triggered to update or return specific fields of an object in a database. If the webhook endpoint doesn’t correctly validate that the calling service is authorized to read or write those specific fields, it could result in unauthorized data exposure or manipulation. To mitigate this problem, developers should implement stringent authorization checks for each field that a webhook can access. This means not only verifying that the calling service is authorized to access the object but also that each specific property of that object is within that access scope. Audit logs should also be maintained to record which services accessed what data to ensure long-term tracking and validity of extant data. Also read: APIs vs. Webhooks: How Are They Different? API04: Unrestricted Resource Consumption APIs that don’t properly limit or monitor their resource consumption are vulnerable to this type of attack. Overconsumption of resources can lead to denial of service and, in long-term attacks, can heighten operational costs to a damaging level. Webhooks Threat Unrestricted resource consumption is an insidious threat in that it can be both an immediate threat in terms of denial of service or a long-term threat with escalating costs. When webhooks are designed to trigger automatically based on specific events without adequate rate-limiting or monitoring in place, these attacks can be exploited in a very significant way, causing extreme damage. To protect against this issue, it’s crucial to implement robust rate-limiting on webhook endpoints. This rate-limiting should be dynamic and adapt to the system’s current state, becoming stricter if the system is under heavy load or potential attack. Monitoring solutions should be in place to detect unusual spikes in activity or resource consumption, alerting administrators to potentially malicious behavior. Employ timeouts for webhook-triggered operations to prevent any single operation from consuming too many resources. API05: Broken Function Level Authorization (BFLA) BFLA occurs when users are able to execute functions they’re not authorized for, like a regular user performing an admin-level task. These weaknesses in access control policies lead to unauthorized access to functions as well as the underlying protected data. Webhooks Threat Webhooks can be vulnerable to these kinds of attacks without an adequate functional authorization system. Suppose a webhook is designed to simply accept a function assuming a trusted resource. In that case, the function itself has no real security and can be used for various attack scenarios that could very well be extremely damaging. This is especially true when considering webhooks designed to function in a trusted environment, such as in a collection of lightweight microservices (for instance, an Internet-of-Things architecture). To mitigate this risk, always ensure that functions have adequate authorization methodologies. Whether this is role-based or attribute-based, some sort of effective and audited system must implement control policies to effectively mitigate this threat. Monitoring and logging continue to be necessary to detect long-term issues, but proactive management is your best friend here. API06: Unrestricted Access to Sensitive Business Flows This kind of issue arises when business flows, for instance, purchasing an item, are exposed without consideration for what this means for the holistic API. The problem with this kind of flaw is that it’s not necessarily a configuration error — after all, purchasing an item may indeed be the entire point of the API. We saw this kind of flaw rampant during the launch of video game consoles in the last few years, where attackers utilized an endpoint and a botnet of devices to automatically buy up the entire stock of an item for later resale. Webhooks Threat Webhooks are particularly sensitive to business flow exposure due to the nature of the technology. Webhooks are meant to surface information from business flows through an event-driven architecture. The best defense to this kind of attack, then, is to ensure that the business flows that are surfaced are intended to be surfaced. Auditing the series of flows and ensuring that the events triggering each webhook are correct is of vital importance. Reducing the overall events can be helpful, but a heuristics approach will be much more effective. Track abuse and overuse of each webhook endpoint to identify flows that are at high risk for abuse and then further protect those particular endpoints. API07: Server Side Request Forgery (SSRF) SSRF is when an attacker induces the server to make a request on their behalf, potentially accessing internal resources or exposing sensitive information. This potentially allows unrestricted access to critical functions. Webhooks Threat Server-side request forgery (SSRF) poses a unique risk to webhooks, especially those designed to interact with external services based on received payloads or commands. For instance, a webhook may be set up to fetch additional data from an internal API or database when triggered. If an attacker is able to manipulate the webhook’s input parameters, they could trick the server into making unauthorized requests to internal or even external resources as a server-originated request, leading to data exposure or unauthorized actions. This kind of vulnerability effectively turns the webhook into a gateway for attackers to probe, interact with, or exploit other parts of the system or network. To mitigate these vulnerabilities, ensure strict input validation and sanitization. Limit the types of requests that can be made through the webhook to minimize the potential for abuse. Network segmentation and firewalls can also restrict which resources the server hosting the webhook can access, offering another layer of protection. API08: Security Misconfiguration This is a broad category that includes mistakenly exposing sensitive information or functionalities due to misconfigurations in the server or application. At its most basic, this category can broadly be defined as flaws that let attackers force the API to make unwanted requests to external resources. Webhooks Threat Security misconfiguration is a risk that can significantly affect any service. A common mistake is deploying a webhook with default settings for the chosen solution, which might include over-permissive access controls or exposed sensitive information. Misconfigurations can lead to various vulnerabilities, including unauthorized access and data leakage. To prevent this threat, it’s critical to follow a secure deployment process with webhooks specifically in mind. Ensure that only necessary webhooks exist on the stack to avoid creep in the attack surface. Utilize technologies such as heuristics to identify errant configuration abuse in production and use automated scanners and frameworks to detect misconfiguration issues in development. Regularly review and update configurations, including access control lists and rate-limiting settings. API09: Improper Inventory Management This vulnerability is about not maintaining a clear inventory of API versions, environments, and deprecated fields. Attackers can exploit this oversight to find and exploit old or unprotected API endpoints. Webhooks Threat Given their event-driven nature, it’s not uncommon for mature organizations to have multiple versions of webhooks interacting with various internal and external services. Without a well-maintained inventory, older webhook versions with known vulnerabilities might not get decommissioned or updated, providing an attack surface for malicious actors. To resolve this threat, organizations should maintain a comprehensive and up-to-date inventory of all active webhook endpoints, along with the versions, environments they operate in, and the fields they use. This inventory should be regularly audited to identify and decommission outdated or unnecessary webhooks. For versioning, consider applying semantic versioning to make it easier to track changes and understand the impact of those changes. Automated tools can be employed to discover and catalog webhooks as part of the development pipeline, ensuring that the inventory stays current as changes are deployed while reducing the overhead in this process. Also check out: 6 Strategies for Documenting Webhooks API10: Unsafe Consumption of APIs It’s essential to validate and sanitize data from third-party APIs. Treating data from external systems as trusted can introduce vulnerabilities to the system, especially when consuming these APIs without due diligence. Webhooks Threat Webhooks, like all APIs, are inherently at risk when interacting with external APIs. Any external API is outside the control of the core developer, meaning that any dependence on them, no matter how small or large, potentially opens up risks of unsafe consumption. External APIs can be taken over by malicious actors, but even “safe” APIs that are still under developer control can have hidden vulnerabilities and issues that spread locally when referenced by an API. Your best solution to this kind of problem is to adopt a zero-trust model. Implement rigorous validation and sanitization procedures for any data received through webhooks, and always treat incoming data as untrusted, regardless of the source. Apply thorough input validation checks, including type-checks, length verification, heuristic analysis, format validation, and sanitation. Utilize automated security tools that can scan incoming payloads for known vulnerabilities or malicious patterns. Treat all incoming data as if it could cause incredible damage, because the reality is that it can. Conclusion Hopefully, this gives you a solid base from which webhook vulnerabilities can begin to be addressed. No security posture is ever going to be perfect, but covering the most common vulnerabilities will deliver a more robust service. Are there any other approaches for planning against the OWASP Top Ten Risks you’d like us to cover? What other technologies would you love us to look at? Let us know in the comments below!