Watch the stream
Webhooks are an important part of modern web services and event-driven applications. They are defined as “user-defined HTTP callbacks”, and are triggered by some events, such as pushing code to a repo or adding a new customer entry in a CRM tool. Webhooks are ubiquitous and gaining in popularity owing to their asynchronous nature and the integration possibilities that they engender.
Webhooks are seen as “harmless”, owing to their “one-way” orientation. They are perceived as such, because they typically post some event information to a URL and they are done once they receive an HTTP response.
In this talk, I will demonstrate a series of attacks that we dub “Webhook Boomerang flaws”. These flaws allow attackers to leverage webhooks to create a boomerang effect that ends up attacking the originating web service itself. The techniques showcased in this talk will highlight a unique set of attack vectors that piggyback on nothing more than the standard HTTP and DNS protocols, which allow us to to perform Server-side Request Forgery style attacks that can lead to cloud-metadata compromise even with security protections like Metadata Headers. In our research, we’ve discovered this across multiple cloud providers and found that these attacks can be used in more conventional SSRF compromises of internal web-services.
The talk starts with a detailing of webhooks and typical webhook functionality that are provided by popular CI, CRM, Project Management, Payment Gateways and other applications. Subsequently, I'll be showcasing demos of multiple techniques that can be used in this attack approach, with special emphasis on evasive payloads as well.
Next, I will showcase the success of this attack against several popular bug-bounty targets to highlight the impact of these attacks at scale.
Finally, I will present multiple approaches to defending against these vulnerabilities and developer best practices that should be applied when defining webhook functionality.