Why it Matters

Magento and its extensions often integrate with third-party services (payment gateways, shipping, marketing tools) using webhooks. If webhook payloads are not signed and validated, an attacker can forge requests to those endpoints and trigger actions such as fraudulent refunds, fake order updates, or data exfiltration.

Validating webhook signatures ensures that only trusted services can call your endpoints, protecting against spoofed requests and supply-chain attacks.

Verification Steps

Code inspection

# Inspect webhook controller
app/code/Vendor/Module/Controller/Webhook/Index.php

# Check: is there logic to verify signature?
# Example: validate HMAC-SHA256 header or token

Request test

# Send webhook without signature
curl -X POST https://mystore.com/webhook/endpoint -d '{}'

# Expected: request rejected (401 Unauthorized)

Remediation / Fix Guidance

  1. Require all webhooks to include a cryptographic signature (HMAC with shared secret, or asymmetric signature with public key verification).
  2. Verify the timestamp and the signature in the webhook controller before the payload is processed.
  3. Reject unsigned or invalid requests with a 401 Unauthorized response.
  4. Rotate webhook secrets regularly and store them in a secret manager, not in code.
  5. Log and alert on repeated invalid webhook attempts.
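Steps 1 to 3 and 5 above, worked through as an added example that is not the baseline's own code: the sender's signing routine beside the controller's verification, assuming the header names X-Webhook-Timestamp and X-Webhook-Signature, a "timestamp.payload" signing string and a 5-minute tolerance window.

```php
<?php
// Added example, not code from the baseline page: timestamped HMAC-SHA256 verification
// covering remediation steps 1-3 and 5. Header names, the "timestamp.payload" signing
// string and the 5-minute tolerance are assumptions; match the calling service's scheme.
declare(strict_types=1);
const WEBHOOK_TOLERANCE_SECONDS = 300;

/** Sender side: what a trusted service computes over the exact raw body it sends. */
function signWebhook(string $payload, int $timestamp, string $secret): string
{
    return hash_hmac('sha256', $timestamp . '.' . $payload, $secret);
}

/** Receiver side: null when valid, otherwise a reason the controller logs before answering 401. */
function verifyWebhook(string $payload, array $headers, string $secret, int $now): ?string
{
    $ts  = $headers['X-Webhook-Timestamp'] ?? '';
    $sig = $headers['X-Webhook-Signature'] ?? '';
    if ($ts === '' || $sig === '') {
        return 'missing signature headers';
    }
    // Binding the timestamp into the MAC and bounding its age limits replay of a captured request.
    if (!ctype_digit($ts) || abs($now - (int) $ts) > WEBHOOK_TOLERANCE_SECONDS) {
        return 'timestamp outside tolerance window';
    }
    $expected = signWebhook($payload, (int) $ts, $secret);
    // hash_equals() compares in constant time, so a wrong guess leaks no timing information.
    if (!hash_equals($expected, $sig)) {
        return 'signature mismatch';
    }
    return null;
}

// Controller-side usage. In a real deployment $secret comes from the secret manager (step 4)
// and $headers from the request object; the values below are constructed for this demo.
$secret  = 'demo-secret';
$payload = '{"order_id":1001,"status":"refunded"}';
$now     = time();
$headers = [
    'X-Webhook-Timestamp' => (string) $now,
    'X-Webhook-Signature' => signWebhook($payload, $now, $secret),
];

$reason = verifyWebhook($payload, $headers, $secret, $now);
if ($reason !== null) {
    error_log('webhook rejected: ' . $reason); // step 5: feed into alerting on repeated failures
    http_response_code(401);
    exit('Invalid signature');
}
// Only reached for an authentic, fresh request: safe to hand $payload to processWebhook().
```

Changing one byte of $payload, reusing the headers an hour later, or dropping either header makes verifyWebhook() return a non-null reason and the request is refused before any order logic runs.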

Examples

Fail Example
# Controller processes webhook blindly
public function execute() {
    $payload = file_get_contents('php://input');
    $this->processWebhook($payload);
}
# No signature validation → FAIL

Pass Example
# Controller verifies the HMAC signature before the payload is processed
$payload   = file_get_contents('php://input');          # raw body, exactly as the sender signed it
$signature = $_SERVER['HTTP_X_SIGNATURE'] ?? '';        # X-Signature header set by the trusted service
$expected  = hash_hmac('sha256', $payload, $secret);    # $secret loaded from a secret manager, never hard-coded
if (!hash_equals($expected, $signature)) {              # constant-time comparison
    http_response_code(401);
    exit('Invalid signature');
}
$this->processWebhook($payload);
# Validated before processing → PASS

References