MB-R092
Payment callbacks and webhooks must validate signatures, timestamps, replay windows, and provider-specific authentication requirements before processing order or payment state changes. Weak webhook validation can enable forged payment success, refund abuse, or order manipulation. Enforce provider HMAC verification, secret rotation, idempotency, and logging of rejected events. security-audit: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - name: Run Magebean Audit run: /path-to-file/magebean.phar scan --path=. Exploitation can lead to full system compromise, data breach, or payment fraud. Must be remediated immediately. Exploitation can cause significant security or operational risk, such as privilege escalation or data leakage. Should be prioritized for remediation. Exploitation has limited impact or requires additional conditions. Important to fix but may be scheduled. Minor security hygiene issues or best practices. Fix as part of normal maintenance.
Payment webhook endpoints often update order state, captures, refunds, or fraud decisions. If they accept unsigned or weakly authenticated requests, attackers may spoof gateway events or replay old messages.
Strong webhook authentication proves the request came from the provider and was not modified in transit.
grep -RIE "webhook|callback|signature|hmac" app/code 2>/dev/null
# Confirm signature and timestamp validation happen before processing
curl -X POST https://mystore.com/payment/webhook -d "{}"
# Expected: 401/403 or provider-specific rejection
public function execute() {
$this->updateOrder($this->request->getContent());
}
# Processes callback without authentication → FAIL
if (!$this->signatureValidator->isValid($payload, $headers)) {
return $this->reject();
}
# Signature checked first → PASS