← Back to Baseline

MB-R092

Payment webhook endpoint authentication hardening

C12 Third‑party Config Security High

Payment callbacks and webhooks must validate signatures, timestamps, replay windows, and provider-specific authentication requirements before processing order or payment state changes. Weak webhook validation can enable forged payment success, refund abuse, or order manipulation. Enforce provider HMAC verification, secret rotation, idempotency, and logging of rejected events. security-audit: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - name: Run Magebean Audit run: /path-to-file/magebean.phar scan --path=. Exploitation can lead to full system compromise, data breach, or payment fraud. Must be remediated immediately. Exploitation can cause significant security or operational risk, such as privilege escalation or data leakage. Should be prioritized for remediation. Exploitation has limited impact or requires additional conditions. Important to fix but may be scheduled. Minor security hygiene issues or best practices. Fix as part of normal maintenance.

Why it Matters

Payment webhook endpoints often update order state, captures, refunds, or fraud decisions. If they accept unsigned or weakly authenticated requests, attackers may spoof gateway events or replay old messages.

Strong webhook authentication proves the request came from the provider and was not modified in transit.

Verification Steps

Controller inspection

grep -RIE "webhook|callback|signature|hmac" app/code 2>/dev/null
# Confirm signature and timestamp validation happen before processing

Unauthenticated request test

curl -X POST https://mystore.com/payment/webhook -d "{}"
# Expected: 401/403 or provider-specific rejection

Remediation / Fix Guidance

  1. Require provider signatures, HMAC validation, or asymmetric verification for payment webhooks.
  2. Validate timestamp or event age to reduce replay risk.
  3. Reject unsigned, invalid, stale, or duplicate webhook events.
  4. Store webhook secrets outside code and rotate them periodically.
  5. Log invalid webhook attempts with sensitive data redacted.

Examples

Fail Example
public function execute() {
    $this->updateOrder($this->request->getContent());
}
# Processes callback without authentication → FAIL
Pass Example
if (!$this->signatureValidator->isValid($payload, $headers)) {
    return $this->reject();
}
# Signature checked first → PASS

References