Presentation Material
Abstract
Webhooks are an important part of modern web services and event-driven applications. They are defined as “user-defined HTTP callbacks”, and are triggered by some events, such as pushing code to a repo or adding a new customer entry in a CRM tool. Webhooks are ubiquitous and gaining in popularity owing to their asynchronous nature and the integration possibilities that they engender.
Webhooks are seen as “harmless”, owing to their “one-way” orientation. They are perceived as such, because they typically post some event information to a URL and they are done once they receive an HTTP response.
In this talk, I will demonstrate a series of attacks that we dub “Webhook Boomerang flaws”. These flaws allow attackers to leverage webhooks to create a boomerang effect that ends up attacking the originating web service itself. The techniques showcased in this talk will highlight a unique set of attack vectors that piggyback on nothing more than the standard HTTP and DNS protocols, which allow us to perform Server-side Request Forgery style attacks that can lead to cloud-metadata compromise even with security protections like Metadata Headers. In our research, we’ve discovered this across multiple cloud providers and found that these attacks can be used in more conventional SSRF compromises of internal web-services.
The talk starts with a detailing of webhooks and typical webhook functionality that are provided by popular CI, CRM, Project Management, Payment Gateways and other applications. Subsequently, I’ll be showcasing demos of multiple techniques that can be used in this attack approach, with special emphasis on evasive payloads as well.
Next, I will showcase the success of this attack against several popular bug-bounty targets to highlight the impact of these attacks at scale.
Finally, I will present multiple approaches to defending against these vulnerabilities and developer best practices that should be applied when defining webhook functionality.
AI Generated Summary
The talk presents a security vulnerability in webhook implementations termed “webhook boomerang” attacks. The core issue arises when a malicious webhook consumer can force the provider’s server to make an internal Server-Side Request Forgery (SSRF) request back to the provider’s own infrastructure, potentially exposing sensitive data like cloud credentials.
The attack exploits the common behavior of webhook providers sending POST requests to consumer URLs. By configuring a webhook endpoint to return an HTTP 303 redirect to an internal resource (e.g., a cloud metadata service at 169.254.169.254), the attacker can manipulate the provider’s HTTP client. Many standard HTTP libraries automatically follow 303 redirects by converting the original POST into a GET request to the new location. If the provider stores the webhook response, the data from the internal request—such as AWS IAM role credentials—is captured and visible to the attacker.
A live demonstration compromised a test application’s internal CouchDB database using this technique. A real-world case involved Docker Hub, where the attack exfiltrated AWS credentials from the infrastructure running the service, though the vendor patched the issue quickly. The attack also extends to other cloud providers (Azure, GCP) if the webhook provider allows custom headers, as their metadata services require specific headers that can be injected.
Key defensive measures are highlighted: webhook providers must configure their HTTP clients to never follow redirects (follow_redirects=false). Relying on IP blocklists is insufficient, as attackers can use domain names resolving to loopback addresses. Instead, strict URL validation and network-level egress filtering are recommended to prevent SSRF. The vulnerability underscores the need to treat webhook consumer-supplied data as untrusted, especially regarding redirects and header manipulation.