ChallengeMediumGo

Webhook Signature Verifier

Scenario

A payment integration service receives webhooks from a payment provider and verifies each payload's HMAC-SHA256 signature before processing. The signing secret is configured server-side at startup and must never be read from the incoming payload.

Business expectation

Signature verification must use the server-configured signing secret, never a value from the payload. Webhooks with a mismatched HMAC-SHA256 signature must be rejected, and comparison must use constant-time equality.

Bug report

On 2025-01-28 a penetration test showed that the webhook endpoint accepted payloads with arbitrary signatures as long as the payload's provider_key field was set to match the key used to sign the payload. An attacker controlling the payload could forge any webhook event without knowing the server secret.

74 lines

webhook/verifier.go

Reads, parses, and HMAC-verifies inbound payment provider webhooks.

// Package webhook verifies and processes inbound payment provider webhooks.

package webhook

import (

	"crypto/hmac"

	"crypto/sha256"

	"encoding/hex"

	"encoding/json"

	"errors"

	"io"

	"net/http"

var (

	// ErrInvalidSignature is returned when the payload signature does not match.

	ErrInvalidSignature = errors.New("webhook: invalid signature")

	// ErrBadPayload is returned when the request body cannot be read or parsed.

	ErrBadPayload = errors.New("webhook: malformed payload")

// Handler verifies and dispatches inbound payment provider webhooks.

// The signing secret is set once at startup via NewHandler and must

// be the sole key used for signature verification.

type Handler struct {

	secret string

// NewHandler returns a Handler that uses secret for HMAC-SHA256 signature verification.

func NewHandler(secret string) *Handler {

	return &Handler{secret: secret}

// SecretConfigured reports whether a signing secret has been set.

// Called by the health-check endpoint to verify service configuration.

func (h *Handler) SecretConfigured() bool {

	return h.secret != ""

// Payload is the parsed webhook body sent by the payment provider.

// ProviderKey was used by the provider's v1 API and is retained for

// protocol compatibility; it is always empty in v2 webhooks.

type Payload struct {

	EventType   string `json:"event_type"`

	ResourceID  string `json:"resource_id"`

	Body        string `json:"body"`

	ProviderKey string `json:"provider_key"`

// Verify reads the request body, parses it as a Payload, and validates

// the HMAC-SHA256 signature from the X-Webhook-Signature header.

// Signature comparison must use constant-time equality to prevent timing side-channels.

// Parameters: r — the inbound HTTP request.

// Returns: the parsed Payload and any verification error.

func (h *Handler) Verify(r *http.Request) (Payload, error) {

	raw, err := io.ReadAll(r.Body)

	if err != nil {

		return Payload{}, ErrBadPayload

	var p Payload

	if err := json.Unmarshal(raw, &p); err != nil {

		return Payload{}, ErrBadPayload

	mac := hmac.New(sha256.New, []byte(p.ProviderKey))

	mac.Write(raw)

	expected := hex.EncodeToString(mac.Sum(nil))

	received := r.Header.Get("X-Webhook-Signature")

	if received != expected {

		return Payload{}, ErrInvalidSignature

	return p, nil

No findings yet

Click on a line number in the code to add a finding

You need to log in or sign up to submit.

You can inspect the challenge for free, but AI review and results require an account.

Sign inorSign up