Security concerns with with webhooks #380
Comments
|
Thank you very much for putting this together! I have good news. We currently make changes to the webhooks and it will the by default use a uuid. It will so be then very hard to guess them. I hope we will also find soon some time to add proper CORS support in the future. About the data-validation. Most Trigger-Nodes should implement it already for the other ones we also try to add it in the future. Any help there is however very appreciated. |
|
We just released a beta version of n8n with static webhooks. For existing webhook-nodes it will keep on working like before. Meaning the webhook-URL is a combination of workflow-id and webhook-name. For newly created nodes it will by default create a UUID. The value can simply get changed. It is however important to mention that webhook-URLs are now unique so not two different workflows could define the path GET The beta image: Please inform us if everything new and existing works fine that we can release it asap. We did already test but the more people the better obviously.Thanks! |
|
Got fixed in the newly released [email protected] |
Describe the bug
This could be feature request as well, but I make it as bug report since this feels vulnerability. Currently webhooks works so that you have address like
http://<somewhere>/webhook/<workload id>/webhook/<node name>. But the problem is that webhook endpoint needs to be public. With this kind address structure it is pretty easy to make an attack with data and pollute potentially many other systems. Eg. attacker can loop through index numbers(even uuid would make a difference) and make dictionary based node names(ppl tend to use words) and it would not get too many tries to find some working combination(very limited set).Expected behavior
Webhooks should be harder to send data to without proper link. Eg. ActiveCampaign trigger does not have any additionaly security measures like validating requests with their credentials.
More secure addresses can be achieved by adding eg. some security get parameter along side with the address which only can be verified by n8n. If backwards compatibility is wanted, it could be option if it is required or not.
CORS header support would prevent sending data from wrong sites.
Examples what others suggests:
https://developer.bigcommerce.com/api-docs/getting-started/webhooks/about-webhooks#security suggest there should be header
https://developer.github.com/webhooks/securing/
github suggests to verify requests with signature header per received event(Btw. GithubTrigger does not seem to be checking this). This is the style I'm currently developing custom trigger with and hopefully there will be merge request for the node some day. Sadly this can be only made per service basis if they provide such powerful way.
https://developer.paypal.com/docs/integration/direct/webhooks/notification-messages/
Paypal uses signatures made with certifications. And it is used in PaypalTrigger-node
https://developers.activecampaign.com/page/webhooks
ActiveCampaign does not provide any additinal security measures so it would be important to have cryptographically better addresses.
Environment (please complete the following information):
Additional context
So three things would make these better
The text was updated successfully, but these errors were encountered: