Improve Safety of Webhooks
It concerns us a lot that in theory everyone can send messages to our webhooks.
Problem:
Given a webhook, currently, anyone with the webhook url can post to it.
The procedure is easy, just execute:
```
curl -H "Content-Type: application/json" -X POST -d '{"username": "test", "content": "hello"}' <webhook_url>
```
and it will post to the given webhook.
Possible ideas to fix it:
1. When generating a webhook, also provide us an authentification token.
1.1 Let us write scripts for webhooks, like you can do in rocket.chat, that way we can individually specify which webhooks from which IPs / servers we accept.
or
1.2 Only accept posts to a webhook, when the authentification token is also passed, either in the header, or in content.
This problem applies not only to webhook urls.
One can also download any files you post on discord, if the url is known.
Which is even more concerning.
-- Bree
Please sign in to leave a comment.
Comments
0 comments