#gallopinggoose-webhook-signatureverification


hasty emberBOT
sick solstice
#

Yes, if a fraudulent user manipulated the event webhook in any way, the signature generated from that manipulated event wouldn't match what we expect, so you'd get an invalid signature error

lilac hare
#

Does that include man in the middle type attacks? If they intercept the stripe webhook payload -> change the event body but leave the generated signature -> wouldn't that produce an altered Event using the unaltered signature with constructEvent?

#

Sorry, I'm not really familiar with cybersecurity stuff and want to secure our application as best as I can

hasty emberBOT
sick solstice
#

I'm also not an expert in security but I believe with man in the middle you just want to be sure you're using https/ssl

lilac hare
#

Got it. I think the end line is I'm thinking, if using the official libraries to verify webhooks with constructEvent, is it necessary to double check the constructed event (retrieve the event from stripe using the constructed id) to check if the constructed event matches the retrieved event? If constructEvent checks if the webhook is valid and the event exists then I imagine not

heady zinc
#

Live mode webhook endpoints must use HTTPS; an insecure URL will be rejected when you try to configure it

#

Because only you and Stripe have the signing secret, signature validation implies valid object contents

#

It doesn't explicitly confirm the contained object exists, though. You could send your own test events with false body data that is correctly signed, for example, and nothing in the constructEvent method will know that.

lilac hare
#

And I could only recreate this test on an insecure server (no HTTPS) because there wouldn't be a way to generate such a payload from Stripe?

heady zinc
#

No, you can do it on an HTTPS endpoint too

#

and you have the signing secret, so you could sign it yourself

lilac hare
#

Oh nvm, I could edit the payload after receiving it

#

Yeah exactly, okay thanks

#

Thanks @heady zinc @sick solstice, I appreciate you taking the time to explain it to me

heady zinc
#

NP!

lilac hare
#

Sorry, would this sort of test include generating my own Stripe-Signature header?

heady zinc
#

If you set it, yea 😄

lilac hare
#

Is the v1/v0 signature always the same for all webhooks of an endpoint based on the endpoint's secret key? with the only thing changing the embedded timestamp?

heady zinc
#

No, the entire signature changes, the hash of the body data string is an input

lilac hare
#

Thanks that makes a lot of sense

lilac hare
#

So the point of weakness is really the secret key because with that, anyone could sign anything correctly

heady zinc
#

the signing secret, not secret key, but yes

lilac hare
#

Yes sorry the signing secret