06-19-2020 02:09 PM
It appears to me that there is no real security in Incoming Webhooks. I'd like to use it to send some alert messages from Azure/OpenShift etc. but it seems like the 'security' it uses is just a long, hard-to-guess URL. There's no authentication per se. Is there any info I could use to get this past my security teams? Any math even on how hard it is to guess that URL path ?! :)
06-20-2020 10:30 AM
Hi
It depends on the URL - with HTTPS it's as safe as browsing any HTTPS site
06-22-2020 02:22 AM
I don't agree with that statement. You are not browsing but enacting some potential action based on posting to that incoming WebHook. I have seen other WebHooks that require something in the payload for auth. Perhaps I should use the API to post messages.
06-22-2020 07:17 AM
I think your understanding is pretty accurate. Certainly using the full REST API is preferable from a security standpoint, where the secret is not present in the URL/params. Use of incoming webhooks is going to trade some safety for convenience when you just need a quick and dirty chat-ops notification...
06-22-2020 01:54 PM
I guess so. Not sure my sec guys will go for this. I guess it's about showing that worst case is a DDOS or a flood of messages to a space.
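As an added illustration of the "any math" question asked in this thread (not written by any poster or by the vendor), this Python sketch bounds the cost of blindly guessing a webhook URL. It assumes the last path segment is the secret and was generated uniformly at random; the sample URL, the alphabets, the number of live webhooks and the request rate are all constructed assumptions.

```python
import math
import string
from urllib.parse import urlsplit

# (name, allowed characters, alphabet size), tried smallest alphabet first.
ALPHABETS = [
    ("hex", set(string.hexdigits), 16),
    ("base32", set(string.ascii_uppercase + "234567"), 32),
    ("base64url", set(string.ascii_letters + string.digits + "-_"), 64),
]
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def token_entropy_bits(webhook_url):
    """Upper bound in bits, assuming the last path segment is the secret and
    every character was drawn uniformly from the smallest matching alphabet."""
    token = urlsplit(webhook_url).path.rstrip("/").rsplit("/", 1)[-1]
    if not token:
        raise ValueError("URL has no path segment to treat as a token")
    for name, chars, size in ALPHABETS:
        if set(token) <= chars:
            return name, len(token) * math.log2(size)
    raise ValueError("token uses characters outside the known alphabets")


def expected_guesses(bits, live_webhooks=1):
    """Mean guesses before hitting any of live_webhooks valid tokens when
    walking the 2**bits space without repeats: (M + 1) / (N + 1)."""
    return (2 ** bits + 1) / (live_webhooks + 1)


def years_to_guess(bits, guesses_per_second, live_webhooks=1):
    seconds = expected_guesses(bits, live_webhooks) / guesses_per_second
    return seconds / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Constructed sample URL; the host and token are placeholders.
    url = "https://chat.example.invalid/webhooks/incoming/" + "Zm9vQmFy-_0" * 6
    alphabet, bits = token_entropy_bits(url)
    # Assumed: one million live webhooks on the service, and a guesser
    # sustaining 10,000 requests per second without being rate limited.
    years = years_to_guess(bits, 10_000, live_webhooks=1_000_000)
    print(f"{alphabet}, {bits:.0f} bits, ~{years:.2e} years to the first hit")
```

The figure covers blind guessing only; it says nothing about a URL that has been copied into logs, proxies or configuration files.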