1683 Views, 5 Helpful, 4 Replies

Incoming WebHooks Security

shockocisco
Beginner

It appears to me that there is no real security in Incoming Webhooks. I'd like to use it to send some alert messages from Azure/OpenShift etc. but it seems like the 'security' it uses is just a long, hard-to-guess URL. There's no authentication per se. Is there any info I could use to get this past my security teams? Any math even on how hard it is to guess that URL path?! :)

4 Replies

omz
Collaborator

Hi

It depends on the URL - with HTTPS it's as safe as browsing any HTTPS site.


I don't agree with that statement. You are not browsing but enacting some potential action based on posting to that incoming WebHook. I have seen other WebHooks that require something in the payload for auth. Perhaps I should use the API to post messages. 

I think your understanding is pretty accurate.  Certainly using the full REST API is preferable from a security standpoint, where the secret is not present in the URL/params.  Use of incoming webhooks is going to trade some safety for convenience when you just need a quick and dirty chat-ops notification...

I guess so. Not sure my sec guys will go for this. I guess it's about showing that worst case is a DDOS or a flood of messages to a space. 
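
The kind of estimate the original question asks for, as an added example (not part of any reply above, and not the vendor's code): an upper bound on the entropy of a webhook URL token and the average time blind guessing would need to hit a live URL. The thread does not state the real token's length or alphabet, so the sample token, the guess rates and the function names are assumptions.

```python
import math
import string

# (name, allowed characters, alphabet size), smallest alphabet first.
ALPHABETS = [
    ("hex", set(string.hexdigits), 16),
    ("base32", set(string.ascii_uppercase + "234567"), 32),
    ("alphanumeric", set(string.ascii_letters + string.digits), 62),
    ("base64url", set(string.ascii_letters + string.digits + "-_"), 64),
]

def token_entropy_bits(token):
    """Upper bound on entropy: assumes every character is uniformly random."""
    chars = set(token)
    for name, allowed, size in ALPHABETS:
        if chars <= allowed:
            return name, len(token) * math.log2(size)
    raise ValueError("token uses characters outside the known alphabets")

def expected_guess_years(bits, guesses_per_second, live_webhooks=1):
    """Average time for blind guessing to hit any one of live_webhooks URLs.

    With K = 2**bits possible tokens and N live ones, guessing without
    repeats needs about K / (N + 1) attempts on average.
    """
    expected_guesses = 2 ** bits / (live_webhooks + 1)
    return expected_guesses / guesses_per_second / (365.25 * 24 * 3600)

if __name__ == "__main__":
    # Constructed sample token (assumption): read the real length and
    # alphabet off your own webhook URL and substitute them here.
    sample = "0f1e2d3c4b5a69788796a5b4c3d2e1f0"
    name, bits = token_entropy_bits(sample)
    # Assumed attacker rates; any rate limiting on the endpoint lowers these.
    for rate in (1e3, 1e6, 1e9):
        years = expected_guess_years(bits, rate)
        print(f"{name}, {bits:.0f} bits, {rate:.0e} guesses/s: {years:.2e} years")
```

This covers blind guessing only. It says nothing about the URL leaking through logs, proxies, pipeline configuration or source control, which is the trade-off the reply about the REST API describes.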
