Global AppSec Tel Aviv 2019

The concept of a Webhook is quite simple: an HTTP callback that occurs when something happens. However, Webhook's powerful nature of open ended integration with arbitrary web services, makes it very easy for API developers to pipe data in and out of its CISO defined boundaries,  and might even end up in a network compromise.  
We will share our research on the tool-chains used by API developers to develop and test Webhooks and show why those could be disastrous. We will provide examples of real life exposed applications and present our war stories on the vulnerabilities we have discovered and responsibly disclosed. We will talk how Webhooks tools are already being abused in the wild. Attendees will walk away with a better sense of understanding Webhook development threats and the feasible preventive controls. Finally we will be releasing a toolkit to assist in auditing the exposure of organizations using Webhooks.