The date for the release of slides and videos has not been determined.  
Please, visit the event site for further information.
Back To Schedule
Wednesday, May 29 • 2:05pm - 2:35pm
Webhooks Hookups: Abusing API Developers

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Feedback form is now closed.
The concept of a Webhook is quite simple: an HTTP callback that occurs when something happens. However, Webhook's powerful nature of open ended integration with arbitrary web services, makes it very easy for API developers to pipe data in and out of its CISO defined boundaries,  and might even end up in a network compromise.  
We will share our research on the tool-chains used by API developers to develop and test Webhooks and show why those could be disastrous. We will provide examples of real life exposed applications and present our war stories on the vulnerabilities we have discovered and responsibly disclosed. We will talk how Webhooks tools are already being abused in the wild. Attendees will walk away with a better sense of understanding Webhook development threats and the feasible preventive controls. Finally we will be releasing a toolkit to assist in auditing the exposure of organizations using Webhooks.

avatar for Tomer Zait

Tomer Zait

Principal Security Researcher, F5
Tomer Zait (Principal Security Researcher at F5Networks) worked in a range of professions in the security industry (Web Application Firewall Integrator, Penetration Tester, Application Security Engineer, Security Researcher, Etc.). During this time, he developed open-source projects... Read More →
avatar for Maxim Zavodchik

Maxim Zavodchik

Security Research Manager, F5 Networks
The speaker has more than 10 years of offensive security and web vulnerabilities research experience. In his current role as Head of Security Research, Maxim is building and growing the threat research at F5 Networks.

Wednesday May 29, 2019 2:05pm - 2:35pm IDT
Hall C