-
What do you want to achieve?
I want to be able to understand the security risk and flaws that a webhook could have when I want to create a bug/player report that will be send to an external application i.e. Discord. -
What is the issue?
This is my first time working with webhooks and I do not know what kind of abuse or exploit that can be used against this bug report system. More specifically, I will be using a remote event type script that will communicate by the player to my external application. Are there any kind of issues I should be aware of when making such a script? -
What solutions have you tried so far?
I have known that if the link to your webhook is exposed for public use, players are able to take it and abuse that link, and I have seen videos of players who can view scripts of games that can lead to security flaws (though I’m not sure if this still persists after Byfron have been implemented.
Most of the time, you will not have to worry about people spamming your webhook. However, I suggest using a proxy server to transmit your webhook queries to Discord if security is a top priority for you. Only this proxy server will be aware of your Discord webhook URL. The webhook URL can be saved on your proxy server as an environment variable. You can incorporate security checks into the proxy server’s handling of your webhook requests as well. Examples of such security controls are:
- Making a list of IP addresses that are allowed to communicate with the proxy server, or a “Allow” list
- Integrating token authentication to ensure that all client requests are verified
- Preventing harmful content by filtering each webhook request’s content
One service that provides said features is Hookdeck, although I believe query approval must be done manually. I would also recommend adding a cooldown to your system, ensuring that no one player can spam the webhook.
Let me know if this helps!
1 Like