Episode 11 · Module 3 · App Security

Webhook Security and SSRF

18 May 2026 · 9:21 · Security for Legal SaaS

0:00 9:21

Webhooks are how modern SaaS integrations communicate — and every endpoint is a door you’ve deliberately opened. Alice and Dan cover SSRF attacks, the Capital One breach, HMAC signature verification, DNS rebinding, and why legal integrations with courts and payment processors demand layered defences.

Today’s Lesson

Security for Legal SaaS — Episode 11: Webhook Security and SSRF

When Your Server Becomes the Attacker’s Proxy

Webhooks are how modern SaaS integrations communicate — your e-filing system notifies your case management platform that a submission was accepted, your payment processor confirms a retainer deposit, your e-discovery vendor signals that a production set is ready. Each webhook endpoint is a door you’ve opened in your perimeter. Server-Side Request Forgery (SSRF) exploits that door by tricking your server into making requests to internal resources the attacker cannot reach directly.

Key stat: SSRF entered the OWASP Top 10 in 2021 as a standalone category after years of increasingly severe real-world exploits — including the Capital One breach where SSRF against AWS metadata endpoints exposed 106 million records.

In legal SaaS, the attack surface is particularly dangerous because integrations with courts, regulators, and counterparties are not optional — they are the product. You cannot simply block all outbound requests.

SSRF: Your Server as the Attacker’s Puppet

SSRF occurs when an attacker can influence a URL that your server-side code fetches. The server dutifully makes the request using its own network position — behind your firewall, on your VPC, with access to internal metadata endpoints and private services.

The Attack Pattern

Step	What Happens
1	Attacker sends a webhook registration or callback URL pointing to an internal resource
2	Your server fetches the URL (e.g., validating a webhook, downloading a referenced document)
3	Internal service responds to your server as if it were a legitimate internal request
4	Attacker receives the response or observes side effects

The Capital One breach (2019) demonstrated this precisely — an SSRF vulnerability allowed an attacker to query the AWS Instance Metadata Service (IMDS) at 169.254.169.254, retrieve IAM role credentials, and exfiltrate 106 million customer records from S3.

AWS responded by introducing IMDSv2, which requires a PUT request with a hop-limited token — but your application code must still validate URLs before fetching them.

DNS Rebinding: Bypassing Allowlists

Even if you validate that a URL resolves to a public IP before fetching it, DNS rebinding attacks can defeat this check. The attacker controls a DNS server that returns a public IP on the first lookup (passing your validation) and an internal IP on the second lookup (when your server actually connects).

Mitigation: Resolve the DNS once, pin the IP, validate it is not in RFC 1918/link-local/loopback ranges, and connect to that specific IP with the original hostname in the Host header. Libraries like ssrf-req-filter implement this pattern.

Webhook Signature Verification

Every inbound webhook must prove it came from the expected sender. Without verification, any attacker who discovers your endpoint URL can forge webhook payloads — creating fake payment confirmations, fraudulent filing receipts, or spoofed e-discovery notifications.

The HMAC Pattern

The industry standard is HMAC-SHA256 signature verification, as implemented by GitHub, Stripe, and most modern platforms:

Component	Purpose
Shared secret	Pre-exchanged key between sender and receiver
Signature header	HMAC-SHA256(secret, raw_body) sent with each request
Timestamp header	When the webhook was generated
Replay window	Reject webhooks older than 5 minutes

Critical implementation detail: Compute the HMAC over the raw request body bytes, not a parsed-and-reserialized version. JSON key reordering, whitespace changes, or encoding differences will produce a different hash. Stripe's documentation explicitly warns about this.

Timestamp Validation and Replay Prevention

Stripe’s webhook security model includes a timestamp in the signed payload. Your verification must:

1. Extract the timestamp from the signature header

2. Reject if the timestamp is more than 5 minutes old (configurable tolerance)

3. Include the timestamp in the HMAC computation so it cannot be modified independently

Without timestamp checks, an attacker who intercepts a valid webhook can replay it indefinitely — triggering duplicate payment confirmations or reprocessing already-handled filings.

Allowlisting Outbound Destinations

When your server makes outbound requests (fetching documents, calling external APIs, delivering webhooks), restrict where it can connect.

Defence in Depth for Outbound Requests

Layer	Control
Application	URL validation — reject private IPs, localhost, metadata endpoints
DNS	Pin resolved IPs; reject RFC 1918, 169.254.0.0/16, ::1
Network	Egress firewall rules — allowlist specific CIDR ranges per integration
Cloud	VPC egress policies or AWS Security Groups restricting outbound

For legal integrations specifically, your allowlist is often well-defined: court e-filing endpoints have published IP ranges, payment processors provide webhook IP lists (Stripe publishes theirs), and e-discovery platforms document their callback infrastructure.

Legal Integration Attack Scenarios

E-Filing Systems

Court e-filing integrations (like Tyler Technologies Odyssey) require your system to accept callbacks confirming submission status. An attacker who compromises or impersonates this callback can mark fraudulent filings as “accepted” in your system.

Mitigations: Verify webhook signatures, cross-reference filing IDs against your submission log, implement out-of-band confirmation for critical filings.

Payment Processors

Retainer deposit confirmations arrive via webhooks. Stripe’s documentation on webhook security exists because the consequences of forged payment notifications are direct financial loss.

E-Discovery Platforms

When a production set is ready for download, the e-discovery platform sends a notification with a URL. If that URL is attacker-controlled, your server fetches malicious content or leaks credentials in the request headers.

Practical Hardening Checklist

Implementation checklist: 1. ☐ Validate all webhook signatures using HMAC-SHA256 with constant-time comparison 2. ☐ Reject webhooks with timestamps older than 5 minutes 3. ☐ Maintain idempotency keys to prevent replay attacks 4. ☐ Validate and pin DNS for all outbound fetches — reject private/link-local ranges 5. ☐ Implement egress firewall rules at the network layer 6. ☐ Enable IMDSv2 on all cloud instances 7. ☐ Log all inbound webhooks with source IP, signature validity, and processing outcome 8. ☐ Use OWASP's SSRF Prevention Cheat Sheet as your implementation reference

Testing Your Defences

PortSwigger’s SSRF lab series provides hands-on practice exploiting and defending against SSRF. For webhook testing, tools like Svix’s webhook testing utilities let you simulate signature failures, timestamp manipulation, and replay attacks in a controlled environment.

The OWASP SSRF Prevention Cheat Sheet provides language-specific guidance for URL validation, including edge cases like IPv6-mapped IPv4 addresses and URL parser differentials.

Conclusion

Your webhook endpoints are trust boundaries — they accept data from external systems and trigger internal actions. SSRF turns your server’s network position against you. In legal SaaS, where integrations with courts, payment systems, and opposing counsel are unavoidable, these attack surfaces cannot be eliminated — only hardened through signature verification, URL validation, network controls, and continuous monitoring.

Next episode: Browser Security Headers — where we’ll see how CORS misconfigurations and missing headers turn your client’s browser into an attack vector.

Alice: Welcome back to Security for Legal SaaS. I’m Alice.

Dan: And I’m Dan. Episode 11 — Webhook Security and SSRF. Alice, webhooks — HTTP callbacks where an external service automatically sends your server a notification when an event occurs — are everywhere in modern SaaS. Payment confirmations, e-filing status updates, e-discovery notifications. What’s the security concern?

Alice: Every webhook endpoint is a door you’ve deliberately opened in your perimeter. You’re saying: external systems, please send me HTTP requests containing data I’ll act on. The two threats we’re covering today are — one, someone forging those inbound webhooks to trigger actions in your system. And two, SSRF — server-side request forgery — where an attacker tricks your server into making requests to places it shouldn’t.

Dan: Let’s start with SSRF. Give me the basic attack pattern.

Alice: Your server fetches URLs as part of its normal operation. Maybe it’s downloading a document referenced in a webhook, or validating a callback URL during integration setup. The attacker provides a URL that points to an internal resource — your cloud metadata endpoint, an internal admin panel, a database that’s only accessible within your VPC — your Virtual Private Cloud, the isolated private network your services run in. Your server fetches it happily because from its perspective, it’s just making an HTTP request.

Dan: And the most famous example of this going wrong?

Alice: Capital One, 2019. An SSRF vulnerability let an attacker query the AWS Instance Metadata Service at 169.254.169.254. That metadata endpoint — metadata being configuration data about the server itself — hands out temporary IAM credentials — Identity and Access Management keys that grant permissions to cloud resources — to any process on the instance. The attacker got those credentials and used them to exfiltrate 106 million customer records from S3 — Amazon’s cloud file storage service. A single SSRF. One hundred million records.

Dan: That’s why SSRF made the OWASP Top 10 — the Open Web Application Security Project’s list of the most critical web security risks, which we discussed in Episode 3 — as its own category in 2021.

Alice: Exactly. And for legal SaaS, the attack surface is particularly nasty because you can’t just block all outbound requests. Your system needs to talk to court e-filing APIs, payment processors, e-discovery platforms. Those integrations are the product.

Dan: So how do you defend against it?

Alice: Layers. At the application level — validate every URL before fetching. Resolve DNS — the Domain Name System that translates website names into IP addresses — check the resulting IP isn’t in private ranges — no 10.x, no 172.16-31.x, no 192.168.x, no 169.254.x, no localhost. Pin the resolved IP so a DNS rebinding attack can’t swap it between validation and connection. At the network level — egress firewall rules — egress meaning outbound traffic leaving your network — that only allow outbound connections to known-good CIDR ranges — CIDR being the notation for specifying blocks of IP addresses. At the cloud level — enable IMDSv2 — the newer version of the cloud Instance Metadata Service — on every instance, which requires a token that SSRF typically can’t obtain.

Dan: What’s DNS rebinding? That sounds like it bypasses the IP validation you just described.

Alice: It does, if you’re not careful. The attacker controls a DNS server. First lookup returns a public IP — passes your validation. Second lookup — when your server actually connects — returns 169.254.169.254 or whatever internal target they want. The fix is: resolve once, pin the IP, validate it, and connect to that specific IP address. Don’t let the DNS resolve again between check and use.

Dan: OK, now the other side — inbound webhook forgery. How do you verify a webhook is legitimate?

Alice: HMAC signature verification — HMAC stands for Hash-based Message Authentication Code, a way of computing a fingerprint of a message using a secret key so you can verify both who sent it and that nothing was tampered with. The sending platform and your system share a secret key, established during integration setup. Every webhook request includes a signature header — that’s the HMAC-SHA256 of the raw request body computed with the shared secret. You recompute the HMAC on your side and compare. If they match, the sender possessed the secret. Use constant-time comparison — meaning your code takes the same amount of time to respond whether the signature is almost right or completely wrong — to prevent timing attacks, where an attacker measures tiny differences in response time to guess the correct signature one character at a time.

Dan: And the timestamp piece?

Alice: Critical. Without timestamps, a valid webhook can be replayed forever. Stripe’s model is the gold standard — the timestamp is included in the signed payload, so it can’t be modified independently. You reject any webhook where the timestamp is more than five minutes from your server’s clock. That gives you a narrow window for network delays while preventing replay attacks.

Dan: What happens in legal tech specifically if webhook verification is missing?

Alice: Scenario one — your e-filing integration accepts unverified callbacks. An attacker sends a forged "filing accepted" notification for a document that was actually rejected by the court. The lawyer thinks their motion was filed. It wasn’t. They miss the deadline. Scenario two — payment processor webhooks. A forged "payment received" notification marks a retainer as funded when no money actually moved. The firm starts work on an unfunded matter.

Dan: Both of those are genuinely harmful. Not theoretical at all.

Alice: And scenario three — e-discovery. A notification arrives saying a production set is ready for download at a specific URL. If that URL is attacker-controlled, either your server fetches malicious content, or the request headers you send — which might include auth tokens — get captured by the attacker. That’s the SSRF connection. The webhook is the entry point; the outbound fetch is the exploit.

Dan: So the two threats are actually deeply connected.

Alice: Exactly. They compound each other. Unverified inbound webhooks can contain URLs that trigger SSRF when your server processes them. You need both controls — verify the webhook came from who it claims, and validate any URLs in the payload before fetching them.

Dan: What’s the practical implementation look like? Give me the checklist.

Alice: Five things. One — every webhook endpoint verifies HMAC signatures with constant-time comparison. Two — timestamps checked, reject anything outside a five-minute window. Three — idempotency keys — unique identifiers stored so replayed webhooks are detected and ignored. Four — any URL in a webhook payload goes through DNS resolution, IP validation, and egress allowlisting before your server fetches it. Five — log everything. Source IP, signature validity, processing result. When something goes wrong, the logs are how you reconstruct what happened.

Dan: And for teams building on cloud infrastructure?

Alice: IMDSv2 on every instance — non-negotiable. VPC egress rules restricting outbound traffic to known integration endpoints. And if you’re using a webhook delivery platform like Svix or a managed gateway, let it handle the signature verification infrastructure so your application code doesn’t have to reimplement crypto primitives.

Dan: Next episode we’re covering browser security headers — CORS, CSRF, CSP — the alphabet soup that protects your users’ browsers.

Alice: Where misconfigured headers turn your client’s browser into the attack vector. Until then, I’m Alice.

Dan: And I’m Dan.

Alice: Security for Legal SaaS is a series written with AI assistance. Alice and Dan are AI-generated voices — no professional advice here, just education.

Security for Legal SaaS is a series written with AI assistance. Alice and Dan are AI-generated voices — no professional advice here, just education.