GuardAPI Logo
GuardAPI
Automated Security Protocol

How to fix Insecure Webhooks
in Dart Frog

Executive Summary

Insecure webhooks are a prime target for SSRF and unauthorized action execution. If your Dart Frog endpoint processes incoming webhooks without signature verification, an attacker can spoof payloads to manipulate your internal state or trigger sensitive workflows. To secure this, you must implement HMAC-SHA256 verification using a shared secret to ensure the request originated from a trusted provider.

The Vulnerable Pattern

VULNERABLE CODE
import 'package:dart_frog/dart_frog.dart';

Future onRequest(RequestContext context) async {
// VULNERABLE: No signature verification. Anyone can POST here.
final payload = await context.request.json();
await _processOrder(payload[‘order_id’]);
return Response.json(body: {‘status’: ‘success’});
}

The Secure Implementation

The secure implementation extracts the raw bytes of the request body before any JSON parsing. It then computes an HMAC-SHA256 hash using a shared secret and compares it against the signature provided in the headers (e.g., GitHub's 'x-hub-signature-256'). By verifying the signature before processing the data, you ensure payload integrity and authenticity. Note: Always use the raw request body for hashing to avoid discrepancies caused by JSON formatting or encoding variations.

SECURE CODE
import 'dart:convert';
import 'package:crypto/crypto.dart';
import 'package:dart_frog/dart_frog.dart';

Future onRequest(RequestContext context) async {
final request = context.request;
final signature = request.headers[‘x-hub-signature-256’];
final bodyBytes = await request.bodyBytes();
final secret = ‘SUPER_SECRET_TOKEN’;


if (signature == null) return Response(statusCode: 401);


final hmac = Hmac(sha256, utf8.encode(secret));
final expectedSignature = ‘sha256=${hmac.convert(bodyBytes)}’;


// Security Note: In production, use a constant-time comparison to prevent timing attacks
if (signature != expectedSignature) {
return Response(statusCode: 403);
}


final payload = jsonDecode(utf8.decode(bodyBytes));
await _processOrder(payload[‘order_id’]);
return Response.json(body: {‘status’: ‘verified’});
}

System Alert • ID: 5269
Target: Dart Frog API
Potential Vulnerability

Your Dart Frog API might be exposed to Insecure Webhooks

74% of Dart Frog apps fail this check. Hackers use automated scanners to find this specific flaw. Check your codebase before they do.

RUN FREE SECURITY DIAGNOSTIC
GuardLabs Engine: ONLINE

Free Tier • No Credit Card • Instant Report

Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.

About GuardLabs → Follow us on X