GuardAPI

Fix Insecure Webhooks in Echo

Webhooks are essentially unauthenticated POST endpoints unless you implement cryptographic verification. In the Echo framework, failing to verify the source of a webhook allows an attacker to spoof events, bypass business logic, and inject malicious data. To secure them, you must implement HMAC signature verification using a shared secret and ensure constant-time comparisons to prevent timing attacks.

The Vulnerable Pattern

e.POST("/api/webhook", func(c echo.Context) error {
	var payload map[string]interface{}
	if err := c.Bind(&payload); err != nil {
		return err
	}
	// CRITICAL: No signature verification. 
	// Anyone can POST malicious data to this endpoint.
	processEvent(payload)
	return c.NoContent(http.StatusOK)
})

The Secure Implementation

The secure implementation follows three mandatory steps:

1. It reads the raw request body before Echo's binder consumes it (and restores it so Bind can still run afterwards).
2. It computes an HMAC-SHA256 tag over that raw body using a pre-shared secret.
3. It compares the signature supplied by the sender against the computed tag with subtle.ConstantTimeCompare.

The constant-time comparison prevents timing attacks in which an attacker recovers a valid signature byte by byte from differences in server response time.

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"io"
	"net/http"
	"os"

	"github.com/labstack/echo/v4" // Echo v4 assumed
)

e.POST("/api/webhook", func(c echo.Context) error {
	secret := []byte(os.Getenv("WEBHOOK_SECRET"))
	if len(secret) == 0 {
		// An empty key makes the HMAC trivially forgeable; refuse to run without one.
		return echo.ErrInternalServerError
	}
	signature := c.Request().Header.Get("X-Hub-Signature-256")
	if signature == "" {
		return echo.ErrUnauthorized
	}

	// Step 1: read the raw body before the binder consumes it, then put it back.
	body, err := io.ReadAll(c.Request().Body)
	if err != nil {
		return echo.ErrBadRequest
	}
	c.Request().Body = io.NopCloser(bytes.NewBuffer(body))

	// Step 2: HMAC-SHA256 over the exact bytes the sender signed.
	h := hmac.New(sha256.New, secret)
	h.Write(body)
	expectedMAC := "sha256=" + hex.EncodeToString(h.Sum(nil))

	// Step 3: constant-time comparison so timing does not leak matching bytes.
	if subtle.ConstantTimeCompare([]byte(signature), []byte(expectedMAC)) != 1 {
		return echo.ErrUnauthorized
	}

	var payload map[string]interface{}
	if err := c.Bind(&payload); err != nil {
		return err
	}
	processEvent(payload)
	return c.NoContent(http.StatusOK)
})
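The following is an added, self-contained example (not code from the GuardAPI page) that implements the same three steps with only the Go standard library, using a net/http middleware instead of an Echo handler so it can be compiled and exercised without any third-party dependency. It goes slightly beyond the page's handler in two ways: the body read is bounded so an unauthenticated caller cannot make the server buffer an unlimited payload, and the header value is hex-decoded before comparison so the constant-time check runs over the raw MAC bytes (hmac.Equal wraps subtle.ConstantTimeCompare). All names here (maxBodyBytes, SignPayload, VerifySignature, RequireWebhookSignature, Deliver, eventHandler), the secret and the JSON payload are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// maxBodyBytes caps how much of a webhook body is buffered before the
// signature is verified (assumed limit for this example).
const maxBodyBytes = 1 << 20

// SignPayload produces the "sha256=<hex>" value a sender puts in the
// X-Hub-Signature-256 header. Used here only to build test deliveries.
func SignPayload(secret, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return "sha256=" + hex.EncodeToString(mac.Sum(nil))
}

// VerifySignature checks a "sha256=<hex>" header against the raw body.
// The hex is decoded first, so the comparison covers the MAC bytes
// themselves, and hmac.Equal performs it in constant time.
func VerifySignature(secret, body []byte, header string) bool {
	const prefix = "sha256="
	if len(secret) == 0 || !strings.HasPrefix(header, prefix) {
		return false
	}
	got, err := hex.DecodeString(header[len(prefix):])
	if err != nil || len(got) != sha256.Size {
		return false
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return hmac.Equal(got, mac.Sum(nil))
}

// RequireWebhookSignature reads the raw body (bounded), verifies it, and
// restores it so the wrapped handler can decode it as usual.
func RequireWebhookSignature(secret []byte, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, err := io.ReadAll(io.LimitReader(r.Body, maxBodyBytes+1))
		if err != nil || len(body) > maxBodyBytes {
			http.Error(w, "payload too large", http.StatusRequestEntityTooLarge)
			return
		}
		if !VerifySignature(secret, body, r.Header.Get("X-Hub-Signature-256")) {
			http.Error(w, "invalid signature", http.StatusUnauthorized)
			return
		}
		r.Body = io.NopCloser(bytes.NewReader(body))
		next.ServeHTTP(w, r)
	})
}

// eventHandler is the business logic that must only ever see verified events.
func eventHandler(w http.ResponseWriter, r *http.Request) {
	var payload map[string]interface{}
	if err := json.NewDecoder(r.Body).Decode(&payload); err != nil {
		http.Error(w, "bad json", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// Deliver pushes a constructed webhook through the middleware in-process
// and returns the resulting HTTP status code.
func Deliver(secret []byte, body []byte, signature string) int {
	h := RequireWebhookSignature(secret, http.HandlerFunc(eventHandler))
	req := httptest.NewRequest(http.MethodPost, "/api/webhook", bytes.NewReader(body))
	if signature != "" {
		req.Header.Set("X-Hub-Signature-256", signature)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	secret := []byte("constructed-test-secret") // placeholder; real code reads WEBHOOK_SECRET from the environment
	body := []byte(`{"event":"push","ref":"refs/heads/main"}`)
	tampered := []byte(`{"event":"push","ref":"refs/heads/attacker"}`)
	fmt.Println("valid   :", Deliver(secret, body, SignPayload(secret, body)))     // 200
	fmt.Println("tampered:", Deliver(secret, tampered, SignPayload(secret, body))) // 401
	fmt.Println("unsigned:", Deliver(secret, body, ""))                            // 401
}
```

Two design points worth noting: the middleware rejects an oversized body before computing anything, so the cost of an unauthenticated request is bounded, and rejecting any header whose decoded length is not sha256.Size means a malformed or truncated signature never reaches the comparison at all.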


Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.