GuardAPI Logo
GuardAPI

Fix Insecure Webhooks in FuelPHP

Webhooks are often the weakest link in your API's perimeter. In FuelPHP, failing to verify the payload signature allows attackers to spoof events, leading to unauthorized state changes or logic bypasses. If your endpoint doesn't validate the source via a cryptographic handshake, it's a wide-open door for exploitation.

The Vulnerable Pattern

class Controller_Webhook extends Controller {
    public function post_receive() {
        // VULNERABLE: Direct consumption of POST data without origin verification
        $data = Input::post();
        $order_id = $data['id'];
        $status = $data['status'];

    $order = Model_Order::find($order_id);
    $order->status = $status;
    $order->save();

    return $this->response(['status' => 'success']);
}


}

The Secure Implementation

The vulnerability stems from trusting the HTTP POST body implicitly. To secure the webhook: 1. Fetch the raw request body using Input::body() instead of Input::post() to ensure the data hasn't been modified by Fuel's internal sanitization before verification. 2. Retrieve the provider's signature from the headers. 3. Calculate a local HMAC using a shared secret key. 4. Use PHP's hash_equals() for constant-time comparison, which mitigates timing side-channel attacks that could otherwise leak the signature byte-by-byte.

class Controller_Webhook extends Controller {
    public function post_receive() {
        $signature = Input::headers('X-Webhook-Signature');
        $payload = Input::body(); // Get raw body for hash consistency
        $secret = \Config::get('app.webhook_secret');

    if (!$signature || !$payload) {
        return $this->response(['error' => 'Unauthorized'], 401);
    }

    // Compute HMAC-SHA256 using the shared secret
    $computed = hash_hmac('sha256', $payload, $secret);

    // Use hash_equals to prevent timing attacks
    if (!hash_equals($signature, $computed)) {
        return $this->response(['error' => 'Invalid signature'], 403);
    }

    $data = json_decode($payload, true);
    // Proceed with business logic on verified data...
    return $this->response(['status' => 'verified']);
}


}

System Alert • ID: 7493
Target: FuelPHP API
Potential Vulnerability

Your FuelPHP API might be exposed to Insecure Webhooks

74% of FuelPHP apps fail this check. Hackers use automated scanners to find this specific flaw. Check your codebase before they do.

RUN FREE SECURITY DIAGNOSTIC
GuardLabs Engine: ONLINE

Free Tier • No Credit Card • Instant Report

Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.

About GuardLabs → Follow us on X