How to fix Insecure Webhooks
in Salvo
Executive Summary
Webhooks are the soft underbelly of modern APIs. In Salvo, failing to verify the origin of a webhook payload is a critical flaw that allows attackers to inject arbitrary events, bypass billing, or trigger unauthorized workflows. If you aren't validating HMAC signatures, your application is effectively trusting any POST request from the open internet as a legitimate command.
The Vulnerable Pattern
use salvo::prelude::*;#[handler] async fn handle_webhook(req: &mut Request, res: &mut Response) { // VULNERABILITY: Implicit trust of the request body. // An attacker can forge this JSON to trigger internal logic. let payload = req.parse_json::<serde_json::Value>().await.unwrap();
println!("Processing untrusted event: {:?}", payload); res.render("Event Processed");
}
The Secure Implementation
The fix implements cryptographic origin verification using HMAC-SHA256. Instead of immediately parsing the JSON, we intercept the raw request payload. We use a shared secret (stored in environment variables, never hardcoded) to compute a hash of the body. We then compare this hash against the signature provided in the request headers (e.g., X-Hub-Signature-256). If they do not match, the request is rejected with a 401 Unauthorized, preventing 'Webhook Spoofing' attacks.
use salvo::prelude::*; use hmac::{Hmac, Mac}; use sha2::Sha256; use hex;type HmacSha256 = Hmac
; #[handler] async fn handle_webhook(req: &mut Request, res: &mut Response) { let secret = std::env::var(“WEBHOOK_SECRET”).expect(“SECRET NOT SET”); let signature = req.headers().get(“X-Hub-Signature-256”).and_then(|v| v.to_str().ok());
// Read raw body for verification before parsing let body = req.payload().await.unwrap_or_default(); let mut mac = HmacSha256::new_from_slice(secret.as_bytes()).expect("HMAC can take key of any size"); mac.update(body); let result = mac.finalize().into_bytes(); let expected_sig = format!("sha256={}", hex::encode(result)); match signature { Some(sig) if sig == expected_sig => { // Only now is it safe to parse and process let payload: serde_json::Value = serde_json::from_slice(body).unwrap(); res.render(format!("Verified: {}", payload["id"])); } _ => { res.status_code(StatusCode::UNAUTHORIZED).render("Invalid Signature"); } }
}
Your Salvo API
might be exposed to Insecure Webhooks
74% of Salvo apps fail this check. Hackers use automated scanners to find this specific flaw. Check your codebase before they do.
Free Tier • No Credit Card • Instant Report
Verified by Ghost Labs Security Team
This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.