Can a webhook carry an HMAC? | Community
September 6, 2018
Solved

Can a webhook carry an HMAC?

  • September 6, 2018
  • 1 reply
  • 2921 views

I'd like to have an outbound webhook hit a REST API endpoint in such a way that doesn't leave the API vulnerable to modified content or replay attacks. In other contexts, I'm making stateless requests to the API with an HMAC signature. Is there any chance I could do something similar in a Marketo webhook?

Thanks!

Adam


1 reply

SanfordWhiteman (Accepted solution)
New Participant
September 6, 2018

No, webhooks cannot automatically carry a signature. You can of course gateway through another layer that does the signing -- but then the connection to that layer could in theory be hijacked.

September 6, 2018

Thanks, Sanford. Are there any other recommendations out there for how to authenticate a webhook more securely than including static credentials in a header or payload?

SanfordWhiteman
New Participant
September 6, 2018

You could create a time-sensitive hash using another webhook (on another endpoint, thus not exactly the same as the gateway idea). Then, triggering on the Data Value Changes on that hash field, pass that hash along with the second webhook call.

Again, though, that initial connection could -- across the wide world of theoretical attacks -- be compromised.

If you're deeply concerned that the SSL connection between your Marketo instance and your endpoint will be hijacked and decrypted for a replay attack, maybe webhooks aren't right for you? There's a certain level of connection-level confidence one needs to have to use 'hooks, or the Marketo REST API for that matter (which doesn't sign payloads), or the SFDC sync (uses a permanent password+token), or the Marketo UI (auth codes are effectively in-band, as they're retrieved on the same machine that initiated the login, so if you can hijack one you can hijack the other)...
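The thread mentions two related ideas without showing either: the original question's HMAC-signed stateless requests that resist modified content and replay, and the later suggestion of a time-sensitive hash passed along with the webhook call. The following is an added example, not code from the thread, from Marketo, or from the signing gateway discussed; it shows what a signing layer in front of a webhook and the receiving endpoint would each do. The header names (`X-Timestamp`, `X-Nonce`, `X-Signature`), the shared secret, and the 300-second freshness window are assumptions chosen for illustration.

```python
"""Added example: HMAC-signed webhook delivery with replay protection.

Sender side (what a signing gateway would do): bind a timestamp, a random
nonce and the body under one HMAC-SHA256 tag. Receiver side: recompute the
tag in constant time, reject stale timestamps, and reject reused nonces.
"""
import hashlib
import hmac
import json
import secrets
import time

# Hypothetical shared secret; a real deployment loads it from a secret store.
SHARED_SECRET = b"example-shared-secret-do-not-use"
MAX_SKEW_SECONDS = 300  # assumed freshness window: +/- 5 minutes


def canonical_string(timestamp: int, nonce: str, body: bytes) -> bytes:
    """Join timestamp, nonce and body so none can be altered independently."""
    return b"%d.%s." % (timestamp, nonce.encode()) + body


def sign_webhook(body: bytes, secret: bytes = SHARED_SECRET, now=None) -> dict:
    """Sender side: return the headers the signing layer would attach."""
    ts = int(time.time()) if now is None else now
    nonce = secrets.token_hex(16)
    tag = hmac.new(secret, canonical_string(ts, nonce, body), hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(ts), "X-Nonce": nonce, "X-Signature": tag}


class WebhookVerifier:
    """Receiver side: verifies one delivery and remembers nonces it has accepted."""

    def __init__(self, secret: bytes = SHARED_SECRET, max_skew: int = MAX_SKEW_SECONDS):
        self.secret = secret
        self.max_skew = max_skew
        self.seen_nonces = {}  # nonce -> timestamp; single-process replay cache

    def _expire_nonces(self, now: int) -> None:
        # Nonces older than the window can be dropped: a replay that old fails
        # the timestamp check anyway, so the cache stays bounded.
        cutoff = now - self.max_skew
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items() if t >= cutoff}

    def verify(self, headers: dict, body: bytes, now=None):
        """Return (ok, reason). Order: signature, then freshness, then nonce reuse."""
        now = int(time.time()) if now is None else now
        try:
            ts = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            presented = headers["X-Signature"]
        except (KeyError, ValueError):
            return False, "missing or malformed signature headers"
        expected = hmac.new(self.secret, canonical_string(ts, nonce, body),
                            hashlib.sha256).hexdigest()
        # compare_digest avoids leaking the match position through timing.
        if not hmac.compare_digest(expected, presented):
            return False, "bad signature"
        if abs(now - ts) > self.max_skew:
            return False, "stale timestamp"
        self._expire_nonces(now)
        if nonce in self.seen_nonces:
            return False, "replayed nonce"
        self.seen_nonces[nonce] = ts
        return True, "ok"


def demo():
    """Walk through a fresh delivery, a tampered body, a replay and a stale copy."""
    body = json.dumps({"email": "lead@example.com", "score": 42}).encode()  # constructed
    sent_at = 1_000_000
    headers = sign_webhook(body, now=sent_at)
    verifier = WebhookVerifier()
    results = {
        "fresh": verifier.verify(headers, body, now=sent_at + 10),
        "tampered": verifier.verify(headers, body + b" ", now=sent_at + 10),
        "replay": verifier.verify(headers, body, now=sent_at + 10),
        "stale": WebhookVerifier().verify(headers, body, now=sent_at + 301),
    }
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:9s} -> {outcome}")
```

The receiver checks the signature before anything else so that an unsigned request cannot probe the nonce cache, and the nonce cache here is in-process only; behind several receiver instances it would need shared storage such as a database or cache keyed on the nonce.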