Waebs
October 31, 2018, 5:37pm
1
Hi,
We can’t manage to match the X-Signature on our side.
Here is our method:
[HttpPost]
[Route("settings/refresh")]
public async Task<IActionResult> RefreshSettingsAsync([FromHeader(Name = "X-Signature")] string XSignature)
{
    if (!XSignature.IsNotEmpty())
        return BadRequest("X-Signature missing");

    using (var reader = new StreamReader(Request.Body))
    {
        var body = await reader.ReadToEndAsync();
        string hashedSecret = (AppSettings.Value.Data.AppSecretKey + body).Sha256Base64();
        if (hashedSecret != XSignature)
        {
            return BadRequest("Secrets are not matching");
        }
    }

    applicationLifetime.StopApplication();
    return Ok("App was restarted...");
}
which always returns hashedSecret != XSignature
How is the hash computed on your side?
Can you confirm: Base64(Sha256(RequestBody + Secret))?
Any help?
I’m submitting a…
[ ] Regression (a behavior that stopped working in a new release)
[x] Bug report
[ ] Performance issue
[ ] Documentation issue or request
Environment
[ ] Self hosted with version docker
[ ] Self hosted with IIS
[ ] Self hosted with other version
[x] Cloud version
What I see is that you changed the order of the secret and the body.
This is my implementation:
protected override (string Description, WebhookJob Data) CreateJob(EnrichedEvent @event, WebhookAction action)
{
    var requestBody = ToEnvelopeJson(@event);
    var requestUrl = Format(action.Url, @event);
    var ruleDescription = $"Send event to webhook '{requestUrl}'";
    var ruleJob = new WebhookJob
    {
        RequestUrl = Format(action.Url.ToString(), @event),
        RequestSignature = $"{requestBody}{action.SharedSecret}".Sha256Base64(),
        RequestBody = requestBody
    };
    return (ruleDescription, ruleJob);
}
protected override async Task<(string Dump, Exception Exception)> ExecuteJobAsync(WebhookJob job)
{
    using (var httpClient = httpClientFactory.CreateClient())
    {
Can you share your Sha256Base64 method?
using System;
using System.Security.Cryptography;
using System.Text;

namespace Squidex.Infrastructure
{
    public static class RandomHash
    {
        public static string New()
        {
            return Guid.NewGuid().ToString().Sha256Base64().Replace("+", "x");
        }

        // Base64(SHA256(UTF-8 bytes of value))
        public static string Sha256Base64(this string value)
        {
            using (var sha = SHA256.Create())
            {
                var bytesValue = Encoding.UTF8.GetBytes(value);
                var bytesHash = sha.ComputeHash(bytesValue);
                var result = Convert.ToBase64String(bytesHash);
                return result;
            }
        }
    }
}
Waebs
November 1, 2018, 11:44am
3
My method is exactly the same as yours. I even made a test with a copy of your code. I still get different hashes…
That’s weird!
One thing that was definitely different is:
(AppSettings.Value.Data.AppSecretKey + body).Sha256Base64()
vs
$"{requestBody}{action.SharedSecret}".Sha256Base64(),
so hash and body are concatenated in different orders.
Waebs
November 1, 2018, 3:56pm
5
Solved!
String + string !== $(string string)
Good to know.
Really? Is it not the order that is the problem? Have you tested
(body + AppSettings.Value.Data.AppSecretKey).Sha256Base64()
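The scheme quoted in the thread, Base64(SHA256(requestBody + sharedSecret)), seen from the receiving side. This is an added example, not code from the original posts or from Squidex; the class name, method names, secret and body are constructed for illustration, and `CryptographicOperations.FixedTimeEquals` assumes .NET Core 2.1 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not Squidex code. Scheme as quoted in the thread:
// X-Signature = Base64(SHA256(UTF8(requestBody + sharedSecret))).
public static class WebhookSignatureCheck
{
    // Hashes first + second, in that order, and Base64-encodes the digest.
    public static string Compute(string first, string second)
    {
        using (var sha = SHA256.Create())
        {
            var hash = sha.ComputeHash(Encoding.UTF8.GetBytes(first + second));
            return Convert.ToBase64String(hash);
        }
    }

    public static bool IsValid(string rawBody, string sharedSecret, string headerValue)
    {
        if (string.IsNullOrEmpty(headerValue)) return false;

        byte[] received;
        try { received = Convert.FromBase64String(headerValue); }
        catch (FormatException) { return false; } // header is not valid Base64

        // Body first, then secret: the same order as the sender's CreateJob.
        var expected = Convert.FromBase64String(Compute(rawBody, sharedSecret));
        // Fixed-time comparison: does not reveal how many leading bytes matched.
        return CryptographicOperations.FixedTimeEquals(expected, received);
    }

    public static void Main()
    {
        // Constructed sample values, not taken from the thread.
        const string secret = "example-shared-secret";
        const string body = "{\"type\":\"ContentPublished\"}";
        var header = Compute(body, secret); // what the sender would put in X-Signature

        Console.WriteLine("body + secret valid:    " + IsValid(body, secret, header));
        // Secret-first concatenation (as in the first post) hashes a different string.
        Console.WriteLine("secret + body matches:  " + (Compute(secret, body) == header));
        // The hash covers the body exactly as received; a re-serialized body no longer matches.
        Console.WriteLine("re-serialized body:     " + IsValid("{ \"type\": \"ContentPublished\" }", secret, header));
        Console.WriteLine("malformed header valid: " + IsValid(body, secret, "not base64!"));
    }
}
```

Only the first check succeeds; the receiver has to hash the request body exactly as it arrived, before any model binding or JSON re-serialization.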