Eventbrite API webhook security


auzeb....@rallyteam.com

Jun 13, 2016, 4:17:10 PM6/13/16
to Eventbrite API
Hey,

I am looking to use webhooks to subscribe to actions about an event.

Is there any way to validate the webhook notification to ensure that the webhook is indeed from the intended sender (Eventbrite API)? E.g. GitHub includes an ‘X-Hub-Signature’ HTTP header with a hash of the request body which is checked by the receiver.

Thanks!
Auzeb
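The GitHub-style check the question refers to, as an added example that is not part of the thread and not Eventbrite's code: the sender computes an HMAC over the raw request body with a secret shared at registration time, and the receiver recomputes it and compares in constant time. The header name, the secret and the sample body are assumptions constructed for this example; the thread's replies confirm Eventbrite did not send such a header.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample values for this example (hypothetical secret; body shaped like the thread's payload).
SHARED_SECRET = b"example-webhook-secret"
SAMPLE_BODY = b'{"api_url": "https://www.eventbriteapi.com/v3/orders/523502780/"}'
SIGNATURE_HEADER = "X-Hub-Signature-256"   # assumed header name, modelled on GitHub's scheme


def sign_body(secret: bytes, body: bytes) -> str:
    """What the sender would attach: 'sha256=' followed by the hex HMAC-SHA256 of the raw body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, header_value: Optional[str]) -> bool:
    """Receiver-side check over the raw request bytes (not re-serialised JSON).

    Any missing or malformed header yields False so the handler can reject the request;
    hmac.compare_digest keeps the comparison constant-time regardless of where it differs.
    """
    if not header_value:
        return False
    algo, sep, received = header_value.partition("=")
    if sep != "=" or algo != "sha256":
        return False
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    # Compare as bytes so a non-ASCII header value cannot make compare_digest raise.
    return hmac.compare_digest(expected.encode(), received.encode())


def handle_request(headers: dict, body: bytes) -> bool:
    """Accept (True) or reject (False) one delivery given its headers and raw body."""
    return verify_signature(SHARED_SECRET, body, headers.get(SIGNATURE_HEADER))
```

The body must be the exact bytes received; re-serialising the parsed JSON before hashing changes whitespace and key order and makes valid deliveries fail. A scheme like this only helps once the sender actually signs, which is why the thread's later replies fall back on fetching the data from the API instead of trusting the notification.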

Eventbrite API

Jun 13, 2016, 5:03:59 PM6/13/16
to Eventbrite API
Hi Auzeb,

The request payload for one of our webhooks will look something like this:

{
  "api_url": "https://www.eventbriteapi.com/v3/orders/523502780/",
  "config": {
    "action": "order.placed",
    "endpoint_url": "http://yoururlhere.org/src/eventbrite.php",
    "user_id": "1548223516143",
    "webhook_id": "157236"
  }
}

The 'api_url' field should work for you.

auzeb....@rallyteam.com

Jun 13, 2016, 6:00:16 PM6/13/16
to Eventbrite API
Hey,

The api_url can be faked by some other malicious application as well, since it's part of the request payload. What I am looking for is a way to ensure that it is a call from the Eventbrite API, for security purposes.

Thanks!

Auzeb

mano...@alvarum.com

Sep 8, 2016, 11:13:34 AM9/8/16
to Eventbrite API
Hi,

I agree that this is not a valid solution to ensure that the request really comes from Eventbrite.

Webhook callbacks usually lead to some update of data in the information system. So, we need to ensure in any way that the originator of the request is the expected one (aka Eventbrite).

One way to perform such a thing would be to be able to provide a basic authentication token when we setup a new webhook. This basic auth token would be then used each time a webhook callback is triggered by Eventbrite.

Kevin Cooper

Oct 10, 2016, 12:16:41 AM10/10/16
to Eventbrite API
Well, the webhook is just an event notification and doesn't really provide much data.

make sure you are only accessing the real api to pull down any updated data in response to the webhook and you should be all good.

It won't stop a DOS, but at least you can ensure your data is correct.

Benjamin Roedell

Aug 22, 2024, 2:48:45 PM8/22/24
to Eventbrite Developers
Can we reduce the chances of a DOS by checking the source IP? For example, this article lists various IP addresses to be whitelisted: https://www.eventbrite.com/help/en-us/articles/642937/did-my-email-send-invitations-order-confirmations-reminders/. Are these IP addresses the same ones from which webhook calls will come? Can the list (or range) of IP addresses from which webhooks will come be documented somewhere?
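The three receiver-side measures raised across the thread (a shared Basic-auth token supplied at registration, treating the notification only as a pointer and fetching the real data from the API, and an allowlist on the source address) combined into one handler, as an added example that is neither the thread's nor Eventbrite's code. The username, token, source range (a TEST-NET-3 placeholder, not a documented Eventbrite range) and sample payload are constructed assumptions; the only value taken from the thread is the shape of the payload and its `api_url` host.

```python
import base64
import binascii
import hmac
import ipaddress
import json
from typing import Optional
from urllib.parse import urlsplit

# Hypothetical receiver configuration (constructed for this example; not Eventbrite's real values).
EXPECTED_USER = "hook"
EXPECTED_TOKEN = "example-shared-token"     # the token you would choose when registering the endpoint
API_HOST = "www.eventbriteapi.com"          # the only host api_url may point at (from the thread's sample)
API_PREFIX = "/v3/"
# Placeholder source range (TEST-NET-3); replace with the documented sender range once it is published.
ALLOWED_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample payload with the structure shown in the thread.
SAMPLE_BODY = json.dumps({
    "api_url": "https://www.eventbriteapi.com/v3/orders/523502780/",
    "config": {"action": "order.placed", "webhook_id": "157236"},
})


def source_allowed(remote_ip: str) -> bool:
    """Allowlist check on the connecting address; limits who can reach the handler at all."""
    try:
        addr = ipaddress.ip_address(remote_ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_SOURCES)


def basic_header(user: str, password: str) -> str:
    """Build an HTTP Basic Authorization value (used here to construct test requests)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def token_matches(authorization: Optional[str]) -> bool:
    """Check the per-webhook Basic-auth secret with constant-time comparison."""
    if not authorization or not authorization.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(authorization[len("Basic "):], validate=True).decode()
    except (binascii.Error, UnicodeDecodeError):
        return False
    user, sep, password = decoded.partition(":")
    if not sep:
        return False
    return (hmac.compare_digest(user.encode(), EXPECTED_USER.encode())
            and hmac.compare_digest(password.encode(), EXPECTED_TOKEN.encode()))


def canonical_resource(api_url: str) -> Optional[str]:
    """Accept api_url only if it points at the real API, and return a URL rebuilt from constants.

    The payload is untrusted, so scheme, host, port, userinfo, query and path are all checked
    and the URL is reassembled from API_HOST rather than fetched as received, so a forged
    notification cannot steer the receiver to another server.
    """
    try:
        parts = urlsplit(api_url)
        port = parts.port
    except ValueError:
        return None
    if parts.scheme != "https" or parts.hostname != API_HOST or port not in (None, 443):
        return None
    if parts.username is not None or parts.query or parts.fragment:
        return None
    path = parts.path
    segments = path.strip("/").split("/")
    if not path.startswith(API_PREFIX) or any(seg in ("", ".", "..") for seg in segments):
        return None
    return f"https://{API_HOST}{path}"


def accept_webhook(remote_ip: str, authorization: Optional[str], body: str) -> Optional[str]:
    """Return the API URL to fetch with your own API token, or None to drop the notification.

    The notification is only a hint that something changed; the order data itself is read
    from the API, so a forged payload can at most trigger an extra fetch.
    """
    if not source_allowed(remote_ip) or not token_matches(authorization):
        return None
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        return None
    api_url = payload.get("api_url") if isinstance(payload, dict) else None
    if not isinstance(api_url, str):
        return None
    return canonical_resource(api_url)
```

Ordering matters for the DOS concern in the thread: the address check and the token check run before the body is parsed, so a flood from an unexpected source is rejected without JSON work or an API round trip. The token only helps if the sender can be configured to present it; until then the address allowlist and the rebuilt-URL fetch are the parts a receiver can enforce on its own.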