Webhooks — HTTP callbacks that notify your application of events in external systems (payment confirmations, order updates, CI/CD triggers) — are frequently under-secured. Testing covers: webhook signature verification (does your application validate that webhooks genuinely come from the claimed source?), replay attack prevention (can old webhooks be re-sent to trigger duplicate actions?), webhook endpoint authentication, payload validation (is webhook data trusted without sanitisation?), and idempotency (does your application handle duplicate webhook deliveries safely?).
Technical
API Webhook Security: Verifying Callback Authenticity and Preventing Spoofing for Portuguese-speaking companies
Webhooks deliver event notifications to your application. If they are not properly secured, attackers can spoof webhooks to manipulate your system. Guidance for the PT market.