Expected Findings
- Webhook accepts events without `Stripe-Signature` headers.
- Signature comparison uses `==` and is timing-attackable.
- Webhook secret is the same in test and production.
The Stripe webhook handler skips signature verification entirely when the `Stripe-Signature` header is missing, and when the header is present it compares the signature with a plain `==` string comparison, which is not constant-time.
if (sig && sig == expected) ok(); else ok(); // vulnerable: missing header == valid, and == is not constant-time