Webhook Abuse in Feathersjs with Basic Auth

FeathersJS is a framework for building REST and real-time APIs. When webhooks are configured in a FeathersJS service, the framework can trigger external HTTP callbacks based on events such as created, updated, or patched. If these webhooks rely solely on Basic Auth for authentication and are exposed to unauthenticated endpoints, the API’s unauthenticated attack surface can be abused.

Basic Auth transmits credentials in an HTTP header that is base64-encoded, not encrypted. When a FeathersJS webhook is defined to use Basic Auth without additional protections, an attacker who can influence or observe the webhook request may attempt credential theft or replay. Because the scan tests unauthenticated endpoints, it can detect whether a webhook-triggered endpoint accepts requests without requiring a prior authenticated session, and whether Basic Auth credentials are embedded in client-side code or logs.

An example misconfiguration: a FeathersJS service registers a webhook that calls an external endpoint with Basic Auth headers, but the service itself does not enforce authentication on the initiating endpoint. This can allow unauthenticated actors to trigger event flows that cause the webhook to fire repeatedly, leading to credential exposure through logs, or to elicit unintended actions at the webhook destination if the external endpoint has weaker authorization controls.

During a scan, middleBrick checks whether webhook-related endpoints are reachable without authentication and whether credentials are at risk of exposure. The LLM/AI Security checks specifically probe for system prompt leakage and prompt injection that might occur if an attacker manipulates inputs that reach logging or error-reporting mechanisms tied to webhook handling. Findings will indicate whether authentication is missing, whether Basic Auth is used without transport protection, and whether sensitive data could be exfiltrated through error messages or logs.

To secure webhooks in FeathersJS while using Basic Auth, ensure that the initiating endpoints require authentication and that credentials are never exposed to clients or logs. Use server-side hooks to validate sessions and to inject credentials securely when calling external webhook targets.

Below is a concrete example of a FeathersJS service hook that adds Basic Auth headers to an outgoing webhook request only after verifying that the request is authenticated. The example uses the @feathersjs/authentication and @feathersjs/express packages.

// src/hooks/webhook-auth.hook.js
const axios = require('axios');
const { AuthenticationError } = require('@feathersjs/errors');

module.exports = function webhookAuthHook(options = {}) {
  return async context => {
    const { params } = context;
    // Ensure there is an authenticated user
    if (!params.user) {
      throw new AuthenticationError('Unauthenticated context');
    }

    const userCredentials = {
      username: process.env.WEBHOOK_USER,
      password: process.env.WEBHOOK_PASS
    };

    // Only store base64 auth on the server; never send to client
    const authHeader = 'Basic ' + Buffer.from(
      `${userCredentials.username}:${userCredentials.password}`
    ).toString('base64');

    try {
      await axios.post(options.webhookUrl, context.result || context.data, {
        headers: {
          Authorization: authHeader,
          'Content-Type': 'application/json'
        },
        timeout: 5000
      });
    } catch (error) {
      // Do not leak credentials in error logs
      context.app.log.error('Webhook delivery failed:', error.message);
      // Consider retry strategies or alerts without exposing credentials
    }

    return context;
  };
};

In your service definition, apply the hook to secure operations:

// src/services/triggers/triggers.service.js
const hooks = require('./triggers.hooks');
const webhookAuth = require('../hooks/webhook-auth.hook');

module.exports = function (app) {
  const options = {
    name: 'triggers',
    paginate: { default: 10, max: 25 }
  };

  // Initialize service with options
  app.use('/triggers', require('feathers-sequelize')(options));
  const service = app.service('triggers');

  service.hooks({
    before: {
      create: [hooks.validateTrigger, webhookAuth]
    }
  });
};

Additionally, enforce transport security by requiring HTTPS for any external webhook URL and avoid storing credentials in environment variables that are exposed to logs or error traces. Rotate credentials regularly and scope them to the minimal permissions required by the webhook consumer. middleBrick’s Basic Auth checks can help identify whether credentials are being transmitted insecurely or whether unauthenticated endpoints can trigger authenticated flows.

When scanning a FeathersJS API that uses Basic Auth for webhooks, middleBrick’s authentication checks verify whether endpoints properly require credentials. The BOLA/IDOR and Property Authorization checks assess whether object-level permissions are enforced. Input Validation confirms that parameters used to construct webhook URLs are not open to injection or manipulation. If webhook-triggered endpoints are reachable without authentication, findings will highlight the missing auth requirement and flag the use of Basic Auth over unencrypted channels.

The LLM/AI Security checks are relevant if webhook handling involves logging or error reporting that could expose system prompts or sensitive data. These checks probe for prompt injection risks and system prompt leakage that might occur through verbose error messages tied to webhook failures.

Findings include prioritized guidance: require authentication before triggering webhooks, use HTTPS for all external targets, avoid embedding credentials in responses, and ensure that logs do not capture Authorization headers. Remediation guidance references secure hook patterns and credential rotation.