Hello, welcome to the Thursday, December 2, 2021 edition of the Sansonet Stormsendors Stormcast. My name is Johannes Ulrich.

I'm recording from Jacksonville, Florida. A lot of modern web applications are using webhooks.

Now, a webhook, simply speaking, is a web application that you're setting up that receives requests, and then you have other applications that basically send data to your webhook to trigger certain behavior.

For example, if there's an update on routing for a package or whatever, that application could send a request to a webhook

that will then notify a user.

Of course, if you are writing software that is sending data to webhooks, well, you need a way

to test it.

There is a real nice free service, webhook.side.

All you have to do is go to that website and will

automatically set you up with a free URL that you can use as a target for your requests and

will then basically display the data it received. But like any simple free service, it is being abused. And that's something that Xavier talked about

today in his diary. He came across some malware, the hazard token crapper, that will essentially

use webhook.com site order to exfiltrate data.

All you need, of course, on the Malvers end here is a simple post request that sent whatever

data you would like to exfiltrate to that custom URL provided at webhook.side.

And with that, you're able to exfiltrate arbitrary data. I'm not even

sure what the upload limit is here. There's probably some kind of limit. But in this particular

case, it really sort of just exfiltrates some data items, like, for example, the identity of the

computer,

but also things like passwords and cookies,

so probably not more than a few kilobytes.

Well, from a defensive point of view,

...