SShortSingh.
Back to feed

Webhook Replay Attacks Can Grant Duplicate Entitlements Without Idempotency Checks

0
·1 views

A single valid webhook event delivered multiple times can trigger duplicate entitlement grants if handlers rely solely on signature verification without idempotency controls. Signature verification confirms a payload is authentic but does not determine whether it has already been processed, meaning five replays of the same signed webhook can produce five separate access grants. A teaching example called ShipTested demonstrates this vulnerability by replaying one signed order webhook five times, resulting in five entitlements instead of one. The fix introduces a stable event key derived from the event name, order type, and order ID, ensuring subsequent deliveries of the same event are treated as no-ops. Developers are cautioned that the in-memory demonstration is not production-safe, as atomic database operations and multi-instance coordination are required for real-world deployments.

Read the full story at DEV Community

This is an AI-generated summary. ShortSingh links to the original source for the complete article.

Discussion (0)

Log in to join the discussion and vote.

Log in

Related stories

0
ProgrammingDEV Community ·

Next.js 16 brings Turbopack default, new caching APIs, and faster builds

Next.js 16 launched in October 2025, followed by three minor updates through June 2026, introducing several significant changes for web developers. Turbopack, a Rust-based bundler, replaced Webpack as the stable default for both development and production builds, requiring no manual configuration on upgrade. The release also introduced a 'use cache' directive that makes caching boundaries explicit in code, along with two new Server Action APIs — updateTag() and refresh() — for more precise cache and data management. Build performance improved through persistent disk caching of compiler artifacts, reducing cold-start times on large projects, while a Rust port of the React Compiler arrived as an experimental feature in version 16.3. Routing and prefetching were also optimised, with layout deduplication and incremental prefetching significantly reducing network transfer overhead during page navigation.

0
ProgrammingDEV Community ·

CustodyTrac Builds Court-Ready Co-Parenting App With Tamper-Proof Audit Trails

A developer building CustodyTrac.com, a co-parenting management platform, has detailed how designing for courtroom use fundamentally changes standard software architecture decisions. Unlike typical applications, the platform treats deletion as a liability, instead archiving all records with cryptographic fingerprints to ensure nothing can be retroactively altered. Every user interaction — from viewing a message to declining an expense — is timestamped and logged in an immutable audit trail, replacing disputed verbal accounts with objective, exportable records. The platform also offers read-only access links for attorneys and mediators, reducing administrative overhead and enabling real-time visibility into co-parenting disputes. CustodyTrac has been made permanently free, with the developer citing equitable access to legal tools as a core reason behind the decision.

0
ProgrammingDEV Community ·

How to Build a Scalable Live Scoreboard Without Hammering Your Backend

Designing a live scoreboard requires separating static data, such as fixtures and team names, from dynamic data like scores and match incidents, as each type demands different caching and update strategies. Treating all sports data fields as requiring real-time freshness is a common mistake that can make high-traffic match endpoints expensive and unreliable. A more scalable architecture has the backend store the latest match state in a cache and push updates to clients via WebSockets or server-sent events, rather than letting every client poll the API directly. Sports data can also be retroactively corrected, so user interfaces should be built to handle update and cancellation events gracefully. Reviewing a data provider's documentation and delivery model before designing cache and update logic is recommended for anyone building a live sports product.

0
ProgrammingDEV Community ·

Developer hides 90-frame animation inside a single JPEG file using progressive scans

On July 17, 2026, developer Maurycy published a technique that exploits progressive JPEG scans to embed dozens of distinct images into a single .jpg file, creating an animation-like effect during download. The method requires no video codecs, JavaScript, CSS, or containers like MP4 — it relies solely on an obscure JPEG standard detail where each scan can overwrite pixels drawn by the previous one. Browsers like Chrome render up to approximately 90 scans before halting, while Firefox tolerates even more, determining how many frames can be displayed. Playback speed cannot be controlled and depends entirely on network conditions, since each frame appears as the browser progressively downloads the file. Maurycy demonstrated the trick using a "Bad Apple" meme clip and published the source code merge.c alongside a single-page interactive app at badapple.rose.systems.