I had this debate with a colleague the other day, and while Slack has something official to say about it, I thought the best way to settle the debate would be with a real live example. Since we also do customer support over Slack, the security of this medium has always troubled me. This is especially troubling considering everyone in my workspace (employee or not) can send me private messages if we are on the same channel. I assume phishing will not skip over this communication medium.

My idea to settle the debate was simple: find a webhook, use it to send a "phishing" message, and see if it gets opened.

Slack allows you to define a webhook without a channel or a team associated with it, leaving it for you to define... never trust a stranger.

In 30 minutes of searching some search engines, GitHub, Pastebin (etc.) I collected over 600 unique Slack webhooks matching "\d+/B\d+/+".

I wrote a simple script to send my bait:

```python
import json
import logging
import requests

FORMAT = '%(asctime)s %(message)s'
logging.basicConfig(filename='test.log', level=logging.INFO, format=FORMAT)

db = "sites.txt"                  # one collected webhook URL per line
lines = open(db).readlines()

# Other ideas: general, announcements, random
channel_name = "random"

id = 1
for url in lines:
    id = id + 1
    url = url.strip()
    payload = {"channel": channel_name}  # the bait message body is elided on the page
    r = requests.post(url, data=json.dumps(payload))
    # one log line per webhook: source file, URL, counter, channel, HTTP status, Slack's reply
    logging.info('%s, %s, %d, %s, %s, %s',
                 db, url, id, channel_name, r.status_code, r.text)
```

On the other side, this is what the users will see (screenshot of the bait message; image not preserved on the page).

Sampling 158 (roughly a quarter) of the webhooks I found, I tried sending the above obvious bait message to a channel I guessed would exist, "random":

| Response code | Message | # |
|---|---|---|
| 200 | ok | 94 |
| 404 | no_team | 17 |
| 404 | channel_not_found | 15 |
| 404 | no_active_hooks | 12 |
| 410 | channel_is_archived | 10 |
| 403 | invalid_token | 6 |

Ok, so a 61% success rate at step 1, sending the message: not bad.

Now I sat and waited, and in no less than 10 minutes I started getting hits, mostly from the User-Agent "Slack-ImgProxy (+ )", which seems to trigger every time the message is opened in the user's Slack app.

6 hours in (not much) I had over 200 hits from the above UA, meaning many saw my awkward message, which was sent to a non-critical channel, "random".

And ... 31 users clicked the link in less than 24 hours! Jackpot (and debate settled).

Now, there are several lessons from this little experiment:

- Slack webhooks ARE A SECRET: treat them as one!
- Slack doesn't have a built-in anti-phishing solution, so be wary if your workspace has external users or open webhooks.
- Using this method, one can achieve over 100% phishing success per message, since every single message could be read by dozens (or thousands) of Slack users on the other side.

I could make the test much better by sending it to broader channels (like general), crafting the message better, etc., but this was just a simple test to prove a point, not a bug bounty hunt.

Sending notifications and updates via Slack will keep you and your co-workers informed on time. To configure Slack events from your Ubidots Apps does require a small integration using the Incoming WebHooks App, which is powered by Slack.

A Slack account, with the Incoming WebHooks option enabled.

Follow the simple steps below to configure Slack events in order to keep your team informed.

1. The Incoming WebHooks App is a simple way to post messages from Ubidots into Slack. Follow these steps to locate the correct incoming WebHook URL so that your Ubidots Slack Event can be delivered reliably to the correct Slack channel. Access the Apps section of your Slack account and add the app "Incoming WebHooks" from the Slack App Directory. See Sending messages using Incoming WebHooks.

Incoming webhooks are a simple way to post messages from apps into Slack. Because we strongly recommend you do not use legacy custom integrations anymore, you should instead use the similar feature in Slack apps. Our guide to Getting Started with incoming webhooks will walk you through the process of enabling this functionality in a Slack app.

The Slack webhook alerts users via a message in Slack when an entry is changed in Contentful. Users can define which actions or entries trigger alerts.

Slack + PagerDuty Integration Benefits: incident response capabilities within. Slack V2 Next Generation uses a V3 Webhook Subscription and comes with.