# Credential Exfiltration via User-Controlled Endpoint

- ID: javascript-webhook-credential-exfiltration
- Severity: CRITICAL
- CWE: CWE-201
- Languages: JavaScript, TypeScript
- Frameworks: express, fastify, nodejs, nextjs, nestjs, koa, hapi

## Description

Detects when internal credentials (API keys, secrets, tokens) are sent in HTTP requests to user-controlled endpoints. An attacker can exfiltrate server credentials by supplying a malicious webhook URL whose server records the sensitive headers or body data.

Example vulnerable pattern:

```javascript
// User controls 'endpoint' from the request body
const endpoint = req.body.webhookUrl;

// Server sends its internal API key to the attacker-controlled URL
await fetch(endpoint, {
  headers: { 'X-API-Key': process.env.INTERNAL_API_KEY }
});
```

This differs from standard SSRF, where the attacker uses the server to reach internal resources: here the attacker makes the server send its own credentials to an endpoint the attacker controls.

## Detection Message

User input from {source} controls the destination of an HTTP request at {sink}. If credentials are included in the request headers or body, attackers can exfiltrate them by providing a malicious endpoint URL.

## Remediation

1. Never send internal credentials to user-controlled endpoints.
2. Validate webhook URLs against a strict allowlist of trusted domains.
3. Use webhook secrets for authentication instead of sending API keys.

```javascript
// SAFE: validate the webhook URL against an allowlist of trusted hosts
const ALLOWED_WEBHOOK_DOMAINS = ['api.slack.com', 'hooks.stripe.com'];
const webhookUrl = new URL(req.body.webhookUrl); // throws on a malformed URL
if (!ALLOWED_WEBHOOK_DOMAINS.includes(webhookUrl.hostname)) {
  return res.status(400).json({ error: 'Untrusted webhook domain' });
}

// SAFE: use a webhook-specific secret, not the internal API key
await fetch(webhookUrl, {
  headers: { 'X-Webhook-Secret': req.body.webhookSecret }
});
```

Learn more: https://shoulder.dev/learn/javascript/cwe-201/credential-exfiltration