Bitbucket Webhook Signature
Service Name: Bitbucket
Service Description: Bitbucket is a Git-based source code repository hosting service owned by Atlassian. It offers both commercial plans and free accounts with an unlimited number of private repositories.
Service Address: https://bitbucket.org/
Validation Type: API Auth
IP Allow list: IP restrictions can be configured at the workspace level through IP allowlists in Bitbucket Cloud Premium.
Secret Access Scope: Webhook signatures are used to verify that webhook payloads sent to your server are genuinely from Bitbucket. They don't grant access to Bitbucket resources but help secure webhook integrations.
Secret Revokement URL: https://bitbucket.org/workspace/workspace/settings/webhooks/
Secret Example: v1=a67d4ca0b48eaed73850d712a346f722d95914d6f7be12091bce8c0c9130040d
Suspicious Activity Investigation Instructions:
- Review webhook delivery logs in your Bitbucket workspace settings.
- Check your application logs for unexpected webhook events or failed signature validations.
- Verify if there are any unauthorized changes to webhook configurations in your Bitbucket repositories.
- Monitor for unusual repository activities that might be triggering webhooks.
- Examine your server logs for webhook requests with invalid signatures.
Mitigation Instructions:
- Navigate to your Bitbucket workspace settings.
- Go to the Webhooks section.
- Find and delete the compromised webhook or update its secret.
- Create a new webhook with a new secret if needed.
- Update your application to use the new webhook secret.
- Consider implementing IP restrictions for webhook deliveries if available.
- Review and update your security practices for storing webhook secrets.
- Ensure webhook secrets are stored securely and not exposed in code repositories.