Slack Webhook URL
Service Name: Slack
Service Description: Slack is a business communication platform offering many IRC-style features, including persistent chat rooms (channels) organized by topic, private groups, and direct messaging. Webhooks are a simple way to post messages from external sources into Slack.
Service Address: https://slack.com/
Validation Type: API Auth
IP Allow list: IP restrictions can be configured at the workspace level through Enterprise Grid plans, not directly on webhook URLs.
Secret Access Scope: Grants the ability to post messages to a specific Slack channel without requiring authentication beyond possession of the webhook URL.
Secret Revokement URL: https://slack.com/apps/manage/custom-integrations
Secret Example: https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX
Suspicious Activity Investigation Instructions:
- Review the Slack channel for unexpected or unauthorized messages.
- Check the webhook configuration in Slack to see when it was created and by whom.
- Review the Slack audit logs (available on paid plans) for webhook creation and usage.
- Examine your application logs to identify where and when the webhook URL might have been exposed.
- Check for any public code repositories or documentation that might contain the webhook URL.
Mitigation Instructions:
- Navigate to your Slack workspace settings.
- Go to "Apps and Integrations" or "Custom Integrations".
- Find the webhook integration that's been compromised.
- Click "Delete" or "Revoke" to invalidate the webhook URL.
- Create a new webhook URL if the integration is still needed.
- Update all legitimate applications to use the new webhook URL.
- Review your code and configuration files to ensure webhook URLs are not hardcoded or stored insecurely.
- Consider using environment variables or secure secret management solutions to store webhook URLs.