Skip to content

Slack Webhook URL

Service Name: Slack

Service Description: Slack is a business communication platform offering many IRC-style features, including persistent chat rooms (channels) organized by topic, private groups, and direct messaging. Webhooks are a simple way to post messages from external sources into Slack.

Service Address: https://slack.com/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the workspace level through Enterprise Grid plans, not directly on webhook URLs.

Secret Access Scope: Grants the ability to post messages to a specific Slack channel without requiring authentication beyond possession of the webhook URL.

Secret Revokement URL: https://slack.com/apps/manage/custom-integrations

Secret Example: https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX

Suspicious Activity Investigation Instructions:

  • Review the Slack channel for unexpected or unauthorized messages.
  • Check the webhook configuration in Slack to see when it was created and by whom.
  • Review the Slack audit logs (available on paid plans) for webhook creation and usage.
  • Examine your application logs to identify where and when the webhook URL might have been exposed.
  • Check for any public code repositories or documentation that might contain the webhook URL.

Mitigation Instructions:

  • Navigate to your Slack workspace settings.
  • Go to "Apps and Integrations" or "Custom Integrations".
  • Find the webhook integration that's been compromised.
  • Click "Delete" or "Revoke" to invalidate the webhook URL.
  • Create a new webhook URL if the integration is still needed.
  • Update all legitimate applications to use the new webhook URL.
  • Review your code and configuration files to ensure webhook URLs are not hardcoded or stored insecurely.
  • Consider using environment variables or secure secret management solutions to store webhook URLs.