You already found one. We'll help you find the other five.
Unverified webhook handlers are rarely alone. The same “trust req.body without verifying signatures” pattern shows up across Stripe, Clerk, GitHub, Resend, SendGrid, Supabase — anywhere you accept a webhook. XploitScan finds all of them in a single scan.
The pattern, simplified
AI coding tools generate the happy path. You ask for “add Stripe payments” or “set up Clerk webhook” and you get a working handler that reads req.body, checks event.type, and does the thing.
What the generator skips: verifying the signature header against the payload with the webhook secret. Without that check, an attacker just needs to know the URL and can send you whatever event they want.
The attack is a single curl command. Real payments work fine, your dashboard looks fine, and you don't notice until someone on Reddit writes about it or your margins cave in.
Providers we check signature verification for
Stripe, Clerk, GitHub, Resend, SendGrid, Supabase, Shopify, Twilio, PayPal. Every handler for these providers gets a “signature verified?” verdict.
If you're using a provider we don't yet cover, email us and we'll add it within 48 hours.
The fix is usually 4 lines
For Stripe it's stripe.webhooks.constructEvent(rawBody, signature, secret) wrapped in a try/catch that returns 400 on failure, plus switching the route from express.json() to express.raw(), because the signature is computed over the exact bytes the provider sent and a parsed-then-reserialized body will not match. XploitScan shows you the exact fix for every vulnerable handler it finds.
Scan your webhook handlers now
Free, no signup, no install. Drop your repo and get a signed-or-not verdict on every webhook endpoint in under five seconds.