Severity: CRITICAL | CWE-345 | Category: Payment Security
Razorpay Webhook Without Signature Verification
Description
Your Razorpay webhook endpoint does not verify the webhook signature, allowing attackers to forge payment events.
How Vezraa Detects It
We check your webhook endpoint's response to a forged payload. If it returns 200 without verifying, we flag it.
Real-World Impact
Attackers can send fake payment-success events and gain access to paid features, digital goods, or subscriptions without paying.
Fix Example
const crypto = require('crypto');
// Compute the HMAC over the raw request body (e.g. express.raw({ type: 'application/json' })),
// not over JSON.stringify(req.body): re-serialising the parsed object does not guarantee
// the exact bytes Razorpay signed, so genuine events can fail and the check becomes brittle.
const expected = crypto
  .createHmac('sha256', RAZORPAY_WEBHOOK_SECRET)
  .update(req.body) // Buffer holding the raw body bytes
  .digest('hex');
const given = String(req.headers['x-razorpay-signature'] || '');
// Constant-time comparison; a length mismatch is simply an invalid signature.
if (given.length !== expected.length ||
    !crypto.timingSafeEqual(Buffer.from(expected), Buffer.from(given))) {
  return res.status(400).send('Invalid signature');
}
Affected Stacks
Razorpay, Next.js, Express