Unsigned webhook callbacks and Svix bypasses
Clerk and Auth0 notify your backend application about user events (such as registration, login, and email updates) via webhook callbacks. If your webhook endpoint executes actions (like creating a database user record or granting credits) without validating the webhook signature, attackers can spoof these events:
// VULNERABLE Webhook endpoint handler: missing signature verification
app.post("/api/webhooks/clerk", async (req, res) => {
const event = req.body;
// Flaw: trusts client payload directly without signature checks
if (event.type === "user.created") {
await db.user.create({ data: { id: event.data.id, email: event.data.email_addresses[0].email_address } });
}
return res.status(200).send();
}); The Fix: Implement Clerk's or Auth0's cryptographic signature verification library. For Clerk, verify the Svix headers (svix-id, svix-timestamp, svix-signature) before parsing the payload:
// SECURE Webhook pattern using Svix verification
import { Webhook } from 'svix';
app.post("/api/webhooks/clerk", async (req, res) => {
const headers = req.headers;
const payload = req.rawBody; // Read raw payload to preserve signature byte-matching
const wh = new Webhook(process.env.CLERK_WEBHOOK_SECRET);
try {
const evt = wh.verify(payload, headers); // Throws if signature is invalid
// Proceed with verified event parsing...
} catch (err) {
return res.status(400).json({ error: "Invalid signature" });
}
}); Cognito: Insecure authentication flows and key settings
AWS Cognito User Pools provide authentication APIs. A common configuration mistake is enabling the ALLOW_ADMIN_USER_PASSWORD_AUTH flow on client-facing App Clients. This flow bypasses client secrets and allows any client to make administrator calls directly to Cognito, introducing brute-force vulnerabilities. Programmatic clients must use `ALLOW_USER_SRP_AUTH` to authenticate without sending passwords over the wire.
Auth0: JWT claims and audience checks
When Auth0 returns an Access Token, your backend must validate the signature using the JSON Web Key Set (JWKS) provided by Auth0 (located at https://YOUR_DOMAIN/.well-known/jwks.json). We audit your JWT verification middleware to ensure: (1) signatures are validated, (2) the issuer (iss) matches your Auth0 domain, and (3) the audience (aud) matches your API Identifier, preventing client-side tokens from being replayed against backend services.
Clerk webhook signature bypass leading to account creation
During a penetration test of a SaaS app, we identified a webhook route on /webhooks/clerk. The endpoint did not verify the Svix signature headers. We generated a synthetic JSON event payload containing a mock user ID and email address, and posted it to the route. The backend processed the request, creating an account with administrative permissions in the database. Fix priority: critical. Remediated by implementing Clerk Webhook verification.
Integrating Auth0, Clerk, or AWS Cognito? Schedule a third-party auth security review.
Book an Identity / IDaaS AuditFrequently asked questions
Why is a leaked client ID in Cognito or Auth0 not a security breach?
Client IDs are designed to be embedded in client-side applications (like mobile or web apps) to route authentication requests. The security relies on token signatures, client secrets (for confidential clients), and correct callback URI matching configurations.
How do you audit Clerk webhook configurations?
We verify if your endpoint checks the `svix` headers (svix-id, svix-timestamp, svix-signature) using Clerk's SDK, ensuring that attackers cannot spoof user events (like user.created or user.updated).
What is the security risk of AWS Cognito self-registration?
If self-registration is enabled without strict email/phone verification, attackers can automate account creation using synthetic details and access authorized API gateways.
Related reading
Blog: JWT token security mistakes · OAuth & OIDC audits · API data leaks
Services: API security testing · Secure architecture review