Detectify
Knowledge Base

Back to Knowledge Base

Support Center

How to set up your integration with a webhook

Last Updated: Jun 08, 2017 09:51AM CEST

Setting up your integration with a webhook allows you to post alerts directly to any application supporting webhooks. Here's how to set it up:

1. Head over to your Detectify dashboard and select your scan profile, then click on Settings and Integrations where you can find the webhook card. Expand the card and enter your webhook endpoint into the field called webhook endpoint.

2. Optionally you can fill out the secret key for creating a message signature (see Message Signature below)
3. Select which notification types you are interested in receiving and click
Save settings.

4. That's it! Next time you start a test and Detectify finds something that matches your settings, a POST message will be sent to your webhook.

 

How to consume a Detectify webhook

The webhook messages are sent using POST request to the endpoint specified by the subscription. All messages are in JSON format.

The following types or messages are available:

  • event_scan_started: Indicates a scan was started.
  • event_scan_finished: Indicates a scan was finished.​
  • event_finding_high: Indicates the scan found a high-level vulnerability (CVSS 6 and up)​
  • event_finding_medium: Indicates the scan found a medium level vulnerability (between CVSS 3 and 6)​

Limits

There are limitations to the number of messages sent out in order to not flood the remote endpoint.

  • Per scan limit: limits the number of finding messages per scan. The limit is 100.
  • Per finding limit: limits the number of finding messages per finding type (e.g. SQL injection). The limit is 10.
 

Message signature

To enable identification of messages sent by the Detectify, a signature is written to each message using the X-Detectify-Signature header. The signature is a hash value using the keyed-hash message authentication code (HMAC) with the SHA-256 compression function. The secret key specified for the subscription is used for the encryption. For secret key use of a random string with high entropy is suggested.

In short: HMAC_SHA256({secret key}, {message content}) = {X-Detectify-Signature value}

The signature is omitted if the secret key is not specified for the subscription.

Scan started
Contains the domain (domain) and the report URL for the scan (report_url).
Example message:
{
 "type": "event_scan_started",
 "domain": "my.domain",
 "report_url": "https://detectify.com/report/00000000000000000000000000000000/ffffffffffffffffffffffffffffffffffffffff"
} 

Scan finished
Contains the domain (domain), the report URL for the scan (report_url) and the number of finding in the three categories (critical_findings, medium_findings, notice_findings).
Example message:
{
 "type": "event_scan_finished",
 "domain": "my.domain",
 "report_url": "https://detectify.com/report/00000000000000000000000000000000/ffffffffffffffffffffffffffffffffffffffff",
 "critical_findings": 1,
 "medium_findings": 2,
 "notice_findings": 4
}

Finding
Contains information about findings, including vulnerability title (title), severity (severity), CVSS score (cvss_score). domain (domain), report URL for the finding (finding_url) and additional information in the form of tags (tags).
Example message:
{
 "type": "event_finding_high",
 "domain": "my.domain",
 "cvss_score": 6.2,
 "severity": "high",
 "title": "Login Cross Site Request Forgery (CSRF/XSRF)",
 "finding_url": "https://detectify.com/report/00000000000000000000000000000000/ffffffffffffffffffffffffffffffffffffffff/00000000-0000-0000-0000-000000000000",
 "tags": [ "new" ]
}

support@detectify.com
https://cdn.desk.com/
false
desk
Loading
seconds ago
a minute ago
minutes ago
an hour ago
hours ago
a day ago
days ago
about
false
Invalid characters found
/customer/en/portal/articles/autocomplete