I scanned 50 random Stripe-integrated apps. 31% had webhook endpoints accepting unsigned requests. Anyone could fake a `payment_intent.succeeded` event and trigger your fulfillment pipeline.
Concretely: `charge.succeeded` events that trigger free product shipments, replayed events that credit an account twice, and race conditions on `payment_intent.created`. The auditor finds webhook endpoints that accept unsigned requests, endpoints that accept replayed events, and handlers with missing signature verification. Bots are scraping for misconfigurations of this exact class continuously. The cost of a breach is your customer trust plus, often, a regulatory disclosure. The cost of an audit is $99.
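As an added example (not the auditor's own code, and not from Stripe's SDK), here is what those failure classes look like at the handler level, with the check that closes each one. Stripe's scheme is public: the `Stripe-Signature` header carries `t=<unix timestamp>,v1=<hex HMAC-SHA256>`, where the MAC is computed with the endpoint's signing secret over `<timestamp>.<raw request body>`, and the official SDKs reject timestamps more than 300 seconds old by default. The secret, event payload and timestamps below are constructed for the example; in production call `stripe.Webhook.construct_event` rather than hand-rolling this, but the hand-rolled version shows exactly which steps a vulnerable handler skips.

```python
import hashlib
import hmac
import json
import time
from typing import Optional, Set

# Constructed for the example. Real Stripe signing secrets start with "whsec_".
WEBHOOK_SECRET = "whsec_example_secret_for_demo_only"


def sign_payload(raw_body: bytes, secret: str, timestamp: int) -> str:
    """Build a Stripe-Signature header the way Stripe does:
    HMAC-SHA256(secret, "<t>.<raw body>"), hex encoded, as the v1 value."""
    signed = f"{timestamp}.".encode() + raw_body
    digest = hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={digest}"


def verify_signature(raw_body: bytes, sig_header: Optional[str], secret: str,
                     tolerance: int = 300, now: Optional[int] = None) -> bool:
    """True only if some v1 signature matches the raw body AND the timestamp
    is within `tolerance` seconds. Each early return is one audit finding."""
    if not sig_header:
        return False  # unsigned request accepted: the "31%" finding
    parts = {}
    for item in sig_header.split(","):
        key, _, value = item.partition("=")
        parts.setdefault(key.strip(), []).append(value.strip())
    try:
        ts = int(parts["t"][0])
    except (KeyError, IndexError, ValueError):
        return False
    now = int(time.time()) if now is None else now
    if abs(now - ts) > tolerance:
        return False  # stale timestamp: blocks replay of an old captured request
    expected = hmac.new(secret.encode(), f"{ts}.".encode() + raw_body,
                        hashlib.sha256).hexdigest()
    # Constant-time compare against every v1 value (Stripe sends several during secret rotation).
    return any(hmac.compare_digest(expected, sig) for sig in parts.get("v1", []))


def handle_webhook(raw_body: bytes, sig_header: Optional[str], seen_event_ids: Set[str],
                   now: Optional[int] = None) -> str:
    """Hardened handler. Returns what it did: 'rejected', 'duplicate', 'fulfilled' or 'ignored'."""
    if not verify_signature(raw_body, sig_header, WEBHOOK_SECRET, now=now):
        return "rejected"
    event = json.loads(raw_body)
    # The tolerance window still allows replay within 300 s and Stripe retries
    # deliveries, so fulfilment must be idempotent on the event id as well.
    if event["id"] in seen_event_ids:
        return "duplicate"
    seen_event_ids.add(event["id"])
    if event.get("type") == "payment_intent.succeeded":
        return "fulfilled"  # the fulfilment pipeline runs here
    return "ignored"


def handle_webhook_unsafe(raw_body: bytes) -> str:
    """The vulnerable shape the audit looks for: trusts the body, never reads the header."""
    event = json.loads(raw_body)
    if event.get("type") == "payment_intent.succeeded":
        return "fulfilled"  # anyone who can reach the URL ships product
    return "ignored"


if __name__ == "__main__":
    # Constructed event; a real one carries a full PaymentIntent object in "data".
    body = json.dumps({"id": "evt_demo_1", "type": "payment_intent.succeeded"}).encode()
    now = 1_700_000_000
    seen: Set[str] = set()
    print(handle_webhook(body, sign_payload(body, WEBHOOK_SECRET, now), seen, now))   # fulfilled
    print(handle_webhook(body, sign_payload(body, WEBHOOK_SECRET, now), seen, now))   # duplicate
    print(handle_webhook(body, None, set(), now))                                     # rejected
    print(handle_webhook(body, sign_payload(body, "whsec_wrong", now), set(), now))   # rejected
    print(handle_webhook(body, sign_payload(body, WEBHOOK_SECRET, now), set(), now + 301))  # rejected
    print(handle_webhook_unsafe(body))                                                # fulfilled
```

Two details matter when porting this into a real framework: verify against the exact bytes the request carried (most frameworks re-serialize parsed JSON, which changes whitespace and breaks the MAC), and treat the timestamp tolerance and the event-id dedup as separate controls, since the first only narrows the replay window and the second is what actually prevents the double credit.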
I've shipped open-source security auditors for Supabase, PocketBase, Appwrite, Hasura, Firebase. Each is MIT-licensed. The Stripe Webhook auditor follows the same playbook: active probe, not metadata inference. Source on GitHub.
What credentials do you need? The minimum read-only set required to enumerate the misconfiguration class. Specifics depend on the stack: for Stripe webhooks, your webhook endpoint URL plus the endpoint's signing secret (the secret is what lets the probe send validly signed test events, so treat it as sensitive and rotate it after the run); for S3, an IAM key with s3:ListAllMyBuckets and s3:GetBucketPolicy; for GitHub Actions, a PAT with repo:read.
Will you keep the credentials? No. They are used only for the audit run and deleted from my machine after delivery. Rotate them afterwards if you want.
What if you find nothing? Money-back. I've never run this on a project that's been live more than 6 months and found zero issues, but if it happens to you, you don't pay.
I'd rather just use the open-source tool. Go ahead — https://github.com/Perufitlife/stripe-webhook-security. The $99 saves you the install + interpretation + writing the executive summary for your team.