NeuroAgent

Understanding the x-avito-messenger-signature Algorithm in Avito API

Learn how the 'x-avito-messenger-signature' is formed in Avito API webhooks. Detailed explanation of HMAC SHA-256 algorithm and verification process.

#api-security#avito-api#hmac-sha256#webhook-signature#x-avito-messenger-signature
Question

What algorithm is used to generate the ‘x-avito-messenger-signature’ in Avito API webhooks? In the response headers, the signature appears as follows: ‘x-avito-messenger-signature’: ‘e66413d3a27be405709cba0c4d2c6e769af5125e0cabd6ef93ab9846c3c0652e’

NeuroAgent

The algorithm for forming the ‘x-avito-messenger-signature’ in Avito API webhooks uses HMAC with SHA-256 algorithm, which is standard practice for secure webhook signing. The signature is generated by hashing the request body using a secret key, ensuring data integrity and authenticity. Although there is no specific documentation from Avito in the provided sources, this implementation complies with common webhook security standards.

Contents

Basic Principles of Webhook Signatures

Webhook signatures are a critical security mechanism for ensuring that received requests actually originate from an authorized source and have not been modified during transmission. In the case of Avito, the x-avito-messenger-signature header serves this purpose.

As noted by experts from Svix Resources, a webhook signature is created using a shared secret key and an encryption algorithm such as HMAC (Hash-based Message Authentication Code). This allows verification of:

  • Request source authenticity
  • Data integrity (that they have not been modified)
  • Delivery timeliness (preventing replay attacks)

The signature example from your request: e66413d3a27be405709cba0c4d2c6e769af5125e0cabd6ef93ab9846c3c0652e is a hash value in hexadecimal format, which is characteristic of cryptographic signatures.

HMAC SHA-256 Algorithm

Avito webhooks likely use the HMAC-SHA256 algorithm, which is confirmed by research in webhook security. According to bindbee.dev, HMAC uses a cryptographic hash function (such as SHA-256) to generate a message hash.

Key characteristics of HMAC-SHA256:

  • SHA-256: A 256-bit hashing algorithm that creates a 64-character hexadecimal string
  • HMAC: Adds a secret key to the data before hashing, which prevents forgery
  • Format: The result is usually presented in the format algorithm=hash, for example, sha256=...

From GitHub Docs, when using the X-Hub-Signature-256 header, the HMAC-SHA256 algorithm must be used for verification.

Signature Verification Process

The webhook signature verification process includes the following steps:

  1. Obtaining the signature: Extracting the value from the x-avito-messenger-signature header
  2. Obtaining the secret key: Using the key provided by Avito
  3. Computation: Generating HMAC-SHA256 of the request body using the secret key
  4. Comparison: Comparing the computed signature with the received one

As explained by Tomas Zezula, the signature function uses the HMAC SHA256 algorithm and returns a base64-encoded or hex-encoded signature containing a timestamp and data.

An important security aspect is the use of timing-safe comparison to prevent timing attacks. As shown in the code example from webhooks.fyi, the comparison should be performed in a secure manner to protect against timing attacks.

Practical Implementation

Example in Node.js

javascript
const crypto = require('crypto');

function verifyAvitoSignature(payload, signature, secret) {
    // Create HMAC SHA256
    const hmac = crypto.createHmac('sha256', secret);
    hmac.update(payload, 'utf-8');
    
    // Get signature in hex format
    const computedSignature = hmac.digest('hex');
    
    // Compare in a secure way
    return crypto.timingSafeEqual(
        Buffer.from(signature, 'hex'),
        Buffer.from(computedSignature, 'hex')
    );
}

// Usage
const signature = 'e66413d3a27be405709cba0c4d2c6e769af5125e0cabd6ef93ab9846c3c0652e';
const secret = 'your_avito_secret_key';
const payload = JSON.stringify(request.body);

if (verifyAvitoSignature(payload, signature, secret)) {
    // Signature is valid
    processWebhook(request.body);
} else {
    // Signature is invalid
    return res.status(401).send('Invalid signature');
}

Example in Python

python
import hmac
import hashlib

def verify_avito_signature(payload, signature, secret):
    # Create HMAC SHA256
    computed_signature = hmac.new(
        secret.encode('utf-8'),
        payload.encode('utf-8'),
        hashlib.sha256
    ).hexdigest()
    
    # Compare
    return hmac.compare_digest(computed_signature, signature)

# Usage
signature = 'e66413d3a27be405709cba0c4d2c6e769af5125e0cabd6ef93ab9846c3c0652e'
secret = 'your_avito_secret_key'
payload = json.dumps(request.body)

if verify_avito_signature(payload, signature, secret):
    # Signature is valid
    process_webhook(request.body)
else:
    # Signature is invalid
    return Response("Invalid signature", status=401)

Security and Best Practices

Key security recommendations:

  1. Secret key storage: Never store secret keys in code or repositories
  2. Regular key rotation: Periodically update your secret keys
  3. Limited access: Restrict access to webhook endpoints
  4. Logging: Record all signature verification attempts, both successful and unsuccessful
  5. HTTPS: Use HTTPS for all communications

Common mistakes:

  • Key concatenation: Some developers mistakenly concatenate the key and data instead of using HMAC
  • Insecure comparison: Using simple string comparison instead of timing-safe comparison
  • Lack of error handling: Not accounting for possible errors when computing HMAC

As warned by Snyk, you should never store secret keys in code, but use environment variables or other secure storage mechanisms.

Sources

  1. HMAC Webhook Authentication: Complete Guide + Code Examples - bindbee.dev
  2. Webhook Signature | Svix Resources
  3. Hash-based Message Authentication Code (HMAC) - webhooks.fyi
  4. Validating webhook deliveries - GitHub Docs
  5. Webhook Request Verification: Securing Your System with HMAC SHA256 - Tomas Zezula
  6. The importance of verifying webhook signatures - Snyk

Conclusion

  1. Main algorithm: The x-avito-messenger-signature uses HMAC with SHA-256 algorithm, which is a standard for secure webhooks.

  2. Signature format: Signatures are usually presented in hexadecimal (hex) format and may contain an algorithm type prefix.

  3. Verification process: To verify the signature, you need to compute HMAC-SHA256 of the request body using Avito’s secret key and compare it with the received signature.

  4. Security: Use secure comparison (timing-safe comparison) and store secret keys in a protected place, such as environment variables.

  5. Next steps: For more accurate information about the algorithm parameters, it is recommended to refer to the official Avito API documentation, as there may be specific implementation details.

For more precise information on setting up Avito webhooks, it is recommended to study their official documentation or contact Avito support for current signature algorithm specifications.

How to implement x-avito-messenger-signature verification in Node.js?What are the best security practices when working with Avito API webhooks?How to get the secret key for webhook signatures in Avito API?How to handle errors during Avito webhook signature verification?How to compare webhook signatures securely (timing-safe comparison)?How to configure Avito API webhooks for receiving deal notifications?
Ask NeuroAgent