Buckle Up

Posted May 6, 2026 by Matthias Ott
2 Webmentions
#AI #Craft CMS #infosec #plugins #security #webmentions

You might know that I – with the generous help from Brandon Kelly on the Craft 5 version – wrote and maintain a Webmention plugin for Craft CMS. Today, I shipped version 1.3.0. It’s a security and abuse hardening release, and if you’re running the plugin, you should upgrade.

The backstory of this one is, at least to me, kind of interesting. Back in March, I added a new feature to the plugin: a Failed Webmentions view in the Craft control panel. The reason was simple. Building a Webmention endpoint that both sends and receives reliably is genuinely hard. There’s a lot of sifting through specs and documentation involved. You have to handle a wide range of markup flavours, work around different interpretations of microformats, and add fallbacks for all the times when somebody didn’t implement something the way you’d expect, the parser falls over, and you still want to recover gracefully. The whole thing is supposed to follow the robustness principle: be conservative in what you send, be liberal in what you accept. And to me, Webmentions have always felt a bit like a black box. Rough and uncharted territory.

As it turns out, adding the Failed Webmentions view was a pretty good idea. Because what it revealed was this: unlike a few years ago, when nobody outside our little corner of the Web really knew about Webmentions, bad actors have caught up. They’ve started probing the endpoint. I first noticed it on my way to IndieWebCamp Düsseldorf, the weekend before beyond tellerrand, while looking for something to work on at the Sunday coding session. I opened the Failed Webmentions view – and was flabbergasted. (What a great word, by the way.
😁) Line after line of automated probing, with the fingerprints of tools like sqlmap all over it: time-based blind SQL injection in every flavour of database – MySQL sleep(15), PostgreSQL pg_sleep, Oracle DBMS_PIPE.RECEIVE_MESSAGE, MSSQL WAITFOR DELAY – stuffed into the source field, the target field, sometimes both at once. Boolean payloads like -1' OR 5*5=25 -- and the more elaborate -1' OR 2+99-99-1=0+0+0+1. Double-URL-encoded escape characters like %2527%2522\'\", fingerprinting how my input filter decodes things. Classic XSS patterns: random tokens trailed by <'"> to see if anything would reflect back. And the sheer volume of it! One short sentinel had been retried against a single note 693 times. Another, 451.

Most of these were never going to work. Craft itself is a really secure CMS – Pixel & Tonic have put a lot of care into sensible defaults: parameterized queries, output escaping, CSRF protection, all the foundation work that means a stray apostrophe in an input field won’t take you anywhere interesting. But the plugin layer is still mine, and I’d rather not rely solely on the framework catching things downstream.

So I sat down and hardened the plugin. I completed a few small fixes at the IndieWebCamp and a few more over the last couple of days. URLs are now validated at both ends – when they’re stored and when they’re rendered – so anything that isn’t http:// or https:// is rejected outright, along with whitespace, embedded credentials, illegal hosts, and anything longer than 2048 characters. The public endpoint now has a per-IP rate limit, configurable with a sensible default, and a failure-backoff threshold so that the same broken or malicious source/target pair doesn’t get retried forever. Identical submissions arriving within a five-minute window are deduplicated at the plugin’s controller, so a flood can’t amplify outbound HTTP fetches.
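The URL checks and the five-minute dedup window described above, as an added example that is not the plugin’s own code: it is written in Python rather than the plugin’s PHP, and the hostname rules (an IP literal or DNS-style labels, punycode expected for IDNs), the keying of duplicates on the source/target pair, and the bounded in-memory table are my assumptions; the per-IP rate limit and the failure-backoff threshold are not covered here.

```python
import ipaddress
import re
from urllib.parse import urlsplit

MAX_URL_LEN = 2048                                       # limit named in the post
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")  # one DNS label (assumed rule)


def is_acceptable_url(url: str) -> bool:
    """True only for an absolute http(s) URL that is safe to store and render."""
    if not isinstance(url, str) or len(url) > MAX_URL_LEN:
        return False
    if any(ch.isspace() or ord(ch) < 0x20 for ch in url):
        return False                                      # whitespace / control chars
    try:
        parts = urlsplit(url)
        _ = parts.port                                    # raises on a bad port
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False                                      # also drops bare SQL/XSS probes
    if parts.username is not None or parts.password is not None:
        return False                                      # https://user:pw@host/ style
    host = parts.hostname
    if not host or len(host) > 253:
        return False
    try:
        ipaddress.ip_address(host)                        # IPv4/IPv6 literal is fine
        return True
    except ValueError:
        return all(_LABEL.match(label) for label in host.split("."))


class SubmissionGate:
    """Drops a repeat of the same source/target pair inside `window` seconds so a
    replayed probe cannot multiply outbound fetches. `now` is passed in for testing;
    a real endpoint would use time.time() and a shared store instead of a dict."""

    def __init__(self, window: float = 300.0):
        self.window = window
        self._last_seen = {}                              # (source, target) -> last time

    def accept(self, source: str, target: str, now: float) -> bool:
        if not (is_acceptable_url(source) and is_acceptable_url(target)):
            return False                                  # reject outright, never fetch
        if len(self._last_seen) > 10_000:                 # keep the table bounded
            self._last_seen = {k: t for k, t in self._last_seen.items()
                               if now - t < self.window}
        last = self._last_seen.get((source, target))
        if last is not None and now - last < self.window:
            return False                                  # duplicate inside the window
        self._last_seen[(source, target)] = now
        return True
```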
There’s also a new trustedSourceHosts setting that lets a host like brid.gy bypass the rate limit, so a viral wave of mentions through Bridgy doesn’t get dropped on a busy day. I might add a few more exceptions over time.

Again, if you are using the plugin in production, I recommend you update it as soon as possible. Although I am not aware of any successful exploits, it will definitely harden your setup. And if you run into any issues, let me know or open an issue.

We are now living in wild times when it comes to infosec. Earlier this year, I wrote about how my site was being hammered into oblivion by LLM crawlers, to the point where I had to move to a VPS and harden the whole setup. Two weeks ago, Bastian shipped a security release for Kirby CMS that really challenged the small team. And every week there’s a new round of advisories, vulnerable dependencies, and reports landing in the inboxes of maintainers.

A lot of this has to do with LLMs getting more capable, month after month. The whole offensive playbook – recon, payload generation, evasion, writing custom tooling – is getting cheaper to run. The bad actors are using Opus 4.7, too.

So if you maintain a small plugin, an open endpoint, client websites, or your own little corner of the Web: time to buckle up and secure your stuff.