### Vulnerability Overview

The webhook replay deduplication in the Zalo platform did not isolate different authenticated targets. The replay state was effectively shared across targets, so an event whose `message_id` had already been seen under one target's secret was treated as a replay when the same identifier arrived for a different target with its own secret. An attacker who can deliver crafted requests to one target can therefore cause unintended behavior in the handling of events for another target, bypassing the protection the deduplication was meant to provide.

### Impact Scope

- **Affected Component**: Webhook processing logic of the Zalo platform.
- **Potential Risk**: Attackers may exploit this vulnerability to conduct replay attacks, leading to data leakage or malicious system manipulation.

### Remediation Plan

1. **Code Modification**:
   - In `monitor.webhook.ts`, `isReplayEvent` was changed so that replay deduplication is tracked independently for each authenticated target.
   - Specifically:
     - The replay state is scoped to the authenticated target, and `$update.event_name` together with `$update.message_id` is the key within that scope, so events carrying the same identifiers but addressed to different targets no longer collide.
     - `handleZaloWebhookRequest` invokes `isReplayEvent` for the target that was authenticated for the request, so a request is rejected as a replay only when that same target has already received the event.
2. **Test Cases**:
   - A new test case for `handleZaloWebhookRequest`, `"keeps replay dedupe isolated per authenticated target"` (shown below under POC Code), verifies that replay deduplication is correctly isolated for different authenticated targets.
   - The test registers two distinct targets (`targetA` and `targetB`) on the same path with different secrets, sends the same payload to each, and checks that both deliveries are processed exactly once, i.e. that the first target's replay state does not affect the second.
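The following is an added example, not code from the advisory or from the Zalo platform's own `monitor.webhook.ts`. It shows the two key schemes side by side: the vulnerable one, where the dedupe key is built only from `event_name` and `message_id` and is therefore shared by every target, and the fixed one, where the authenticated target is part of the key. The names (`ReplayCache`, `WebhookTarget`, `isReplayEventShared`, `isReplayEventScoped`, `handleWebhookRequest`, `simulate`), the per-target `id` field, the `user_send_text` event name and the TTL value are all assumptions for illustration; only the header name `x-bot-api-secret-token`, the two secrets and the message id come from the page. `simulate` reproduces the advisory's scenario with constructed data and returns how many deliveries each target received under each scheme.

```typescript
import { timingSafeEqual } from "node:crypto";

// Minimal shape of the update fields the dedupe key uses (an assumption of
// this example; the real update carries more fields).
type ZaloUpdate = { event_name: string; message_id: string };

// An authenticated webhook target. `id` is an opaque per-target identity
// (e.g. the account the target is registered for); assumed for illustration.
interface WebhookTarget {
  id: string;
  secret: string;
  deliver: (update: ZaloUpdate) => void;
}

// Replay cache with a TTL. `now` is injectable so expiry can be tested.
class ReplayCache {
  private seen = new Map<string, number>();
  constructor(private ttlMs: number, private now: () => number = Date.now) {}

  // True if `key` was recorded within the TTL window; otherwise record it now.
  seenBefore(key: string): boolean {
    const t = this.now();
    this.seen.forEach((expires, k) => {
      if (expires <= t) this.seen.delete(k);
    });
    if (this.seen.has(key)) return true;
    this.seen.set(key, t + this.ttlMs);
    return false;
  }
}

// Vulnerable shape: the key is built only from the event's own identifiers, so
// one cache entry is shared by every target that receives that message_id.
function isReplayEventShared(cache: ReplayCache, update: ZaloUpdate): boolean {
  return cache.seenBefore(`${update.event_name}:${update.message_id}`);
}

// Fixed shape: the authenticated target is part of the key, so entries for
// different targets never collide. NUL separators keep the join unambiguous.
function isReplayEventScoped(cache: ReplayCache, target: WebhookTarget, update: ZaloUpdate): boolean {
  return cache.seenBefore([target.id, update.event_name, update.message_id].join("\0"));
}

// Resolve the target whose secret matches the presented token. The comparison
// is constant-time so the handler does not act as a timing oracle for secrets.
function authenticate(targets: WebhookTarget[], token: string | undefined): WebhookTarget | undefined {
  if (token === undefined) return undefined;
  const presented = Buffer.from(token, "utf8");
  for (const target of targets) {
    const expected = Buffer.from(target.secret, "utf8");
    if (expected.length === presented.length && timingSafeEqual(expected, presented)) return target;
  }
  return undefined;
}

type Outcome = "unauthorized" | "replay" | "delivered";

// One POST: authenticate first, then run the replay check in that target's
// scope (or, with scoped=false, the shared-key variant for comparison).
function handleWebhookRequest(
  targets: WebhookTarget[],
  cache: ReplayCache,
  token: string | undefined,
  update: ZaloUpdate,
  scoped = true,
): Outcome {
  const target = authenticate(targets, token);
  if (!target) return "unauthorized";
  const replay = scoped ? isReplayEventScoped(cache, target, update) : isReplayEventShared(cache, update);
  if (replay) return "replay";
  target.deliver(update);
  return "delivered";
}

// Replays the advisory's scenario with constructed data: one payload sent to
// two targets that share a path but hold different secrets, then a genuine
// replay to the second target and a request carrying a wrong token.
function simulate(scoped: boolean): { a: number; b: number; outcomes: Outcome[] } {
  let a = 0;
  let b = 0;
  const targets: WebhookTarget[] = [
    { id: "default", secret: "secret-a", deliver: () => { a++; } },
    { id: "work", secret: "secret-b", deliver: () => { b++; } },
  ];
  const cache = new ReplayCache(60000);
  const payload: ZaloUpdate = { event_name: "user_send_text", message_id: "msg-replay-scope-1" };
  const outcomes: Outcome[] = [
    handleWebhookRequest(targets, cache, "secret-a", payload, scoped),
    handleWebhookRequest(targets, cache, "secret-b", payload, scoped),
    handleWebhookRequest(targets, cache, "secret-b", payload, scoped),
    handleWebhookRequest(targets, cache, "not-a-secret", payload, scoped),
  ];
  return { a, b, outcomes };
}
```

With the shared key, `simulate(false)` delivers to target A once and never to target B, which is the behavior the advisory describes; with the scoped key, `simulate(true)` delivers once to each target while the third request, a genuine replay to target B, is still rejected. The authentication step runs before the replay check so that an unauthenticated request can never populate or consult any target's replay state.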
### POC Code

```typescript
it("keeps replay dedupe isolated per authenticated target", async () => {
  const simA = vi.fn();
  const simB = vi.fn();
  // Two targets on the same webhook path, distinguished by secret (and account).
  const unregisterA = registerTarget({
    path: "/hook-replay-scope",
    secret: "secret-a",
    statusSim: simA,
  });
  const unregisterB = registerTarget({
    path: "/hook-replay-scope",
    secret: "secret-b",
    statusSim: simB,
    account: {
      ...DEFAULT_ACCOUNT,
      accountId: "work",
    },
  });
  // One payload, with a single message id, delivered to both targets.
  const payload = createTextUpdate({
    messageId: "msg-replay-scope-1",
    userId: "123",
    userName: "",
    chatId: "123",
    text: "hello",
  });
  await withServer(webhookRequestHandler, async (baseUrl) => {
    const first = await fetch(`${baseUrl}/hook-replay-scope`, {
      method: "POST",
      headers: {
        "x-bot-api-secret-token": "secret-a",
        "content-type": "application/json",
      },
      body: JSON.stringify(payload),
    });
    const second = await fetch(`${baseUrl}/hook-replay-scope`, {
      method: "POST",
      headers: {
        "x-bot-api-secret-token": "secret-b",
        "content-type": "application/json",
      },
      body: JSON.stringify(payload),
    });
    expect(first.status).toBe(200);
    expect(second.status).toBe(200);
  });
  // Before the fix the second delivery was dropped as a replay of the first,
  // so simB was never called.
  expect(simA).toHaveBeenCalledTimes(1);
  expect(simB).toHaveBeenCalledTimes(1);
});
```

This test only covers isolation between targets. It does not assert that a second delivery of the same payload with `secret-a` is still rejected, so a change that disabled deduplication altogether would also pass it; a third request to the same target, followed by `expect(simA).toHaveBeenCalledTimes(1)`, would close that gap.

### Summary

The fix ensures that the Zalo platform's webhook replay deduplication correctly isolates different authenticated targets, so that an event identifier seen under one target's secret can no longer suppress or otherwise affect the handling of the same identifier for another target.