0
0
Rest APIprogramming~20 mins

Webhook signature verification in Rest API - Practice Problems & Coding Challenges

Choose your learning style9 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime
Challenge - 5 Problems
🎖️
Webhook Signature Master
Get all challenges correct to earn this badge!
Test your skills under time pressure!
Predict Output
intermediate
2:00remaining
What is the output of this HMAC signature verification code?

Given the following Python code snippet that verifies a webhook signature, what will be printed?

Rest API
import hmac
import hashlib

secret = b'supersecret'
payload = b'{"order_id":1234}'
signature = '5f4dcc3b5aa765d61d8327deb882cf99'

computed = hmac.new(secret, payload, hashlib.sha256).hexdigest()

if hmac.compare_digest(computed, signature):
    print("Signature valid")
else:
    print("Signature invalid")
ASignature valid
BSyntaxError
CTypeError
DSignature invalid
Attempts:
2 left
💡 Hint

Check if the given signature matches the computed HMAC SHA256 digest.

🧠 Conceptual
intermediate
1:30remaining
Which hashing algorithm is best for webhook signature verification?

When verifying webhook signatures, which hashing algorithm is recommended for security and integrity?

AMD5
BSHA256
CBase64
DSHA1
Attempts:
2 left
💡 Hint

Consider modern security standards and collision resistance.

🔧 Debug
advanced
2:30remaining
What error does this webhook signature verification code raise?

Examine the following JavaScript code snippet for verifying a webhook signature. What error will it raise when run?

Rest API
import crypto from 'crypto';

const secret = 'topsecret';
const payload = JSON.stringify({ id: 42 });
const signature = 'abcdef123456';

const hmac = crypto.createHmac('sha256', secret);
hmac.update(payload);
const digest = hmac.digest('hex');

if (digest === signature) {
  console.log('Valid signature');
} else {
  console.log('Invalid signature');
}

// Now try to call hmac.update(payload) again
hmac.update(payload);
AReferenceError: crypto not defined
BNo error, prints 'Invalid signature'
CTypeError: Digest already called
DSyntaxError
Attempts:
2 left
💡 Hint

Check if the crypto HMAC object can be reused after calling digest().

📝 Syntax
advanced
2:00remaining
Which Python code snippet correctly verifies a webhook signature?

Choose the option that correctly verifies a webhook signature using HMAC SHA256 in Python.

Ahmac.compare_digest(hmac.new(secret, payload, hashlib.sha256).hexdigest(), signature)
Bhmac.new(secret, payload, hashlib.sha256).hexdigest() == signature
Chmac.new(secret, payload, hashlib.sha256).digest() == signature
Dhmac.compare_digest(hmac.new(secret, payload, hashlib.sha256).digest(), signature)
Attempts:
2 left
💡 Hint

Consider the difference between digest() and hexdigest(), and how to safely compare signatures.

🚀 Application
expert
1:30remaining
How many valid webhook signatures are possible with a 256-bit HMAC?

Assuming a webhook uses an HMAC with SHA256 producing a 256-bit signature, how many unique valid signatures can exist?

A2^256
B2^128
C2^512
D2^64
Attempts:
2 left
💡 Hint

Think about the output size of SHA256 in bits and how many unique outputs it can produce.