Microsoft Teams webhook false verification #2693

Open
atkinchris opened this issue Apr 10, 2024 · 0 comments
TruffleHog Version

$ trufflehog --version
trufflehog 3.72.0

Bug also present in enterprise version.

Expected Behavior

The revoked Microsoft Teams webhook should not have been shown as verified.

Actual Behavior

The revoked Microsoft Teams webhook was shown as verified.

Steps to Reproduce

  1. Create a Microsoft Teams webhook, and put the webhook URL in a file.
  2. Scan the file with TruffleHog. Observe a (correctly) verified result.
  3. Delete the webhook through Microsoft Teams.
  4. Scan the file with TruffleHog. Observe an erroneous verified result.

Additional Context

The test in TruffleHog's detector sends an empty message to the webhook, and declares the result verified if Microsoft responds saying that text is required. However, this response is the same for both valid and revoked webhook URLs.

```go
// Excerpt from the detector's verification path: matching the response body alone marks the webhook verified.
if strings.Contains(string(body), "Text is required") {
	return true, nil
}
```

I suspect Microsoft's payload validation is now happening before the webhook destination is validated. Sending a request with a message (even an empty string) to a revoked webhook correctly returns a 404 error with the text below.

Webhook message delivery failed with error: Microsoft Teams endpoint returned HTTP error 404

However, sending a non-empty message to a Microsoft Teams webhook is a mutative action. If the webhook is valid, a message will be produced on the channel.

@atkinchris atkinchris added the bug label Apr 10, 2024