Glossary

Replay attack

A replay attack re-sends a captured, validly signed request to trigger its effect again. Credicorp defends against it with a signed timestamp and a 5-minute tolerance on webhooks.


Definition

In a replay attack, an attacker captures a legitimate signed request and re-transmits it later. Because it was genuinely signed, a naive verifier accepts it. Credicorp includes the timestamp inside the HMAC and rejects anything outside a 300-second window, so a stale replay fails verification. Pair that with idempotency on the event id and a replay is harmless even within the window.

Frequently asked questions

How does the timestamp stop replays?

The timestamp is covered by the signature, so it cannot be altered without invalidating the signature, and old timestamps are rejected. A captured request goes stale within five minutes. See signature verification.
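The checks described in the definition and in the answer above, as an added Python example that is not Credicorp's code. The signing layout (HMAC-SHA256 over `<timestamp>.<body>`), the `id` field in the event body, and all names and sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import json

TOLERANCE_SECONDS = 300  # the 5-minute window described on this page


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    # Assumed layout: HMAC-SHA256 over "<timestamp>.<body>", so the timestamp
    # is covered by the MAC and cannot be changed after capture.
    message = str(timestamp).encode() + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


class WebhookVerifier:
    def __init__(self, secret: bytes):
        self.secret = secret
        self.seen_event_ids = set()  # hypothetical; use a durable store in production

    def handle(self, timestamp: str, signature: str, body: bytes, now: float) -> str:
        try:
            ts = int(timestamp)
        except ValueError:
            return "rejected: malformed timestamp"
        # Check the MAC first, in constant time, over timestamp and body together.
        expected = sign(self.secret, ts, body)
        if not hmac.compare_digest(expected.encode(), signature.encode()):
            return "rejected: bad signature"
        # A genuine signature on an old (or far-future) timestamp is a stale replay.
        if abs(now - ts) > TOLERANCE_SECONDS:
            return "rejected: outside tolerance"
        # Inside the window, the event id makes a second delivery a no-op.
        event_id = json.loads(body)["id"]
        if event_id in self.seen_event_ids:
            return "duplicate: ignored"
        self.seen_event_ids.add(event_id)
        return "processed"


# Constructed sample delivery (not a real event, event type or secret).
SECRET = b"example-webhook-secret"
BODY = b'{"id": "evt_example_001", "type": "example.event"}'
SENT_AT = 1_700_000_000
SIGNATURE = sign(SECRET, SENT_AT, BODY)

if __name__ == "__main__":
    v = WebhookVerifier(SECRET)
    for delay in (2, 60, 301):  # first delivery, replay in window, stale replay
        print(delay, v.handle(str(SENT_AT), SIGNATURE, BODY, now=SENT_AT + delay))
```

Rewriting the timestamp to make a stale capture look fresh changes the signed message, so that attempt fails the signature check rather than the window check.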
