Twilio Security Scanner: Audit and Harden Your Twilio Configs in Seconds

Twilio Security Scanner

A security scanning tool for Twilio accounts that helps detect misconfigurations and security risks, including:

  • Public serverless functions and assets
  • Unencrypted HTTP webhooks in phone numbers and messaging services
  • API keys older than 90 days

This tool is useful for DevOps, Security Engineers, and compliance teams looking to audit their Twilio configurations for security best practices.

Output

The scanner checks for several security concerns:

Serverless Functions and Assets

  • Lists all public functions and assets
  • Outputs URLs and paths for each public endpoint
  • Saves findings to CSV when the -o flag is given

Webhook Security

  • Identifies phone numbers using unencrypted HTTP webhooks
  • Checks messaging services for unencrypted HTTP URLs
  • Reports both primary and fallback URLs using HTTP

API Key Age

  • Identifies API keys older than 90 days
  • Reports key names for rotation

Trusted Apps

  • Lists all trusted connect applications
  • Shows count of connected applications

CSV Output

When using the -o flag, the scanner will save public serverless findings to a CSV file with the following columns:

  • Type (Function/Asset)
  • URL
  • Path
  • SID
  • Service Name – The friendly name of the Twilio service containing this function/asset
  • Service SID – The unique identifier of the service
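The checks listed above (plain-HTTP webhooks on phone numbers and messaging services, including fallback URLs; API keys older than 90 days; public functions and assets) and the CSV layout can be modelled offline. The following is an added example, not the scanner's own code: the field names follow the Twilio REST resources (IncomingPhoneNumber, MessagingService, Key, Serverless Service), but every SID, URL and timestamp in it is a constructed placeholder, and the `scan()` wrapper and the strict "more than 90 days" cutoff are this example's own choices.

```python
"""Offline model of the scanner's checks over constructed sample records."""
import csv
import io
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

KEY_MAX_AGE_DAYS = 90
# Primary and fallback webhook fields on the two Twilio resources the scanner inspects.
PHONE_NUMBER_WEBHOOK_FIELDS = ("voice_url", "voice_fallback_url", "sms_url", "sms_fallback_url")
MESSAGING_SERVICE_WEBHOOK_FIELDS = ("inbound_request_url", "fallback_url")
CSV_COLUMNS = ["Type", "URL", "Path", "SID", "Service Name", "Service SID"]

def is_plain_http(url):
    """True only for an absolute http:// URL; unset fields and https:// pass.
    urlsplit lowercases the scheme, so 'HTTP://' cannot slip through."""
    return bool(url) and urlsplit(url).scheme == "http"

def find_http_webhooks(records, fields, kind):
    """One finding per (resource, field) whose URL is plain HTTP, fallbacks included."""
    return [
        {"kind": kind, "sid": rec["sid"], "field": field, "url": rec[field]}
        for rec in records
        for field in fields
        if is_plain_http(rec.get(field))
    ]

def find_old_keys(keys, now, max_age_days=KEY_MAX_AGE_DAYS):
    """Names of keys created strictly more than max_age_days before `now` (UTC-aware)."""
    cutoff = now - timedelta(days=max_age_days)
    return [k["friendly_name"] for k in keys if k["date_created"] < cutoff]

def public_serverless_rows(services):
    """Flatten public functions/assets into rows with the CSV columns listed above."""
    rows = []
    for svc in services:
        for kind, items in (("Function", svc["functions"]), ("Asset", svc["assets"])):
            for item in items:
                if item["visibility"] == "public":
                    rows.append({
                        "Type": kind,
                        "URL": f"https://{svc['domain_name']}{item['path']}",
                        "Path": item["path"],
                        "SID": item["sid"],
                        "Service Name": svc["friendly_name"],
                        "Service SID": svc["sid"],
                    })
    return rows

def rows_to_csv(rows):
    """Render rows as the CSV the -o flag would write."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=CSV_COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

# --- constructed sample data (placeholder SIDs and hosts, not real Twilio resources) ---
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_PHONE_NUMBERS = [
    {"sid": "PN_SAMPLE_1", "voice_url": "https://example.com/voice",
     "voice_fallback_url": "http://example.com/voice-fallback",   # fallback still on HTTP
     "sms_url": "https://example.com/sms", "sms_fallback_url": ""},
    {"sid": "PN_SAMPLE_2", "voice_url": "HTTP://example.com/voice",  # odd scheme case
     "voice_fallback_url": None, "sms_url": "https://example.com/sms", "sms_fallback_url": None},
]
SAMPLE_MESSAGING_SERVICES = [
    {"sid": "MG_SAMPLE_1", "inbound_request_url": "http://hooks.example.com/inbound",
     "fallback_url": "https://hooks.example.com/fallback"},
]
SAMPLE_API_KEYS = [
    {"sid": "SK_SAMPLE_1", "friendly_name": "ci-deploy", "date_created": NOW - timedelta(days=91)},
    {"sid": "SK_SAMPLE_2", "friendly_name": "exactly-90", "date_created": NOW - timedelta(days=90)},
    {"sid": "SK_SAMPLE_3", "friendly_name": "fresh", "date_created": NOW - timedelta(days=10)},
]
SAMPLE_SERVICES = [
    {"sid": "ZS_SAMPLE_1", "friendly_name": "notify-service", "domain_name": "notify-0000.twil.io",
     "functions": [{"sid": "ZH_SAMPLE_1", "path": "/send", "visibility": "public"},
                   {"sid": "ZH_SAMPLE_2", "path": "/admin", "visibility": "protected"}],
     "assets": [{"sid": "ZN_SAMPLE_1", "path": "/logo.png", "visibility": "public"}]},
]

def scan(numbers, messaging_services, keys, serverless, now):
    """Run every check and return the findings as one dict."""
    return {
        "http_webhooks": find_http_webhooks(numbers, PHONE_NUMBER_WEBHOOK_FIELDS, "phone_number")
        + find_http_webhooks(messaging_services, MESSAGING_SERVICE_WEBHOOK_FIELDS, "messaging_service"),
        "old_keys": find_old_keys(keys, now),
        "public_serverless": public_serverless_rows(serverless),
    }

if __name__ == "__main__":
    result = scan(SAMPLE_PHONE_NUMBERS, SAMPLE_MESSAGING_SERVICES, SAMPLE_API_KEYS, SAMPLE_SERVICES, NOW)
    for f in result["http_webhooks"]:
        print(f"HTTP webhook: {f['kind']} {f['sid']} {f['field']} -> {f['url']}")
    print("Keys to rotate:", ", ".join(result["old_keys"]))
    print(rows_to_csv(result["public_serverless"]), end="")
```

Two details worth keeping when adapting this to real API responses: the age check compares timezone-aware datetimes (Twilio returns UTC timestamps, and a naive `datetime.now()` would raise on comparison), and a key created exactly 90 days ago is not flagged, so tighten `KEY_MAX_AGE_DAYS` if your policy is "90 days or older".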

Remediation Steps

Public Functions and Assets

If the scanner finds public functions or assets, you can:

  1. Locate the function/asset in the Twilio Console using the provided service name
  2. Navigate to: Console → Functions and Assets → Services → [Service Name]
  3. Review the function/asset visibility settings
  4. Change visibility from “Public” to “Protected” if the endpoint should not be publicly accessible
  5. Consider implementing authentication for endpoints that need controlled access

Note: Making a function/asset protected will require valid Twilio credentials to access it.

Note about Deployment State: Functions and assets can exist in two states:

  • Saved but not deployed: Even if marked as “public”, they are not accessible until deployed
  • Deployed: Will be publicly accessible if marked as “public”

Unencrypted HTTP Webhooks

For webhooks using HTTP instead of HTTPS:

  1. Update all webhook URLs to use HTTPS
  2. Ensure your webhook endpoints support HTTPS
  3. Update both primary and fallback URLs

Old API Keys

For API keys older than 90 days:

  1. Create new replacement API keys
  2. Update applications to use the new keys
  3. Revoke the old keys after confirming all systems are working
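The webhook remediation above is safe only if step 2 (the endpoint actually serves HTTPS) is confirmed before step 1 is applied, for fallback URLs as much as primary ones. The following planner is an added example, not the scanner's or Twilio's code: it rewrites each http:// webhook field of a phone-number record to https://, but includes a field in the update only when a caller-supplied reachability probe says the HTTPS endpoint answers. The probe is an assumption of this example (the constructed one below looks hosts up in a table instead of making a request), and the comment showing how the result would be applied refers to the twilio-python helper library's `incoming_phone_numbers(...).update()` call.

```python
"""Offline planner for switching a phone number's webhooks from HTTP to HTTPS."""
from urllib.parse import urlsplit, urlunsplit

# Primary and fallback webhook fields on a Twilio IncomingPhoneNumber resource.
WEBHOOK_FIELDS = ("voice_url", "voice_fallback_url", "sms_url", "sms_fallback_url")

def to_https(url):
    """Swap an http:// scheme for https://, leaving host, port, path, query and fragment intact."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))

def plan_webhook_update(number, https_reachable):
    """Return (updates, blocked).

    `updates` holds the keyword arguments to pass to the resource's update() call;
    `blocked` lists fields whose HTTPS counterpart did not answer the probe and
    therefore must not be switched yet (switching them would break the webhook)."""
    updates, blocked = {}, {}
    for field in WEBHOOK_FIELDS:
        url = number.get(field)
        if not url or urlsplit(url).scheme != "http":
            continue  # unset or already HTTPS: nothing to do
        candidate = to_https(url)
        if https_reachable(candidate):
            updates[field] = candidate
        else:
            blocked[field] = candidate
    return updates, blocked

# Constructed sample: an HTTP primary URL whose HTTPS counterpart works, and an HTTP
# fallback URL on a host that has no HTTPS listener yet.
SAMPLE_NUMBER = {
    "sid": "PN_SAMPLE_1",
    "voice_url": "http://voice.example.com/answer?tenant=1",
    "voice_fallback_url": "http://legacy.example.com/answer",
    "sms_url": "https://sms.example.com/inbound",
    "sms_fallback_url": None,
}
HTTPS_READY_HOSTS = {"voice.example.com", "sms.example.com"}  # constructed probe table

def sample_probe(url):
    """Stand-in for a real HTTPS reachability check (assumption): a table lookup by host."""
    return urlsplit(url).hostname in HTTPS_READY_HOSTS

if __name__ == "__main__":
    updates, blocked = plan_webhook_update(SAMPLE_NUMBER, sample_probe)
    # With twilio-python this would be: client.incoming_phone_numbers(SAMPLE_NUMBER["sid"]).update(**updates)
    print("apply:", updates)
    print("blocked until the endpoint serves HTTPS:", blocked)
```

Because `blocked` is reported separately, a run against a real account shows exactly which fallback endpoints still need a certificate before the number can be fully moved off plain HTTP, rather than silently leaving them behind.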

Install & Use