Introducing HAR Sanitizer: secure HAR sharing

Created on November 12, 2023 at 10:31 am


On Wednesday, October 18th, 2023, Cloudflare’s Security Incident Response Team (SIRT) discovered an attack on our systems that originated from an authentication token stolen from one of Okta’s support systems. No Cloudflare customer information or systems were impacted by the incident, thanks to the real-time detection and rapid action of our Security Incident Response Team (SIRT) in tandem with our Zero Trust security posture and use of hardware keys. With that said, we’d rather not repeat the experience — and so we have built a new security tool that can help organizations render this type of attack obsolete for good.

The bad actor in the Okta breach compromised user sessions by capturing session tokens from administrators at Cloudflare and other impacted organizations. They did this by infiltrating Okta’s customer support system and stealing one of the most common mechanisms for troubleshooting — an HTTP Response Archive (HAR) file.

HAR files contain a record of a user’s browser session, a kind of step-by-step audit, that a user can share with someone like a help desk agent to diagnose an issue. However, the file can also contain sensitive information that can be used to launch an attack.

As a follow-up to the Okta breach, we are making a HAR file sanitizer available to everyone, not just Cloudflare customers, at no cost. We are publishing this tool under an open source license and are making it available to any support, engineering or security team. At Cloudflare, we are committed to making the Internet a better place and using HAR files without the threat of stolen sessions should be part of the future of the Internet.

HAR Files – a look back in time

Imagine being able to rewind time and revisit every single step a user took during a web session, scrutinizing each request and the responses the browser received.

HAR (HTTP Archive) files are a JSON formatted archive file of a web browser’s interaction with a web application. HAR files provide a detailed snapshot of every request, including headers, cookies, and other types of data sent to a web server by the browser. This makes them an invaluable resource to troubleshoot web application issues, especially for complex, layered web applications.

The snapshot that a HAR file captures can contain the following information:

Complete Request and Response Headers: Every piece of data sent and received, including method types (GET, POST, etc.), status codes, URLs, cookies, and more.

Payload Content: Details of what was actually exchanged between the client and server, which can be essential for diagnosing issues related to data submission or retrieval.

Timing Information: Precise timing breakdowns of each phase – from DNS lookup, connection time, SSL handshake, to content download – giving insight into performance bottlenecks.

This information can be difficult to gather from an application’s logs due to the diverse nature of devices, browsers and networks used to access an application. A user would need to take dozens of manual steps. A HAR file gives them a one-click option to share diagnostic information with another party. The file is also standard, providing the developers, support teams, and administrators on the other side of the exchange with a consistent input to their own tooling. This minimizes the frustrating back-and-forth where teams try to recreate a user-reported problem, ensuring that everyone is, quite literally, on the same page.

HAR files as an attack vector

HAR files, while powerful, come with a cautionary note. Within the set of information they contain, session cookies make them a target for malicious actors.

The Role of Session Cookies

Before diving into the risks, it’s crucial to understand the role of session cookies. A session cookie is sent from a server and stored on a user’s browser to maintain stateful information across web sessions for that user. In simpler terms, it’s how the browser keeps you logged into an application for a period of time even if you close the page. Generally, these cookies live in local memory on a user’s browser and are not often shared. However, a HAR file is one of the most common ways that a session cookie could be inadvertently shared.

Dangers of a stolen session cookie

If a HAR file with a valid session cookie is shared, then there are a number of potential security threats that the user, and their company, may be exposed to:

Unauthorized Access: The biggest risk is unauthorized access. If a HAR file with a session cookie lands in the wrong hands, it grants entry to the user’s account for that application. For platforms that store personal data or financial details, the consequences of such a breach can be catastrophic, especially if the session cookie of a user with administrative or elevated permissions is stolen.

Session Hijacking: Armed with a session cookie, attackers can impersonate legitimate users, a tactic known as session hijacking. This can lead to a range of malicious activities, from spreading misinformation to siphoning off funds.

Persistent Exposure: Unlike other forms of data, a session cookie’s exposure risk doesn’t necessarily end when a user session does. Depending on the cookie’s lifespan, malicious actors could gain prolonged access, repeatedly compromising a user’s digital interactions.

Gateway to Further Attacks: With access to a user’s session, especially an administrator’s, attackers can probe for other vulnerabilities, exploit platform weaknesses, or jump to other applications.

Mitigating the impact of a stolen HAR file

Thankfully, there are ways to render a HAR file inert even if stolen by an attacker. One of the most effective methods is to “sanitize” a HAR file of any session related information before sharing it for debugging purposes.

The HAR sanitizer we are introducing today allows a user to upload any HAR file, and the tool will strip out any session related cookies or JSON Web Tokens (JWT). The tool is built entirely on Cloudflare Workers, and all sanitization is done client-side, which means Cloudflare never sees the full contents of the session token.

Just enough sanitization

By default, the sanitizer will remove all session-related cookies and tokens — but there are some cases where these are essential for troubleshooting. For these scenarios, we are implementing a way to conditionally strip “just enough” data from the HAR file to render them safe, while still giving support teams the information they need.

The first product we’ve optimized the HAR sanitizer for is Cloudflare Access. Access relies on a user’s JWT — a compact token often used for secure authentication — to verify that a user should have access to the requested resource. This means a JWT plays a crucial role in troubleshooting issues with Cloudflare Access. We have tuned the HAR sanitizer to strip the cryptographic signature out of the Access JWT, rendering it inert, while still providing useful information for internal admins and Cloudflare support to debug issues.

Because HAR files can include a diverse array of data types, selectively sanitizing them is not a case of ‘one size fits all’. We will continue to expand support for other popular authentication tools to ensure we strip out “just enough” information.
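
The default and “just enough” modes described above, sketched in JavaScript as an added example (this is not Cloudflare’s sanitizer code). It covers only each entry’s headers and cookies arrays; the `keepClaims` option, the placeholder strings, and the token and cookie names in the constructed sample are assumptions.

```javascript
// Added example, not Cloudflare's code. Scope: headers[] and cookies[] of each entry.
const JWT = /^eyJ[\w-]+\.[\w-]+\.[\w-]+$/; // three base64url segments

// With keepClaims, a JWT keeps header + payload but loses the signature it needs to verify.
function redact(value, keepClaims) {
  if (!(keepClaims && JWT.test(value))) return "[redacted]";
  return value.split(".").slice(0, 2).join(".") + ".[signature-removed]";
}

// Cookie: "a=1; b=2". Set-Cookie: "a=1; Path=/; HttpOnly" (attributes follow the first pair).
function redactCookieHeader(name, value, keepClaims) {
  const parts = value.split(";").map((p) => p.trim());
  const limit = name === "set-cookie" ? 1 : parts.length;
  return parts.map((p, i) => {
    const eq = p.indexOf("=");
    if (i >= limit || eq < 0) return p;
    return p.slice(0, eq + 1) + redact(p.slice(eq + 1), keepClaims);
  }).join("; ");
}

function sanitizeHeaders(headers, keepClaims) {
  for (const h of headers || []) {
    const name = h.name.toLowerCase();
    if (name === "cookie" || name === "set-cookie") {
      h.value = redactCookieHeader(name, h.value, keepClaims);
    } else if (name === "authorization") {
      const [scheme, ...rest] = h.value.split(" ");
      h.value = scheme + " " + redact(rest.join(" "), keepClaims);
    }
  }
}

// Returns a sanitized deep copy; the input HAR object is left untouched.
function sanitizeHar(har, { keepClaims = false } = {}) {
  const out = JSON.parse(JSON.stringify(har));
  for (const entry of out.log.entries) {
    for (const msg of [entry.request, entry.response].filter(Boolean)) {
      sanitizeHeaders(msg.headers, keepClaims);
      for (const c of msg.cookies || []) c.value = redact(c.value, keepClaims);
    }
  }
  return out;
}

const TOKEN = "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1MSJ9.c2ln"; // constructed, fake token
const sample = { log: { entries: [{ // constructed HAR fragment, hypothetical cookie names
  request: { headers: [{ name: "Cookie", value: `sid=abc123; access_jwt=${TOKEN}` }],
             cookies: [{ name: "sid", value: "abc123" }] },
  response: { headers: [{ name: "Set-Cookie", value: "sid=abc123; Path=/; HttpOnly" }], cookies: [] },
}] } };
console.log(JSON.stringify(sanitizeHar(sample, { keepClaims: true }), null, 1));
```

Tokens that appear in URLs, query strings, or request and response bodies are outside this sketch and need their own pass.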

What’s next

Over the coming months, we will launch additional security controls in Cloudflare Zero Trust to further mitigate attacks stemming from session tokens stolen from HAR files. This will include:

Enhanced Data Loss Prevention (DLP) file type scanning to include HAR file and session token detections, to ensure users in your organization cannot share unsanitized files.

Expanded API CASB scanning to detect HAR files with session tokens in collaboration tools like Zendesk, Jira, Drive and O365.

Automated HAR sanitization of data in popular collaboration tools.

As always, we continue to expand our Cloudflare One Zero Trust suite to protect organizations of all sizes against an ever-evolving array of threats. Ready to get started? Sign up here to begin using Cloudflare One at no cost for teams of up to 50 users.
