{"id":9924,"date":"2019-09-24T00:00:23","date_gmt":"2019-09-23T23:00:23","guid":{"rendered":"https:\/\/staging-site.42crunch.com\/?post_type=knowledge_series&#038;p=9924"},"modified":"2022-09-24T16:12:18","modified_gmt":"2022-09-24T15:12:18","slug":"addressing-harbor-registry-vulnerability-with-42crunch","status":"publish","type":"post","link":"https:\/\/staging2022.42crunch.com\/addressing-harbor-registry-vulnerability-with-42crunch\/","title":{"rendered":"Addressing Harbor Registry Vulnerability with 42Crunch"},"content":{"rendered":"<p class=\"mentions-texteditor__content\">Hot from the press! There is a <a href=\"https:\/\/unit42.paloaltonetworks.com\/critical-vulnerability-in-harbor-enables-privilege-escalation-from-zero-to-admin-cve-2019-16097\/\">mass assignment<\/a> vulnerability in the Harbor registry. Mass assignment is entry A6 on the OWASP API Security Top 10 list.<\/p>\n<p>A6 is described in the OWASP API Security Top 10 as:<\/p>\n<blockquote>\n<p class=\"p1\"><em>An API endpoint is vulnerable if it automatically converts client parameters into internal object properties without considering the sensitivity and the exposure level of these properties. This could allow an attacker to update object properties that they should not have access to.<\/em><\/p>\n<\/blockquote>\n<p>As mentioned in the CVE report, this is exactly what happened. The API, written in Go, directly decodes the data sent to the API like this:<\/p>\n<p><strong>if err := ua.DecodeJSONReq(&amp;user); err != nil<br \/>\n<\/strong><\/p>\n<p>The User object contains the following:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-11546\" src=\"https:\/\/staging2022.42crunch.com\/wp-content\/uploads\/2019\/09\/word-image-18.png\" alt=\"\" width=\"656\" height=\"328\" srcset=\"https:\/\/staging2022.42crunch.com\/wp-content\/uploads\/2019\/09\/word-image-18.png 656w, https:\/\/staging2022.42crunch.com\/wp-content\/uploads\/2019\/09\/word-image-18-300x150.png 300w\" sizes=\"(max-width: 656px) 100vw, 656px\" \/><\/p>\n<p>The key here is the <strong>HasAdminRole<\/strong> element: if a hacker can set this to true, it&#8217;s basically Game Over. Harbor is an open source project , we therefore have access to the <a href=\"https:\/\/github.com\/goharbor\/harbor\/blob\/master\/src\/common\/models\/user.go\">source code<\/a>. The developers did a good job on the documentation here, which gives us the JSON property name to set (<strong>has_admin_role<\/strong>).<\/p>\n<h2 class=\"mentions-texteditor__content\">How to prevent with the 42Crunch platform ?<\/h2>\n<p class=\"mentions-texteditor__content\">You can use the 42Crunch platform to stop such attacks by defining an OpenAPI based allowlist: only what is in the defined schema will get accepted.<\/p>\n<p>In order to build the ultimate allowlist, you can use the <a href=\"https:\/\/apisecurity.io\/tools\/audit\/\"><strong>Audit<\/strong><\/a> service to analyze your API definition and give you an audit score, which indicates the security quality of your OpenAPI file.<\/p>\n<ul>\n<li>If the operation <em>POST \/api\/users<\/em> had no JSON schema, we would have flagged that as a major issue.<\/li>\n<li>If a schema has been defined but poorly (no patterns, no min, no max, <strong>additionalProperties<\/strong> allowed), we would have flagged that too.<\/li>\n<\/ul>\n<p>Once the score is satisfactory, you can use <strong>directly<\/strong> the OpenAPI file to configure our API firewall.\u00a0 Imagine you have defined the JSON schema for <strong>POST \/api\/users<\/strong> to be:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-11547\" src=\"https:\/\/staging2022.42crunch.com\/wp-content\/uploads\/2019\/09\/JSONSchema-300x213-1.jpeg\" alt=\"\" width=\"300\" height=\"213\" \/><\/p>\n<p>At runtime, a call such as the following would work just fine:<\/p>\n<pre>POST \/api\/users\r\n\r\n{\r\n  \"username\": \"newuser\",\r\n  \"email\": \"myemail@foo.com\",\r\n  \"realname\": \"myname\",\r\n  \"password\": \"Password1\\u0021\",\r\n  \"comment\": \"null\"\r\n}<\/pre>\n<p>However, posting the following would be blocked automatically, since it does not conform to the schema:<\/p>\n<pre>{\r\n  \"username\": \"newuser\",\r\n  \"email\": \"myemail@foo.com\",\r\n  \"realname\": \"myname\",\r\n  \"password\": \"Password1\\u0021\",\r\n  \"comment\": \"null\",\r\n  \"has_admin_role\": true\r\n}<\/pre>\n<h2>What else can we do ?<\/h2>\n<p>The schema above is actually quite poor. It does not describe the format of the data. As an example, the email is defined as a string. Instead it should be defined like this:<\/p>\n<pre>\"email\": {\r\n   \"type\": \"string\",\r\n   \"minLength\": 15,\r\n   \"maxLength\": 50,\r\n   \"pattern\": \"^([a-zA-Z0-9_\\\\\\\\-\\\\\\\\.]+)%40([a-zA-Z0-9_\\\\\\\\-\\\\\\\\.]+)\\\\\\\\.([a-zA-Z]{2,5})$\"\r\n },\r\n ...\r\n \"required\": [\r\n   \"username\",\r\n   \"email\",\r\n   ...\r\n ]\r\n<\/pre>\n<p>If the email property is specified as above, not only do we ensure the email is present, we also validate the string in the request against the given pattern as well as minimal and maximal lengths, closing the door on attacks such as injections or overflows.<\/p>\n<p>If you want to see how we would protect your APIs, <a href=\"https:\/\/42crunch.com\/request-demo\/\">request a demo now<\/a>!<\/p>\n<p><em>For news on all things API &#8211; visit <a href=\"https:\/\/apisecurity.io\/\">APIsecurity.io<\/a>! Sign up for the weekly newsletter and try our <a href=\"https:\/\/apisecurity.io\/tools\/audit\/\">security audit<\/a> for free!<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hot from the press! There is a mass assignment vulnerability in the Harbor registry. Mass assignment is entry A6 on the OWASP API Security Top 10 list. A6 is described in the OWASP API Security Top 10 as: An API endpoint is vulnerable if it automatically converts client parameters into internal object properties without considering [&hellip;]<\/p>\n","protected":false},"author":11,"featured_media":11336,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"none","_seopress_titles_title":"Protect your APIs against the Harbor registry vulnerability","_seopress_titles_desc":"Harbor registry mass assignment vulnerability explained and how to protect against it using the 42Crunch API Security Platform.","_seopress_robots_index":"","site-sidebar-layout":"default","site-content-layout":"default","ast-site-content-layout":"","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"disabled","ast-hfb-above-header-display":"disabled","ast-hfb-below-header-display":"disabled","ast-hfb-mobile-header-display":"disabled","site-post-title":"disabled","ast-breadcrumbs-content":"disabled","ast-featured-img":"disabled","footer-sml-layout":"disabled","theme-transparent-header-meta":"default","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""}},"footnotes":""},"categories":[6],"tags":[16,25,15],"_links":{"self":[{"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/posts\/9924"}],"collection":[{"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/comments?post=9924"}],"version-history":[{"count":0,"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/posts\/9924\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/media\/11336"}],"wp:attachment":[{"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/media?parent=9924"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/categories?post=9924"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/tags?post=9924"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}