HARmor Cleans, Sanitizes, Encrypts HAR Files

To help developers and support teams secure HTTP Archive files from unauthorized access, Frontegg has released HARmor, an open source tool to sanitize HAR files.

HAR files are widely used by developers and support teams to debug network issues, analyze website performance, and investigate security vulnerabilities in Web applications. HAR files log all Web interactions the browser has with a site, such as the URLs of visited pages, timing of each request, response status codes, headers, cookies, and even contents of the pages. HAR files can also contain session tokens, API keys, passwords, and other sensitive data. In addition, these files are useful for simulating network traffic and testing how Web pages respond.

The amount of data stored in HAR files makes them potential "treasure troves" for cybercriminals to use in account takeover, session hijacking, and customer support infiltration attacks, says Amir Jaron, Frontegg's vice president of R&D.

The fact that HAR files contain sensitive data that needs to be protected became evident with Okta's recent disclosure that a threat actor had been able to view these files, which had been uploaded to the company's support case management system. These files contained session tokens, which the attacker used to impersonate several valid Okta customers. In response, Okta revoked embedded session tokens and reevaluated the way HAR files are handled.

"In general, Okta recommends sanitizing all credentials and cookies/session tokens within a HAR file before sharing it," Okta CSO David Bradbury wrote in the disclosure.

Okta support, like many other organizations, rely on HAR files when troubleshooting customer issues, so the fact that the files were updated to the case management system was not unusual. In fact, Frontegg recognized very quickly that its own business operations were at risk if threat actors were targeting HAR files, Jaron says. Okta's breach underscored the "critical necessity" of securing HAR files in order to maintain user trust.

"The potential grave consequences for business reputation and customer trust are of great concern to technical support organizations and customers who depend on them," Jaron wrote in a post announcing HARmor.

Since not using HAR files was not an option for Frontegg, the company needed to figure out a way to clean and sanitize data in these files. Once the Frontegg team figured out the mechanics for HARmor, it made sense to open source the tool in order to help other technical support organizations and developers facing the same risks.

HARmor provides a range of cleaning and sanitization capabilities. HARmor can detect and scrub sensitive information, such as cookies, passwords, authorization headers, and query parameters. HARmor can also remove JSON body keys, sanitize files based on URLs, and remove JWT signatures. Users can use HARmor to trim unnecessary data from the file, reducing the amount of information being stored. After sanitizing the HAR file, HARmor then encrypts it so that even if the file falls into the wrong hands, the contents are still protected.

HARmor operates in two modes: Direct Sanitization or Template mode. Direct Sanitization mode presents users with a structured questionnaire to review each data point and decide whether it needs to be sanitized. In Template mode, users can define their own standards in a JSON file, which is particularly useful in order to consistently apply sanitization rules to cookies, headers, and other data patterns specific to the business, according to Jaron.

These templates can also be shared with other users through the HARmor repository on GitHub, allowing them to benefit from work already done to develop sanitization rules.

"This community-driven approach does not just improve the tool but fosters an ecosystem of collective security responsibility," Jaron wrote.