
API Client Secrets are Being Logged in Plaintext (PowerShell Logs)

Çağlar Arlı


I'm currently implementing a PowerShell script to call the Sophos API (https://developer.sophos.com/intro).

# Prompt for the client secret as a SecureString so it is not echoed to the console.
Write-Output "`nEnter the Sophos API key / client secret."
$ClientSecret = Read-Host -AsSecureString

# Unwrap the SecureString into a plain .NET string, then zero the unmanaged buffer.
$Ptr = [System.Runtime.InteropServices.Marshal]::SecureStringToCoTaskMemUnicode($ClientSecret)
$TheClientSecret = [System.Runtime.InteropServices.Marshal]::PtrToStringUni($Ptr)
[System.Runtime.InteropServices.Marshal]::ZeroFreeCoTaskMemUnicode($Ptr)

$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
$headers.Add("Content-Type", "application/x-www-form-urlencoded")

# The plaintext secret is interpolated into the form body string here; this string is what
# Invoke-RestMethod receives as its -Body parameter.
$body = "grant_type=client_credentials&client_id=aaaaaaaa-bbbb-cccc-dddd-ffffffffffff&client_secret=$TheClientSecret&scope=token"

$response = Invoke-RestMethod 'https://id.sophos.com/api/v2/oauth2/token' -Method 'POST' -Headers $headers -Body $body -ErrorVariable RespErr
$response | ConvertTo-Json

I decided to use bogus client secrets to test if they were being logged in the Windows Event Viewer. (Our environment uses PowerShell Script Block Logging and Module Logging.) It turns out that they were being logged (Event ID 4103):

ParameterBinding(Invoke-RestMethod): name="Headers"; value="System.Collections.Generic.Dictionary`2[System.String,System.String]"
ParameterBinding(Invoke-RestMethod): name="Body"; value="grant_type=client_credentials&client_id=aaaaaaaa-bbbb-cccc-dddd-ffffffffffff&client_secret=plaintextclientsecretuhoh&scope=token"
ParameterBinding(Invoke-RestMethod): name="Uri"; value="https://id.sophos.com/api/v2/oauth2/token"

Now, I realize that you need administrator privileges to view these logs (UPDATE: actually, it looks like Event ID 800 logs the same client secret, and non-administrators can view that); however, our logs are being ingested by a third-party SOC, so we'd rather not have them viewing plaintext client secrets (and passwords or encryption keys, for that matter).

Is there any way that we can securely construct API requests, with client secrets, in PowerShell that aren't logged in plaintext?
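One way to keep the secret out of the 4103 / 800 ParameterBinding records, as an added example that is not the poster's code: the ParameterBinding entries above are produced when a value is bound to a cmdlet parameter, so the token request below is built and sent entirely with .NET objects (HttpClient, FormUrlEncodedContent) and the response is parsed without piping the JSON through a cmdlet. It assumes Windows PowerShell 5.1 or PowerShell 7 with Module Logging enabled as in the question, and reuses the placeholder client_id from the question.

```powershell
# Added example (not the original poster's code). The client secret is unwrapped only inside
# this function, placed in a .NET dictionary and handed to HttpClient; no cmdlet ever receives
# it as a parameter, so Module Logging has no ParameterBinding value containing it.
Add-Type -AssemblyName System.Net.Http

function Get-SophosAccessToken {
    param(
        [Parameter(Mandatory)][string]$ClientId,
        [Parameter(Mandatory)][securestring]$ClientSecret  # a SecureString renders only as its type name if logged
    )
    $ptr = [Runtime.InteropServices.Marshal]::SecureStringToCoTaskMemUnicode($ClientSecret)
    try     { $plain = [Runtime.InteropServices.Marshal]::PtrToStringUni($ptr) }  # managed copy; cannot be zeroed
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeCoTaskMemUnicode($ptr) }

    # Form body as a .NET dictionary; FormUrlEncodedContent performs the URL encoding.
    $form = [System.Collections.Generic.Dictionary[string,string]]::new()
    $form['grant_type']    = 'client_credentials'
    $form['client_id']     = $ClientId
    $form['client_secret'] = $plain
    $form['scope']         = 'token'
    $content = [System.Net.Http.FormUrlEncodedContent]::new($form)

    $client = [System.Net.Http.HttpClient]::new()
    try {
        $resp = $client.PostAsync('https://id.sophos.com/api/v2/oauth2/token', $content).GetAwaiter().GetResult()
        [void]$resp.EnsureSuccessStatusCode()
        $json = $resp.Content.ReadAsStringAsync().GetAwaiter().GetResult()
    } finally {
        $content.Dispose(); $client.Dispose()
    }

    # Parse with .NET rather than ConvertFrom-Json: binding the raw JSON to a cmdlet's
    # -InputObject would put the access_token into the same 4103 / 800 records.
    if ($PSVersionTable.PSEdition -eq 'Core') {
        return [System.Text.Json.JsonDocument]::Parse($json).RootElement.GetProperty('access_token').GetString()
    } else {
        Add-Type -AssemblyName System.Web.Extensions
        $parsed = [System.Web.Script.Serialization.JavaScriptSerializer]::new().DeserializeObject($json)
        return [string]$parsed['access_token']
    }
}

# Usage (client_id is the placeholder from the question). Assign the result instead of emitting it:
# anything written to the pipeline is bound to Out-Default's -InputObject and logged the same way.
$secret = Read-Host -Prompt 'Sophos API client secret' -AsSecureString
$token  = Get-SophosAccessToken -ClientId 'aaaaaaaa-bbbb-cccc-dddd-ffffffffffff' -ClientSecret $secret
```

Script Block Logging (4104) still records the script text, which is fine because the text contains no secret; the same rule applies to later calls, so pass $token to subsequent requests through .NET HttpClient headers rather than as an Invoke-RestMethod -Headers string value.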