pspete / psPAS

PowerShell module for CyberArk Privileged Access Security REST API
https://pspas.pspete.dev
MIT License
293 stars 91 forks

HTTP 400 Potentially Dangerous Error with Special Characters in Account Password #244

Closed NathanielMaier closed 4 years ago

NathanielMaier commented 4 years ago

Describe the issue

I'm trying to use Invoke-PASCPMOperation to change the password (in the Vault only) for an existing account. Unfortunately, I'm getting an HTTP 400 error saying "A potentially dangerous value was detected from the client." I suspect this is related to one or more special characters in the password, but I'm hopeful there's some workaround for this.

The password in question does contain both a comma and a less-than character ("," and "<"). I suspect that "dangerous value" is related to the "<" character.

To Reproduce

Steps to reproduce the behavior:

  1. Establish New-PASSession
  2. $existingAccount = Get-PASAccount -Safe "SafeName" -Keywords "search string returning 1 account"
  3. $securestring = (Get-PASAccountPassword -AccountID $existingAccount.AccountID -Reason $reason).ToSecureString()
  4. Invoke-PASCPMOperation -AccountID $account.id -ChangeTask -NewCredentials $securestring -Verbose -Debug

Expected behavior

I expect the password to be set correctly/updated in the Vault. Any hints on how to get this working would be terrific!

Screenshots & Console Output

Console Output Code Block:

> Invoke-PASCPMOperation -AccountID $account.id -ChangeTask -NewCredentials $securestring -Verbose -Debug
DEBUG: [Body] {
    "NewCredentials":  "******",
}
VERBOSE: POST https://PVWA_Address/PasswordVault/API/Accounts/278_210/Password/Update with -1-byte payload
Invoke-PASRestMethod : [400] A potentially dangerous value was detected from the client.
At line:285 char:4
+             Invoke-PASRestMethod @ThisRequest
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: ({"ErrorCode":"P...m the client."}:ErrorRecord) [Invoke-PASRestMethod], Exception
    + FullyQualifiedErrorId : PASWS084E,Invoke-PASRestMethod

Your Environment

Additional context

I wonder if this is at all related to issue #243 - I know it's a different error, but could a similar approach be used to "escape" the potentially-dangerous special characters?

Also for awareness, I tried using the Password Upload Utility for this instead of psPAS, but ran into a separate/unrelated issue: the password in question has a comma (",") included and PUU/PACLI does not seem to handle that well, with or without double quotes in the CSV file.

pspete commented 4 years ago

It sounds like cross-site scripting protection or similar. If you wanted to investigate the validity of escaping values, you can create your own requests fairly simply using the module to help:

# After New-PASSession, reuse the module's session details
$s = Get-PASSession

$id = "278_210"
$pw = "PasswordStringValue"

# Build the request to the password update endpoint by hand
$Request = @{
    "Body"        = @{ "NewCredentials" = $pw } | ConvertTo-Json
    "Method"      = "POST"
    "Uri"         = "$($s.BaseUri)/API/Accounts/$id/Password/Update"
    "WebSession"  = $s.WebSession
    "ContentType" = "application/json"
}
Invoke-RestMethod @Request

NathanielMaier commented 4 years ago

Thanks, @pspete. I agree this looks like the XSS-protection or something, but I'm surprised to see that related to password content. I of course can use the "," and "<" characters in a password via the PVWA interactively, so I wonder if this is a bug that the REST API is complaining.

I'll try some troubleshooting with your Invoke-RestMethod suggestion and let you know if I'm able to make any progress using a password with the "," and "<" characters. Thanks!

pspete commented 4 years ago

Provisions/attempts to circumvent security protections or similar which exist in the API will not be made part of the module; now closing this - hopefully acceptable with you.