{"id":2558,"date":"2017-05-10T16:22:06","date_gmt":"2017-05-10T19:22:06","guid":{"rendered":"http:\/\/www.dbarj.com.br\/?p=2558\/"},"modified":"2017-05-10T17:02:04","modified_gmt":"2017-05-10T20:02:04","slug":"removing-exposed-http-digest-hash-user-oracle-12-1","status":"publish","type":"post","link":"https:\/\/www.dbarj.com.br\/en\/2017\/05\/removing-exposed-http-digest-hash-user-oracle-12-1\/","title":{"rendered":"Removing exposed HTTP Digest hash from user$ in Oracle 12.1"},"content":{"rendered":"<h2>Background<\/h2>\n<p>Oracle 12.1 has introduced a lot of new cool security features and improvements. We all agree with that.<\/p>\n<p>However, one of the most bizarre and security vulnerability things that Oracle did in this\u00a0release was introducing <strong>HTTP Digest Authentication<\/strong> to allow XDB users to log in. The new <strong>EM Express Edition<\/strong> is one of the built-in\u00a0applications based on XDB.<\/p>\n<p>Before going deeper, let me just to give an overview of the passwords hashes that an user can have:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"oracledb\">SQL&gt; alter user c##DBARJ identified by oracle;\r\n\r\nUser altered.\r\n\r\nSQL&gt; select password, spare4 from user$ where name='C##DBARJ';\r\n\r\nPASSWORD\r\n----------------\r\nSPARE4\r\n--------------------------------------------------------------------------------\r\n099284AE54251642\r\nS:36A79DEC4FA97F7F2A3AA58CE151F71BB32D78D9DE5839BB9208FAAAFFD8;H:6747F421C1E3C9B\r\nABE3E7CE6EB6FD08A;T:F561744F19996B34313890FEE14459D903CB1B61552AAA25C45F765DB67A\r\n5B49116955377262F9AB6B3E52FF60BEECFFCB8010A37ABBD19A243B3300A2543610495AC1F86703\r\nAC121AD6FCAA5DD80FB6\r\n\r\nSQL&gt;\r\n<\/pre>\n<p>What is each column and each attribute?<\/p>\n<ul>\n<li>USER$.PASSWORD &#8211; <strong>DES<\/strong> password hash used from Oracle 6 until 10g.<\/li>\n<li>USER$.SPARE4 (attribute S:) &#8211; <strong>SHA1<\/strong> password hash introduced on Oracle 11g.<\/li>\n<li>USER$.SPARE4 (attribute T:) &#8211;\u00a0<strong>PBKDF2<\/strong> password hash introduced\u00a0 on Oracle 12.1.0.2.<\/li>\n<li>USER$.SPARE4 (attribute H:) &#8211; <strong>HTTP Digest<\/strong> password hash introduced on Oracle 12.1.0.1.<\/li>\n<\/ul>\n<p>The biggest problem is that HTTP Digest is a\u00a0very old <a href=\"https:\/\/www.ietf.org\/rfc\/rfc2617.txt\" target=\"_blank\" rel=\"noopener noreferrer\">RFC<\/a> (1999) based on <span style=\"color: #800000;\"><strong>Unsalted MD5<\/strong><\/span> and very fast to crack if we use multi-nodes GPU clusters to break it.<\/p>\n<p>And if we compare the benchmarks of how many hashes we can generate per second using a very strong cracking tool like <a href=\"https:\/\/sagitta.pw\/hardware\/gpu-compute-nodes\/brutalis\/\" target=\"_blank\" rel=\"noopener noreferrer\">Brutalis<\/a>, we have:<\/p>\n<p>&nbsp;<\/p>\n<table style=\"width: 352.567px;\">\n<tbody>\n<tr style=\"height: 18px;\">\n<td style=\"width: 172px; height: 18px;\"><strong>Hash Type<\/strong><\/td>\n<td style=\"width: 156.567px; height: 18px;\"><strong>Speed (H\/s)<\/strong><\/td>\n<\/tr>\n<tr style=\"height: 18px;\">\n<td style=\"width: 172px; height: 18px;\">HTTP Digest &#8211; MD5<\/td>\n<td style=\"width: 156.567px; height: 18px;\">200.300.000.000<\/td>\n<\/tr>\n<tr style=\"height: 18px;\">\n<td style=\"width: 172px; height: 18px;\">DES: (Oracle: 7+)<\/td>\n<td style=\"width: 156.567px; height: 18px;\">7.208.400.000<\/td>\n<\/tr>\n<tr style=\"height: 18px;\">\n<td style=\"width: 172px; height: 18px;\">SHA1: Type: (Oracle: 11+)<\/td>\n<td style=\"width: 156.567px; height: 18px;\">68.697.900.000<\/td>\n<\/tr>\n<tr style=\"height: 7.76666px;\">\n<td style=\"width: 172px; height: 7.76666px;\">PBKDF2: (Oracle: 12+)<\/td>\n<td style=\"width: 156.567px; height: 7.76666px;\">818.000<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>So when you create or alter an user password in 12.1, for every very strong <strong>PBKDF2<\/strong>\u00a0hash you will also have a <strong>MD5<\/strong>\u00a0hash that can be broken <span style=\"text-decoration: underline; font-size: 12pt;\">245.000<\/span> times faster.. of course that if your users hashes somehow get exposed, hackers will try to break the HTTP Digest password instead of any other.<\/p>\n<h2>How to hide weaker hashes<\/h2>\n<p>Hiding the DES and SHA1 hashes can be achieved through <a href=\"https:\/\/docs.oracle.com\/database\/121\/NETRF\/sqlnet.htm\" target=\"_blank\" rel=\"noopener noreferrer\">SQLNET.ALLOWED_LOGON_VERSION_SERVER<\/a> parameter:<\/p>\n<ul>\n<li><b>Default = 8 -&gt; ALL HASHES <\/b><b>are stored.<\/b><\/li>\n<li><b>= 9, 10 or 11 -&gt; ALL HASHES are still stored.<br \/>\n<\/b><\/li>\n<li><b>= 12\u00a0 -&gt; Remove HASHES in<\/b><b> DES (<\/b><b>user$.password<\/b><b>)<\/b><\/li>\n<li><b>= 12a -&gt; Remove HASHES in<\/b><b> SHA1 (user$.spare4<\/b>)<\/li>\n<\/ul>\n<p>The change will only be noticed next time the user has his password updated.<\/p>\n<p>However, there is no explicit documented way to remove the HTTP Digest (in Oracle 12.1).<br \/>\nSo, after researching a lot, I&#8217;ve decided to create my own solution: <span style=\"text-decoration: underline;\">forcefully remove them<\/span>.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"oracledb\">update user$\r\nset spare4 = regexp_replace(spare4,'H:([[:digit:]]|[A-F])*(;)?','')\r\nwhere instr(spare4, 'H:')&gt;0;<\/pre>\n<p><span style=\"color: #ff0000;\"><strong>** Please note the this is not an approved nor recommended solution by Oracle.<\/strong><\/span><\/p>\n<p>The update statement above will simply remove all <strong>HTTP Digest<\/strong> hashes from spare4 column. We can also automatize this removal for every new\/altered\u00a0user creating the trigger below:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"oracledb\">CREATE OR REPLACE TRIGGER Sys_User_Remove_Digest\r\nAFTER CREATE OR ALTER ON DATABASE\r\nWHEN (ora_dict_obj_type = 'USER')\r\nBEGIN\r\n\u00a0 update user$\r\n\u00a0 set spare4 = regexp_replace(spare4,'H:([[:digit:]]|[A-F])*(;)?','')\r\n\u00a0 where instr(spare4, 'H:')&gt;0 and name=ora_dict_obj_name;\r\nEND;\r\n\/\r\n<\/pre>\n<p><span style=\"color: #ff0000;\"><strong>** AGAIN, please note the this is not an approved nor recommended solution by Oracle.<\/strong><\/span><\/p>\n<p>After all are removed, now you are secured without MD5 unsalted hashes of your users passwords. However, of course that any attempt to authenticate a user via HTTP Digest of XDB will fail as the user hash does not exist anymore.<\/p>\n<p><strong>P.S: I&#8217;ve tested this in multiple databases and so far I didn&#8217;t have any problem (note I&#8217;m not using XDB or EM Express).<\/strong><\/p>\n<p>You can check for any remaining Digest by either checking for &#8220;H:&#8221; attribute in spare4 column or by\u00a0running:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"oracledb\">select * from dba_digest_verifiers;<\/pre>\n<p>To undo all those changes, you can simply remove the trigger and expire the passwords of affected users.<\/p>\n<h2>What about 12.2 ?<\/h2>\n<p>In Oracle 12.2, they modified this exposure and now HTTP Digest are <strong>not<\/strong> enabled by default.<\/p>\n<blockquote><p>In 12.2 release, all DB users will have their HTTP Digest<br \/>\nverifiers disabled by default at the time of creation.<br \/>\nA separate [HTTP] DIGEST [ENABLE|DISABLE] clause has been added to<br \/>\n[CREATE|ALTER] USER DDLs to support generation of these verifiers on a<br \/>\nper-user basis.<\/p><\/blockquote>\n<p>For users with enabled HTTP Digest, we should see\u00a0&#8220;HTTP&#8221; in PASSWORD_VERSIONS column of DBA_USERS.<\/p>\n<p>More details about the syntax is available at\u00a0the\u00a0<a href=\"https:\/\/docs.oracle.com\/database\/122\/SQLRF\/CREATE-USER.htm\" target=\"_blank\" rel=\"noopener noreferrer\">Oracle Official Doc<\/a>.<\/p>\n<div class='watch-action'><div class='watch-position align-left'><div class='action-like'><a class='lbg-style2 like-2558 jlk' href='javascript:void(0)' data-task='like' data-post_id='2558' data-nonce='de4404f630' rel='nofollow'><img class='wti-pixel' src='https:\/\/www.dbarj.com.br\/wp-content\/plugins\/wti-like-post\/images\/pixel.gif' title='Like' \/><span class='lc-2558 lc'>+3<\/span><\/a><\/div><\/div> <div class='status-2558 status align-left'><\/div><\/div><div class='wti-clear'><\/div>","protected":false},"excerpt":{"rendered":"<p>Background Oracle 12.1 has introduced a lot of new cool security features and improvements. We all agree with that. However, one of the most bizarre and security vulnerability things that Oracle did in this\u00a0release was introducing HTTP Digest Authentication to allow XDB users to log in. The new EM Express Edition is one of the &hellip; <\/p>\n<p><a class=\"more-link btn\" href=\"https:\/\/www.dbarj.com.br\/en\/2017\/05\/removing-exposed-http-digest-hash-user-oracle-12-1\/\">Continue reading<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20],"tags":[],"class_list":["post-2558","post","type-post","status-publish","format-standard","hentry","category-security-en","item-wrap"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Removing exposed HTTP Digest hash from user$ in Oracle 12.1 - DBA - Rodrigo Jorge - Oracle Tips and Guides<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.dbarj.com.br\/en\/2017\/05\/removing-exposed-http-digest-hash-user-oracle-12-1\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"DBA RJ\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.dbarj.com.br\\\/en\\\/2017\\\/05\\\/removing-exposed-http-digest-hash-user-oracle-12-1\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.dbarj.com.br\\\/en\\\/2017\\\/05\\\/removing-exposed-http-digest-hash-user-oracle-12-1\\\/\"},\"author\":{\"name\":\"DBA RJ\",\"@id\":\"https:\\\/\\\/www.dbarj.com.br\\\/en\\\/#\\\/schema\\\/person\\\/28a44ca3a6633fe4156ad1ea209d40a9\"},\"headline\":\"Removing exposed HTTP Digest hash from user$ in Oracle 12.1\",\"datePublished\":\"2017-05-10T19:22:06+00:00\",\"dateModified\":\"2017-05-10T20:02:04+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.dbarj.com.br\\\/en\\\/2017\\\/05\\\/removing-exposed-http-digest-hash-user-oracle-12-1\\\/\"},\"wordCount\":613,\"commentCount\":4,\"publisher\":{\"@id\":\"https:\\\/\\\/www.dbarj.com.br\\\/en\\\/#\\\/schema\\\/person\\\/28a44ca3a6633fe4156ad1ea209d40a9\"},\"articleSection\":[\"Database Security\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/www.dbarj.com.br\\\/en\\\/2017\\\/05\\\/removing-exposed-http-digest-hash-user-oracle-12-1\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.dbarj.com.br\\\/en\\\/2017\\\/05\\\/removing-exposed-http-digest-hash-user-oracle-12-1\\\/\",\"url\":\"https:\\\/\\\/www.dbarj.com.br\\\/en\\\/2017\\\/05\\\/removing-exposed-http-digest-hash-user-oracle-12-1\\\/\",\"name\":\"Removing exposed HTTP Digest hash from user$ in Oracle 12.1 - DBA - Rodrigo Jorge - Oracle Tips and Guides\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.dbarj.com.br\\\/en\\\/#website\"},\"datePublished\":\"2017-05-10T19:22:06+00:00\",\"dateModified\":\"2017-05-10T20:02:04+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.dbarj.com.br\\\/en\\\/2017\\\/05\\\/removing-exposed-http-digest-hash-user-oracle-12-1\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.dbarj.com.br\\\/en\\\/2017\\\/05\\\/removing-exposed-http-digest-hash-user-oracle-12-1\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.dbarj.com.br\\\/en\\\/2017\\\/05\\\/removing-exposed-http-digest-hash-user-oracle-12-1\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.dbarj.com.br\\\/en\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Removing exposed HTTP Digest hash from user$ in Oracle 12.1\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.dbarj.com.br\\\/en\\\/#website\",\"url\":\"https:\\\/\\\/www.dbarj.com.br\\\/en\\\/\",\"name\":\"DBA - Rodrigo Jorge - Oracle Tips and Guides\",\"description\":\"Blog about Databases, Security and High Availability\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.dbarj.com.br\\\/en\\\/#\\\/schema\\\/person\\\/28a44ca3a6633fe4156ad1ea209d40a9\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.dbarj.com.br\\\/en\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\\\/\\\/www.dbarj.com.br\\\/en\\\/#\\\/schema\\\/person\\\/28a44ca3a6633fe4156ad1ea209d40a9\",\"name\":\"DBA RJ\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.dbarj.com.br\\\/wp-content\\\/uploads\\\/2019\\\/09\\\/RodrigoJorgePOUG19.png\",\"url\":\"https:\\\/\\\/www.dbarj.com.br\\\/wp-content\\\/uploads\\\/2019\\\/09\\\/RodrigoJorgePOUG19.png\",\"contentUrl\":\"https:\\\/\\\/www.dbarj.com.br\\\/wp-content\\\/uploads\\\/2019\\\/09\\\/RodrigoJorgePOUG19.png\",\"width\":712,\"height\":712,\"caption\":\"DBA RJ\"},\"logo\":{\"@id\":\"https:\\\/\\\/www.dbarj.com.br\\\/wp-content\\\/uploads\\\/2019\\\/09\\\/RodrigoJorgePOUG19.png\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Removing exposed HTTP Digest hash from user$ in Oracle 12.1 - DBA - Rodrigo Jorge - Oracle Tips and Guides","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.dbarj.com.br\/en\/2017\/05\/removing-exposed-http-digest-hash-user-oracle-12-1\/","twitter_misc":{"Written by":"DBA RJ","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.dbarj.com.br\/en\/2017\/05\/removing-exposed-http-digest-hash-user-oracle-12-1\/#article","isPartOf":{"@id":"https:\/\/www.dbarj.com.br\/en\/2017\/05\/removing-exposed-http-digest-hash-user-oracle-12-1\/"},"author":{"name":"DBA RJ","@id":"https:\/\/www.dbarj.com.br\/en\/#\/schema\/person\/28a44ca3a6633fe4156ad1ea209d40a9"},"headline":"Removing exposed HTTP Digest hash from user$ in Oracle 12.1","datePublished":"2017-05-10T19:22:06+00:00","dateModified":"2017-05-10T20:02:04+00:00","mainEntityOfPage":{"@id":"https:\/\/www.dbarj.com.br\/en\/2017\/05\/removing-exposed-http-digest-hash-user-oracle-12-1\/"},"wordCount":613,"commentCount":4,"publisher":{"@id":"https:\/\/www.dbarj.com.br\/en\/#\/schema\/person\/28a44ca3a6633fe4156ad1ea209d40a9"},"articleSection":["Database Security"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.dbarj.com.br\/en\/2017\/05\/removing-exposed-http-digest-hash-user-oracle-12-1\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.dbarj.com.br\/en\/2017\/05\/removing-exposed-http-digest-hash-user-oracle-12-1\/","url":"https:\/\/www.dbarj.com.br\/en\/2017\/05\/removing-exposed-http-digest-hash-user-oracle-12-1\/","name":"Removing exposed HTTP Digest hash from user$ in Oracle 12.1 - DBA - Rodrigo Jorge - Oracle Tips and Guides","isPartOf":{"@id":"https:\/\/www.dbarj.com.br\/en\/#website"},"datePublished":"2017-05-10T19:22:06+00:00","dateModified":"2017-05-10T20:02:04+00:00","breadcrumb":{"@id":"https:\/\/www.dbarj.com.br\/en\/2017\/05\/removing-exposed-http-digest-hash-user-oracle-12-1\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.dbarj.com.br\/en\/2017\/05\/removing-exposed-http-digest-hash-user-oracle-12-1\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.dbarj.com.br\/en\/2017\/05\/removing-exposed-http-digest-hash-user-oracle-12-1\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.dbarj.com.br\/en\/"},{"@type":"ListItem","position":2,"name":"Removing exposed HTTP Digest hash from user$ in Oracle 12.1"}]},{"@type":"WebSite","@id":"https:\/\/www.dbarj.com.br\/en\/#website","url":"https:\/\/www.dbarj.com.br\/en\/","name":"DBA - Rodrigo Jorge - Oracle Tips and Guides","description":"Blog about Databases, Security and High Availability","publisher":{"@id":"https:\/\/www.dbarj.com.br\/en\/#\/schema\/person\/28a44ca3a6633fe4156ad1ea209d40a9"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.dbarj.com.br\/en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":["Person","Organization"],"@id":"https:\/\/www.dbarj.com.br\/en\/#\/schema\/person\/28a44ca3a6633fe4156ad1ea209d40a9","name":"DBA RJ","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.dbarj.com.br\/wp-content\/uploads\/2019\/09\/RodrigoJorgePOUG19.png","url":"https:\/\/www.dbarj.com.br\/wp-content\/uploads\/2019\/09\/RodrigoJorgePOUG19.png","contentUrl":"https:\/\/www.dbarj.com.br\/wp-content\/uploads\/2019\/09\/RodrigoJorgePOUG19.png","width":712,"height":712,"caption":"DBA RJ"},"logo":{"@id":"https:\/\/www.dbarj.com.br\/wp-content\/uploads\/2019\/09\/RodrigoJorgePOUG19.png"}}]}},"_links":{"self":[{"href":"https:\/\/www.dbarj.com.br\/en\/wp-json\/wp\/v2\/posts\/2558","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dbarj.com.br\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dbarj.com.br\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dbarj.com.br\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dbarj.com.br\/en\/wp-json\/wp\/v2\/comments?post=2558"}],"version-history":[{"count":0,"href":"https:\/\/www.dbarj.com.br\/en\/wp-json\/wp\/v2\/posts\/2558\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.dbarj.com.br\/en\/wp-json\/wp\/v2\/media?parent=2558"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dbarj.com.br\/en\/wp-json\/wp\/v2\/categories?post=2558"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dbarj.com.br\/en\/wp-json\/wp\/v2\/tags?post=2558"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}