Web application threats come in different shapes and sizes. These threats mostly stem from web application vulnerabilities, published daily by the vendors themselves or by third-party researchers, followed by vigilant attackers exploiting them. To cover their tracks and increase their attack success rate, hackers often obfuscate attacks using different techniques.

Obfuscation of web application attacks can be extremely complicated, involving custom-made encoding schemes made by the attacker to suit a specific need. Alternatively, and as described in a recent spam campaign research we conducted, obfuscation of web application attacks can be as simple as importing common encoding schemes and re-encoding the attack payloads multiple times.

In this blog post, we’ll dive deep into one of the simplest obfuscation techniques commonly used by web application attackers – Base64 – and uncover some of the traits making it so unique and interesting from the defender perspective.

What is Base64?

Base64 is an encoding mechanism used to represent and stream binary data over mediums limited to printable characters only. The name Base64 comes from the fact that each output character is represented in 6 bits, hence there are 64 characters that can be represented: lower and upper case letters, numbers and the “+” and “/” signs.

Originally, Base64 encoding was used to safely transfer email messages, including binary attachments, over the web. Today, Base64 encoding is widely used to transfer any type of binary data across the web as a means to ensure data integrity at the recipient.

In short, Base64 takes three 8-bit ASCII characters as input, making 24 bits in total. It then splits these 24 bits into four groups of six bits each and translates each six-bit group into a character using the Base64 encoding table. If there are fewer than three characters in the last input group, the encoder pads the Base64 output using the “=” sign.

Since Base64 is commonly used to encode and transfer data over the web, security controls often decode the traffic as a preprocessing step just before analyzing it. Unfortunately, this encoding technique is often abused and used to carry obfuscated malicious payloads disguised as legitimate Base64-encoded content.

While Base64 encoding is very useful to transfer binary data over the web, there is no practical need to encode the same text multiple times. With that in mind, it’s a common practice among attackers to obfuscate their attacks using multiple encodings of the same text, to the extent of encoding an attack a few dozen times to evade detection.

Thanks to some interesting characteristics of Base64, however, encoding the attack payload multiple times in Base64 actually makes things worse for the attacker and easier for the defender. Every three 8-bit characters encoded in Base64 are transformed into four 6-bit characters, which is why multiple encoding with Base64 increases the output size. More precisely, the output grows exponentially, multiplying itself by 1.3333 with each encoding (see Figure 1).

Figure 3: Encoding of the letter “a” multiple times in Base64.

Attacker Lose-Lose Situation

Attackers trying to obfuscate their attacks using multiple Base64 encodings face a problem. Either they encode their attack payload a small number of times, making it feasible for the defender to decode and identify it. Alternatively, they can encode the input multiple times, generating a very large payload that is unfeasible to decode, but one that also possesses a stronger, fixed Base64 prefix fingerprint for the defender to detect.

Multiple Base64 encoding = Longer fixed prefix = Stronger attack detection fingerprint

Possible Mitigation

There are three primary strategies to consider for mitigation of attacks encoded in Base64:

Multiple decoding

Attacks encoded multiple times in Base64 may be mitigated by decoding the input several times until the real payload is revealed. This method might seem to work, but it opens a door for another vulnerability – Denial of Service (DoS). Decoding a very long text multiple times may take a lot of time. While attackers need to create the long encoded attack only once, the defender must decode it on every incoming request in order to identify and mitigate the attack in full. Thus, decoding the input several times opens the door for attackers to launch DoS attacks by sending several long encoded texts. Additionally, even if the defender decodes the input many times, say ten, the attacker can just encode the attack once more and evade detection. So, decoding the input multiple times is neither sufficient nor efficient when the attacks are encoded multiple times. In the case of Base64, however, thanks to the special characteristics of the encoding scheme, there are other ways to mitigate multiple encodings.

Suspicious Content Detection

As described above, increasing Base64 encoding = longer fixed prefix = stronger attack detection fingerprint.
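The 3-bytes-to-4-symbols mechanics described under “What is Base64?” and the growth and fixed-prefix behaviour described in the later sections, as an added Python example that is not part of the original post. It goes one step beyond the post’s letter-“a” figure: the shared prefix is computed over several unrelated seeds, which shows that the fixed prefix is a property of Base64 itself and is the same for every input (it begins with “Vm0wd2Q”). The seed strings, the 22-byte innermost plaintext, the 30-round depth and the 64-byte prefix window are all constructed for the demonstration; `fingerprint_score` and `decode_cost` are hypothetical helper names, not a product feature.

```python
import base64
import binascii

ALPHABET = (b"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            b"abcdefghijklmnopqrstuvwxyz0123456789+/")


def b64_encode_manual(data: bytes) -> bytes:
    """Hand-rolled Base64: every 3 input bytes (24 bits) become 4 six-bit
    symbols; a final group of 1 or 2 bytes is padded with '='."""
    out = bytearray()
    for i in range(0, len(data), 3):
        group = data[i:i + 3]
        # Pack up to 24 bits, zero-filling the missing bytes of a short group.
        bits = int.from_bytes(group.ljust(3, b"\x00"), "big")
        symbols = [(bits >> shift) & 0x3F for shift in (18, 12, 6, 0)]
        keep = len(group) + 1        # 1 byte -> 2 symbols, 2 -> 3, 3 -> 4
        out += bytes(ALPHABET[s] for s in symbols[:keep])
        out += b"=" * (4 - keep)
    return bytes(out)


def encode_times(data: bytes, depth: int) -> bytes:
    """Apply Base64 `depth` times (stdlib encoder; it agrees with the manual one)."""
    if not data:
        raise ValueError("empty input never grows: Base64 of b'' is b''")
    out = data
    for _ in range(depth):
        out = base64.b64encode(out)
    return out


def length_growth(data: bytes, depth: int) -> list:
    """Output length after 0..depth encodings; each step is 4*ceil(n/3), i.e. ~x1.333."""
    return [len(encode_times(data, d)) for d in range(depth + 1)]


def common_prefix_len(a: bytes, b: bytes) -> int:
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


# Constructed seeds with nothing in common: whatever their encodings share after
# `depth` rounds is a property of Base64 itself, not of the input.
SEEDS = [b"\x00", b"\xff\xfe", b"hello world", bytes(range(256)), b"/+9"]


def universal_prefix_len(depth: int) -> int:
    """Leading characters that every payload shares after `depth` encodings."""
    encoded = [encode_times(s, depth) for s in SEEDS]
    return min(common_prefix_len(encoded[0], e) for e in encoded[1:])


# The limit the shared prefix converges to. Thirty rounds fix well over 64
# leading characters, so the seed no longer matters here (it starts "Vm0wd2Q").
FIXED_PREFIX = encode_times(b"a", 30)[:64]


def fingerprint_score(sample: bytes) -> int:
    """Cheap detector (hypothetical helper): how far `sample` matches the fixed
    prefix. Reads at most 64 bytes and never decodes, so long inputs cost nothing extra."""
    return common_prefix_len(sample, FIXED_PREFIX)


def decode_cost(sample: bytes, max_depth: int = 64) -> tuple:
    """The 'multiple decoding' strategy: peel layers until the content stops
    being valid Base64. Returns (layers removed, bytes fed to the decoder)."""
    depth, cost, current = 0, 0, sample
    while depth < max_depth:
        try:
            decoded = base64.b64decode(current, validate=True)
        except binascii.Error:
            break                    # innermost content reached
        cost += len(current)
        depth += 1
        current = decoded
    return depth, cost


if __name__ == "__main__":
    sample = b"plain text, not base64"   # constructed innermost payload
    print("growth of b'a':", length_growth(b"a", 10))
    for d in (4, 8, 12, 16, 20):
        print(f"after {d:2d} encodings every input shares "
              f"{universal_prefix_len(d):3d} leading characters")
    nested = encode_times(sample, 12)
    print("fixed prefix:", FIXED_PREFIX[:16], "...")
    print("12x nested sample: score", fingerprint_score(nested),
          "decode cost", decode_cost(nested))
    print("plain Base64 sample: score",
          fingerprint_score(base64.b64encode(b"hello world")))
```

The two detectors make the post’s cost asymmetry concrete: for the 22-byte plaintext nested 12 times, `decode_cost` has to feed more than 3 KB through the decoder before it reaches the payload, and one more encoding round by the sender adds another third to that bill, whereas `fingerprint_score` never reads past the 64-byte window. The prefix check is a heuristic, not a proof of nesting: a single-round Base64 blob scores 0 because it starts with whatever its first input byte dictates, while a deeply nested one scores at least 6 at twelve rounds and more as the depth grows.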