Application security established itself as an absolute necessity long ago. From lean startups to scaled-up unicorns, product companies have recognised the need to protect important business assets with mature security practices. However, cross-skill development between product teams such as Security, Development and QA is still found lacking today. Consider a developer, for example: the security of the application begins with them. A developer with a sound understanding of security will create a more secure application than one without. When an application is secure by design, it is easier and quicker to take it to market. In a DevOps environment, therefore, it pays to be a security-conscious developer who follows security best practices while writing code. One such proactive security measure taken by developers is to use Base64 to prevent XSS (Cross-Site Scripting) attacks.
In this blog I wish to discuss why preventing XSS with only Base64 is a bad idea. But before we get into that, let me give you a short description of what XSS (Cross-Site Scripting) and Base64 are.
According to OWASP,
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.
XSS attacks can generally be categorized into two categories: stored and reflected.
In a reflected XSS attack, the attack is in the request itself (frequently the URL) and the vulnerability occurs when the server inserts the attack in the response verbatim or incorrectly escaped or sanitized. The victim triggers the attack by browsing to a malicious URL created by the attacker.
In a stored XSS attack, the attacker stores the attack in the application (e.g., in a snippet) and the victim triggers the attack by browsing to a page on the server that renders the attack, by not properly escaping or sanitizing the stored data.
What does Base64 mean:
Base64 is an encoding and decoding technique used to convert binary data to an American Standard Code for Information Interchange (ASCII) text format, and vice versa. It is used to transfer data over a medium that only supports ASCII, such as email messages using Multipurpose Internet Mail Extensions (MIME) and Extensible Markup Language (XML) data.
OK, let's get to it then. Below are my learnings from a past project.
During penetration testing of a client's web application, I noticed that some of the URL parameter values were encoded with base64. So I decoded one of the parameter's values (MotsClefs=QW1hem9u) and found a meaningful string (amazon).
The value of parameter ‘motoclef’ is base64 encoded
Payload: <script>alert(document.cookie+'a')</script>
Base64 value: PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUrJ2EnKTwvc2NyaXB0Pg==
But the same 'transparent base64 security' turned into a severe vulnerability on other pages of the web application, namely the 'Contact us' page, where a user can send queries, and the 'Query status' page, where the user can check the current status of the query they have sent.
The value of parameter ‘Object’ is base64 encoded
Payload: <script>alert('stored_xss1');</script>
The request was sent successfully and the payload executed on the 'Query Status' page. Unsurprisingly, it was a stored XSS, and I don't have to say how bad a stored XSS is.
The payload executed on the 'Query Status' page was a stored XSS
Sanitizing user input is especially helpful on sites that allow HTML markup. It ensures that the data received can do no harm to users or to your database, by scrubbing the data of potentially harmful markup and changing unacceptable user input into an acceptable format.
Validating input is the process of ensuring an application is rendering the correct data and preventing malicious data from doing harm to the site, database, and users.
Escaping data means taking the data an application has received and ensuring it is safe before rendering it for the end user. By escaping user input, key characters in the data received by a web page are prevented from being interpreted in any malicious way.
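To make the point of the finding above concrete, here is an added Python example (not code from the original post or the tested application) of a handler that base64-decodes a query parameter the way the application did and renders it into a page: once with the bug described above, and once with HTML escaping applied after decoding. The template, the function names and the strict decode check are assumptions for the example; the payload and its base64 form are the ones shown earlier in the post.

```python
import base64
import binascii
import html

# Constructed sample input: the same payload and base64 value shown in the post.
PAYLOAD = "<script>alert(document.cookie+'a')</script>"
B64_PAYLOAD = "PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUrJ2EnKTwvc2NyaXB0Pg=="

# Hypothetical page template the parameter value is placed into.
TEMPLATE = "<p>Search results for: {value}</p>"


def decode_param(b64_value: str) -> str:
    """Decode a base64 query parameter; reject values that are not valid base64."""
    try:
        # validate=True refuses characters outside the base64 alphabet.
        raw = base64.b64decode(b64_value, validate=True)
    except (binascii.Error, ValueError):
        raise ValueError("parameter is not valid base64")
    return raw.decode("utf-8", errors="strict")


def render_vulnerable(b64_value: str) -> str:
    """Mirrors the bug in the post: decode, then put the text into HTML as-is.
    Base64 only changes how the value travels; after decoding, the browser
    receives the original markup unchanged."""
    return TEMPLATE.format(value=decode_param(b64_value))


def render_escaped(b64_value: str) -> str:
    """Hardened form: decode, then HTML-escape before placing the value in the
    page body, so '<', '>', '&' and quotes render as text, not as markup."""
    return TEMPLATE.format(value=html.escape(decode_param(b64_value), quote=True))


def contains_markup(rendered: str, tag: str = "<script") -> bool:
    """Check a reviewer or unit test can use: did a raw tag survive into the HTML?"""
    return tag in rendered.lower()


if __name__ == "__main__":
    print("decoded  :", decode_param(B64_PAYLOAD))
    print("vulnerable:", render_vulnerable(B64_PAYLOAD))
    print("escaped   :", render_escaped(B64_PAYLOAD))
```

The vulnerable output contains the literal `<script>` tag, while the escaped output carries `&lt;script&gt;`, which is what the validate/escape advice above boils down to.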
Also, refer to the OWASP XSS Prevention Cheat Sheet for more details.
Developers may try to make websites look more secure by using cryptic URLs and parameters, but this does not protect web applications from attacks like XSS unless the user input is properly sanitized, validated and escaped. I hope you found this a helpful read.