xss protection through base64

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

shawngoldw
Forum Contributor
Posts: 212
Joined: Mon Apr 05, 2010 3:38 pm

xss protection through base64

Post by shawngoldw »

I heard that Dan Kaminsky, a security researcher (http://en.wikipedia.org/wiki/Dan_Kaminsky), was talking about converting all user input to base64 in order to prevent XSS attacks. I tried finding any info on this through Google but could not find anything about the methods used to do this.

Anybody have any ideas on how this could be done?

The way I see it, it can prevent SQL injections because base64 only uses clean characters. But I don't see how it can prevent XSS since if you ever need to print the stored user input, you first need to convert it out of base64 and then print it with the malicious script intact.
Darhazer
DevNet Resident
Posts: 1011
Joined: Thu May 14, 2009 3:00 pm
Location: HellCity, Bulgaria

Re: xss protection through base64

Post by Darhazer »

Everyone can encode in base64 and decode from base64, so I don't see how this could improve security. Even if the entire request is base64 encoded, I would decode it, see where a vulnerability could exist, modify the request, encode it again and send it to the server. So... it's like thinking that by using hex instead of dec for the ID in the URL, the security will be improved.
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Re: xss protection through base64

Post by Weirdan »

This would work, but requires support on the browser and database side.
shawngoldw
Forum Contributor
Posts: 212
Joined: Mon Apr 05, 2010 3:38 pm

Re: xss protection through base64

Post by shawngoldw »

@Darhazer: This is not meant to hide vulnerabilities. It is somehow meant to protect from XSS by acting as some sort of filter, I think, replacing characters which could be malicious like <. I don't see how it helps though, because you need to convert them back from base64 and display them to the user, which I think defeats the purpose. Nonetheless, it is a strategy someone who knows much more than I on the subject mentioned.

@Weirdan: Could you please explain what you mean?
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Re: xss protection through base64

Post by Weirdan »

Darhazer wrote: Everyone can encode in base64 and decode from base64, so I don't see how this could improve security.

The idea is quite simple. Both SQL and script injections are, basically, attacks on the parser, attempting to trick it into believing that textual content contains structural elements of the respective language. If you could augment, for example, the browser to automatically base64_decode the contents of some elements after parsing, you would be able to do something like this:

Code:

<?php
// Wrap text in a <b64> element; the (hypothetical) browser decodes its content only after parsing.
function _t($text) {
  return '<b64>' . base64_encode($text) . '</b64>';
}
// Emit a b64:-prefixed attribute; the browser strips the prefix and decodes the value after parsing.
function _a($name, $text) {
  return ' b64:' . $name . '="' . base64_encode($text) . '" ';
}
?>
<div <?=_a('class', $_GET['somethingElse'])?>><?=_t($_GET['something'])?></div>

(where <b64> tags are automatically replaced with the result of decoding their content after parsing, and b64:-prefixed attributes are automatically replaced with their non-prefixed versions, with values being the result of decoding the values of the original attributes) and be sure that no XSS is possible there. This, plus support for tainted variables that would prevent you from outputting any variable without using an untainting function like the above, would provide you with bulletproof XSS protection. That said, this is no better than routinely using htmlspecialchars() when outputting data, with tainting or not.

For SQL it's a bit easier (assuming you have a UDF to decode base64 data):

Code:

// base64 output contains no quotes, so the literal cannot break out of the string; the UDF decodes it server-side.
mysql_query('select data from table where col=base64decode("' . base64_encode($_GET['something']) . '")');

But, again, it's no better than using mysql_real_escape_string():

Code:

mysql_query('select data from table where col="' . mysql_real_escape_string($_GET['something'], $conn) . '"');

... or prepared statements.
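To make the "parse first, decode afterwards" argument concrete, here is an added example (not code from the original post): Weirdan's _t/_a helpers as written, plus an assumed stand-in for the base64-aware browser built on DOMDocument, run on constructed attacker-style input and compared with the plain htmlspecialchars() equivalent.

```php
<?php
// Added example, not from the original post: a toy model of the scheme
// Weirdan describes (<b64> elements and b64: attributes decoded only after
// the markup is parsed), next to the plain htmlspecialchars() equivalent.
// _t/_a follow the post; render_b64_aware() is an assumed stand-in built on
// DOMDocument for the browser support that does not exist.

function _t(string $text): string {
    return '<b64>' . base64_encode($text) . '</b64>';
}
function _a(string $name, string $text): string {
    return ' b64:' . $name . '="' . base64_encode($text) . '" ';
}

// Stand-in browser: tokenize first, decode afterwards. The base64 alphabet
// contains none of < > " ' &, so the encoded payload cannot affect parsing;
// the decoded bytes only ever become a text node or an attribute value, and
// the serializer escapes them on output.
function render_b64_aware(string $markup): string {
    libxml_use_internal_errors(true);           // silence "Tag b64 invalid"
    $doc = new DOMDocument();
    $doc->loadHTML('<div id="root">' . $markup . '</div>');
    libxml_clear_errors();
    foreach (iterator_to_array($doc->getElementsByTagName('b64'), false) as $el) {
        $el->parentNode->replaceChild(
            $doc->createTextNode(base64_decode($el->textContent)), $el);
    }
    foreach ($doc->getElementsByTagName('*') as $el) {
        foreach (iterator_to_array($el->attributes, false) as $attr) {
            if (strncmp($attr->name, 'b64:', 4) === 0) {
                $el->setAttribute(substr($attr->name, 4), base64_decode($attr->value));
                $el->removeAttribute($attr->name);
            }
        }
    }
    return $doc->saveHTML($doc->getElementsByTagName('div')->item(0));
}

// Constructed attacker-style inputs: a script tag and an attribute breakout.
$something     = '<script>alert(1)</script>';
$somethingElse = '" onmouseover="alert(2)';

echo render_b64_aware(
    '<div' . _a('class', $somethingElse) . '>' . _t($something) . '</div>'
), "\n";

// Same result with ordinary escaping and no browser support at all.
echo '<div class="' . htmlspecialchars($somethingElse, ENT_QUOTES) . '">'
   . htmlspecialchars($something, ENT_QUOTES) . '</div>', "\n";
```

Both lines print the script tag as `&lt;script&gt;` text and the quote as `&quot;` inside the attribute, which is the point of the thread: the browser-side decoding scheme buys nothing that output escaping does not already provide.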
shawngoldw
Forum Contributor
Posts: 212
Joined: Mon Apr 05, 2010 3:38 pm

Re: xss protection through base64

Post by shawngoldw »

So you're saying that if the browser could automatically decode base64 we could just print the base64 and avoid XSS vulnerabilities?

But since browsers don't automatically decode base64 this isn't going to work?
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Re: xss protection through base64

Post by Weirdan »

shawngoldw wrote: But since browsers don't automatically decode base64 this isn't going to work?

Exactly. And even if they did, the programmer would still need to designate parts of the output as coming from the user - something that he is already doing (or should be doing, anyway).
shawngoldw
Forum Contributor
Posts: 212
Joined: Mon Apr 05, 2010 3:38 pm

Re: xss protection through base64

Post by shawngoldw »

interesting, thanks
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: xss protection through base64

Post by kaisellgren »

I like the Content Security Policy from Mozilla better than the approach described by Dan. What Dan wanted was to tell the browser that this is "content", do not parse this. Prepared statements actually do this already, treating content as content, and the rest as SQL.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: xss protection through base64

Post by Mordred »

It's a stupid idea.

Both browsers and databases already have this functionality natively, only it's not base64 (which needlessly increases the size of the transported data), but their specific escaping mechanisms. Calling the right escaping function is not harder than calling base64.

Moreover, attempting to use such a catch-all solution for many targets is almost always bound to fail. Specific solutions tailored for the specific problems are always better. Case in point - base64 needs two more characters than a-zA-Z0-9, plus an optional padding character. Come on now, pick three that won't be used as special characters somewhere ...

Additionally, prepared statements are not always suitable. Programmers do want to generate SQL on the fly; that's the point of having a mediator language in the first place. In such cases there's no catch-all method for distinguishing "content" from "syntax".
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: xss protection through base64

Post by kaisellgren »

Mordred wrote: Programmers do want to generate SQL on the fly,

Worse yet, they have to generate SQL on the fly in very common scenarios like specifying LIMIT based on user input.