xss protection through base64
Moderator: General Moderators
- shawngoldw
- Forum Contributor
- Posts: 212
- Joined: Mon Apr 05, 2010 3:38 pm
xss protection through base64
I heard that dan kaminsky, a security researcher (http://en.wikipedia.org/wiki/Dan_Kaminsky), was talking about converting all user input to base64 in order to prevent xss attacks. I tried finding any info on this through google but could not find anything about the methods used to do this.
Anybody have any ideas on how this could be done?
The way I see it, it can prevent sql injections because base64 only uses clean characters. But I don't see how it can prevent xss since if you ever need to print the stored user input, you first need to convert it out of base64 and then print it with the malicious script intact.
Re: xss protection through base64
everyone can encode in base64 and decode from base64, so I don't see how this could improve security. Even if the entire request is base64 encoded, I would decode it, see where a vulnerability could exist, modify the request, encode it again and send it to the server. So... it's like thinking that by using hex instead of dec for the ID in the URL, the security will be improved.
Re: xss protection through base64
This would work, but requires support on browser and database side.
- shawngoldw
- Forum Contributor
- Posts: 212
- Joined: Mon Apr 05, 2010 3:38 pm
Re: xss protection through base64
@darhazer: This is not meant to hide vulnerabilities. It is somehow meant to protect from xss by acting as some sort of filter I think, replacing characters which could be malicious like <. I don't see how it helps though because you need to convert them back from base64 and display them to the user, which I think defeats the purpose. Nonetheless it is a strategy someone who knows much more than I on the subject mentioned.
@weirdan: Could you please explain what you mean?
Re: xss protection through base64
> Darhazer wrote: everyone can encode in base64 and decode from base64, so I don't see how this could improve security.

The idea is quite simple. Both sql and script injections are, basically, attacks on the parser, attempting to trick it into believing that textual content contains structural elements of the respective language. If you could augment, for example, the browser to automatically base64_decode contents of some elements after parsing, you would be able to do something like this:
```php
<?php
// Wrap user text in a (hypothetical) <b64> element that the browser would decode after parsing
function _t($text) {
    return '<b64>' . base64_encode($text) . '</b64>';
}
// Same idea for an attribute value, under a b64: prefix
function _a($name, $text) {
    return ' b64:' . $name . '="' . base64_encode($text) .'" ';
}
?>
<div <?=_a('class', $_GET['somethingElse'])?>><?=_t($_GET['something'])?></div>
```
For sql it's a bit easier (assuming you have a UDF to decode base64 data):
```php
mysql_query('select data from table where col=base64decode("' . base64_encode($_GET['something']) . '")');
```
```php
mysql_query('select data from table where col="' . mysql_real_escape_string($_GET['something'], $conn) . '"');
```
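To make the difference between the two decoding points concrete, here is an added Python model of the scheme in the post above. It is not code from the thread: `_t`, `_a` and `render` mirror the PHP helpers, `naive_decode` is the server-side decode-and-print that shawngoldw was worried about, and `browser_decode` stands in for the hypothetical browser extension that decodes `<b64>` elements only after parsing (modelled as a DOM text node, whose serialisation escapes metacharacters). The payload and attribute value are constructed sample inputs.

```python
import base64
import html
import re

# Constructed sample inputs (not from the thread): a script-injection payload
# and an attribute value, both "supplied by the user".
USER_TEXT = '<script>alert(1)</script>'
USER_CLASS = 'x'


def b64(text: str) -> str:
    return base64.b64encode(text.encode('utf-8')).decode('ascii')


def _t(text: str) -> str:
    """Python mirror of the post's PHP _t(): wrap user text in a hypothetical
    <b64> element. The emitted markup contains only base64 characters, so the
    HTML parser never sees a '<' that came from the user."""
    return '<b64>' + b64(text) + '</b64>'


def _a(name: str, text: str) -> str:
    """Mirror of the post's _a(): a base64-valued attribute under a b64: prefix."""
    return ' b64:' + name + '="' + b64(text) + '" '


def render(something: str, something_else: str) -> str:
    """The <div> line from the post, produced server side."""
    return '<div' + _a('class', something_else) + '>' + _t(something) + '</div>'


# Hypothetical element; the alphabet is exactly base64's.
_B64_ELEMENT = re.compile(r'<b64>([A-Za-z0-9+/=]*)</b64>')


def naive_decode(markup: str) -> str:
    """Decoding on the server and printing the result (shawngoldw's concern):
    the payload comes back as live markup."""
    return _B64_ELEMENT.sub(
        lambda m: base64.b64decode(m.group(1)).decode('utf-8'), markup)


def browser_decode(markup: str) -> str:
    """What the hypothetical browser extension would do: decode AFTER parsing
    and treat the result as text. A DOM text node serialises with '<', '>'
    and '&' escaped, which is what html.escape() reproduces here."""
    def as_text_node(m: re.Match) -> str:
        decoded = base64.b64decode(m.group(1)).decode('utf-8')
        return html.escape(decoded, quote=False)
    return _B64_ELEMENT.sub(as_text_node, markup)


if __name__ == '__main__':
    page = render(USER_TEXT, USER_CLASS)
    print(page)                  # only base64 characters where user data sits
    print(naive_decode(page))    # payload is live markup again
    print(browser_decode(page))  # payload is inert text
```

The point the model makes is that the base64 wrapper on its own does nothing; the protection comes entirely from the consumer agreeing that whatever is inside `<b64>` is data, which is the same contract that entity escaping already gives you with every existing browser.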
- shawngoldw
- Forum Contributor
- Posts: 212
- Joined: Mon Apr 05, 2010 3:38 pm
Re: xss protection through base64
So you're saying that if the browser could automatically decode base64 we could just print the base64 and avoid xss vulnerabilities?
But since browsers don't automatically decode base64 this isn't going to work?
Re: xss protection through base64
> shawngoldw wrote: But since browsers don't automatically decode base64 this isn't going to work?

Exactly. And even if they did, the programmer would still need to designate parts of the output as coming from the user - something that he is already doing (or should be doing, anyway).
- shawngoldw
- Forum Contributor
- Posts: 212
- Joined: Mon Apr 05, 2010 3:38 pm
Re: xss protection through base64
interesting, thanks
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: xss protection through base64
I like the Content Security Policy from Mozilla better than the approach described by Dan. What Dan wanted was to tell the browser that this is "content", do not parse this. Prepared statements actually do this already, treating content as content, and the rest as SQL.
Re: xss protection through base64
It's a stupid idea.
Both browsers and databases already have this functionality natively, only it's not base64 (which needlessly increases the size of the transported data), but their specific escaping mechanisms. Calling the right escaping function is not harder than calling base64.
Moreover, attempting to use such a catch-all solution for many targets is almost always bound to fail. Specific solutions tailored for the specific problems are always better. Point in case - base64 needs two more characters than a-zA-Z0-9, plus an optional padding character. Come on now, pick three that won't be used as special characters somewhere ...
Additionally, prepared statements are not always suitable. Programmers do want to generate SQL on the fly, that's the point for having a mediator language in the first place. In such cases there's no catch-all method for distinguishing "content" from "syntax".
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: xss protection through base64
> Mordred wrote: Programmers do want to generate SQL on the fly,

Worse yet, they have to generate SQL on the fly in very common scenarios like specifying LIMIT based on user input.
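The native mechanisms Mordred describes, and the LIMIT case kaisellgren raises, side by side in an added Python example (not code from the thread). `render_div` uses the standard library's `html.escape`, the equivalent of PHP's htmlspecialchars, for both attribute and element context; `base64_overhead` measures the size cost Mordred mentions; `lookup` binds the value as a prepared-statement parameter; and `first_rows` handles a user-supplied LIMIT by validating it as a bounded integer before binding it. SQLite in memory stands in for the database, and the table rows and hostile inputs are constructed samples.

```python
import base64
import html
import sqlite3

# Constructed sample inputs (not from the thread).
HOSTILE_HTML = '"><script>alert(1)</script>'
HOSTILE_SQL = 'a" OR "1"="1'


def render_div(value: str) -> str:
    """Native HTML escaping: one call makes the same string safe inside an
    attribute and as element content, and every browser decodes the entities
    natively, so no extension is needed on the client side."""
    safe = html.escape(value, quote=True)
    return '<div class="' + safe + '">' + safe + '</div>'


def base64_overhead(value: str) -> int:
    """Extra bytes base64 adds: every 3 input bytes become 4 output characters.
    The alphabet is a-zA-Z0-9 plus '+', '/' and the '=' pad, the three extra
    characters Mordred points at."""
    raw = value.encode('utf-8')
    return len(base64.b64encode(raw)) - len(raw)


def open_db() -> sqlite3.Connection:
    """In-memory table with constructed rows."""
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE t (col TEXT, data TEXT)')
    conn.executemany('INSERT INTO t VALUES (?, ?)',
                     [('a', 'd1'), ('b', 'd2'), ('c', 'd3')])
    return conn


def lookup(conn: sqlite3.Connection, col: str) -> list:
    """Prepared statement: the value is bound, never spliced into the SQL text,
    so the parser only ever sees one placeholder where the content goes."""
    return [r[0] for r in conn.execute('SELECT data FROM t WHERE col = ?', (col,))]


def first_rows(conn: sqlite3.Connection, limit_text: str) -> list:
    """LIMIT from user input: the SQL is still generated on the fly, but the
    user value is reduced to a bounded integer before it gets anywhere near
    the query. SQLite accepts a bound parameter in LIMIT; where a driver does
    not, the int check is what keeps the spliced number safe."""
    try:
        limit = int(limit_text)
    except ValueError:
        raise ValueError('limit must be an integer')
    if not 1 <= limit <= 100:
        raise ValueError('limit out of range')
    return [r[0] for r in conn.execute(
        'SELECT data FROM t ORDER BY col LIMIT ?', (limit,))]


if __name__ == '__main__':
    print(render_div(HOSTILE_HTML))
    print(base64_overhead(HOSTILE_HTML), 'extra bytes under base64')
    db = open_db()
    print(lookup(db, 'a'), lookup(db, HOSTILE_SQL))
    print(first_rows(db, '2'))
```

Each escaping or binding step here is specific to the parser it protects, which is exactly the argument for it: the HTML escaper knows which five characters matter to an HTML parser, the database binds values outside the SQL text, and the LIMIT check knows that only a small integer is acceptable there.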