
xss protection through base64

Posted: Fri Jul 16, 2010 10:02 am
by shawngoldw
I heard that Dan Kaminsky, a security researcher (http://en.wikipedia.org/wiki/Dan_Kaminsky), was talking about converting all user input to base64 in order to prevent XSS attacks. I tried finding any info on this through Google but could not find anything about the methods used to do this.

Anybody have any ideas on how this could be done?

The way I see it, it can prevent SQL injection because base64 only uses clean characters. But I don't see how it can prevent XSS, since if you ever need to print the stored user input, you first need to convert it out of base64 and then print it with the malicious script intact.

Re: xss protection through base64

Posted: Sat Jul 17, 2010 1:24 pm
by Darhazer
Everyone can encode in base64 and decode from base64, so I don't see how this could improve security. Even if the entire request is base64-encoded, I would decode it, see where a vulnerability could exist, modify the request, encode it again and send it to the server. So... it's like thinking that by using hex instead of dec for the ID in the URL, the security will be improved.

Re: xss protection through base64

Posted: Sat Jul 17, 2010 2:46 pm
by Weirdan
This would work, but requires support on browser and database side.

Re: xss protection through base64

Posted: Sat Jul 17, 2010 3:08 pm
by shawngoldw
@Darhazer: This is not meant to hide vulnerabilities. It is somehow meant to protect from XSS by acting as some sort of filter, I think, replacing characters which could be malicious like <. I don't see how it helps, though, because you need to convert them back from base64 and display them to the user, which I think defeats the purpose. Nonetheless, it is a strategy someone who knows much more than I on the subject mentioned.

@Weirdan: Could you please explain what you mean?

Re: xss protection through base64

Posted: Sat Jul 17, 2010 3:14 pm
by Weirdan
Darhazer wrote: everyone can encode in base64 and decode from base64, so I don't see how this could improve security.

The idea is quite simple. Both SQL and script injections are, basically, attacks on the parser, attempting to trick it into believing that textual content contains structural elements of the respective language. If you could augment, for example, the browser to automatically base64_decode the contents of some elements after parsing, you would be able to do something like this:

<?php
// Wrap user-supplied text so a (hypothetical) b64-aware browser decodes it
// only after the HTML has been parsed: the payload can never be markup.
function _t($text) {
  return '<b64>' . base64_encode($text) . '</b64>';
}
// Same idea for attribute values: a b64:-prefixed attribute whose value the
// browser decodes after parsing, then renames to the plain attribute.
function _a($name, $text) {
  return ' b64:' . $name . '="' . base64_encode($text) . '" ';
}
?>
<div <?=_a('class', $_GET['somethingElse'])?>><?=_t($_GET['something'])?></div>

(where <b64> tags are automatically replaced with the result of decoding their content after parsing, and b64:-prefixed attributes are automatically replaced with their non-prefixed versions, with values being the result of decoding the values of the original attributes) and be sure that no XSS is possible there. This, plus support for tainted variables that would prevent you from outputting any variable without using an untainting function like the above, would provide you with bulletproof XSS protection. That said, this is no better than routinely using htmlspecialchars() when outputting data, with tainting or not.

For SQL it's a bit easier (assuming you have a UDF to decode base64 data):

mysql_query('select data from table where col=base64decode("' . base64_encode($_GET['something']) . '")');

But, again, it's no better than using mysql_real_escape_string():

mysql_query('select data from table where col="' . mysql_real_escape_string($_GET['something'], $conn) . '"');

... or prepared statements.
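To make the point in the post above concrete, here is an added example (not code from the thread or from any poster) that runs the "store it as base64" idea side by side with context-aware escaping. Since no browser decodes a <b64> element, the server has to decode before output, and the markup comes back byte for byte; htmlspecialchars() applied per output context is what actually stops the parser from seeing structure. The payload string and the function names are constructed for the example.

```php
<?php
declare(strict_types=1);

// Constructed sample input: closes an attribute, then injects an element.
$payload = '"><script>alert(1)</script>';

// The base64 scheme as it would have to work today: encode on the way in ...
function storeAsBase64(string $userInput): string
{
    return base64_encode($userInput);
}

// ... and decode on the way out, because the browser will not do it for us.
// Whatever was encoded is reproduced exactly, markup included.
function renderFromBase64(string $stored): string
{
    return '<div>' . base64_decode($stored, true) . '</div>';
}

// Escaping for the HTML context: '<', '>', '&', '"' and "'" become entities,
// so the string can only ever be text or an attribute value, never structure.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Both the attribute value and the text node go through esc(). The quotes
// around the attribute are mandatory: without them a space in $class would
// start a new attribute even though every dangerous character is escaped.
function renderEscaped(string $class, string $text): string
{
    return '<div class="' . esc($class) . '">' . esc($text) . '</div>';
}

// Compare the two strategies on the same input.
$stored = storeAsBase64($payload);
echo "stored form:   ", $stored, PHP_EOL;
echo "via base64:    ", renderFromBase64($stored), PHP_EOL;
echo "via escaping:  ", renderEscaped($payload, $payload), PHP_EOL;

// A quick check a reviewer can run: does a raw <script> tag survive?
echo "raw tag after base64 round trip: ",
     var_export(str_contains(renderFromBase64($stored), '<script>'), true), PHP_EOL;
echo "raw tag after escaping:          ",
     var_export(str_contains(renderEscaped($payload, $payload), '<script>'), true), PHP_EOL;
```

The escaping shown covers HTML text and quoted attribute values only; a value placed inside a script block, a URL or a CSS declaration needs the encoding rules of that context, which is exactly the per-target specificity the thread goes on to discuss.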

Re: xss protection through base64

Posted: Sat Jul 17, 2010 4:14 pm
by shawngoldw
So you're saying that if the browser could automatically decode base64 we could just print the base64 and avoid xss vulnerabilities?

But since browsers don't automatically decode base64 this isn't going to work?

Re: xss protection through base64

Posted: Sat Jul 17, 2010 9:33 pm
by Weirdan
shawngoldw wrote: But since browsers don't automatically decode base64 this isn't going to work?

Exactly. And even if they did, the programmer would still need to designate parts of the output as coming from the user - something that he is already doing (or should be doing, anyway).

Re: xss protection through base64

Posted: Sat Jul 17, 2010 9:56 pm
by shawngoldw
interesting, thanks

Re: xss protection through base64

Posted: Sun Jul 18, 2010 1:28 pm
by kaisellgren
I like the Content Security Policy from Mozilla better than the approach described by Dan. What Dan wanted was to tell the browser that this is "content", do not parse this. Prepared statements actually do this already, treating content as content, and the rest as SQL.

Re: xss protection through base64

Posted: Tue Jul 20, 2010 3:16 am
by Mordred
It's a stupid idea.

Both browsers and databases already have this functionality natively, only it's not base64 (which needlessly increases the size of the transported data), but their specific escaping mechanisms. Calling the right escaping function is not harder than calling base64.

Moreover, attempting to use such a catch-all solution for many targets is almost always bound to fail. Specific solutions tailored for the specific problems are always better. Case in point - base64 needs two more characters than a-zA-Z0-9, plus an optional padding character. Come on now, pick three that won't be used as special characters somewhere ...

Additionally, prepared statements are not always suitable. Programmers do want to generate SQL on the fly, that's the point for having a mediator language in the first place. In such cases there's no catch-all method for distinguishing "content" from "syntax".
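Mordred's point about the two extra alphabet characters plus padding is easy to reproduce. The following is an added example, not from the thread: standard base64 uses '+', '/' and '=', and '+' is itself special in a URL query string (it decodes to a space), so a base64 value pasted into a URL without percent-encoding is corrupted before the server even sees it. The sample bytes are constructed so that the encoding contains all three characters; the helper names and the base64url variant (RFC 4648 section 5) are this example's own.

```php
<?php
declare(strict_types=1);

// Constructed sample: two bytes whose base64 encoding contains '+', '/' and '='.
$bytes = "\xfb\xff";
$b64   = base64_encode($bytes);

// Simulate what a server sees after normal query-string parsing:
// '+' is turned into a space and %XX escapes are decoded.
function receivedValue(string $queryString): string
{
    parse_str($queryString, $params);
    return $params['d'] ?? '';
}

// base64url: '-' and '_' replace '+' and '/', and padding is dropped, so the
// result contains nothing that a URL parser treats specially.
function base64UrlEncode(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function base64UrlDecode(string $s): string|false
{
    $std  = strtr($s, '-_', '+/');
    $std .= str_repeat('=', (4 - strlen($std) % 4) % 4);   // restore padding
    return base64_decode($std, true);
}

// Three ways of putting the same value into the query string.
$naive = receivedValue('d=' . $b64);                    // raw standard base64
$pct   = receivedValue('d=' . rawurlencode($b64));      // percent-encoded
$url   = receivedValue('d=' . base64UrlEncode($bytes)); // base64url alphabet

echo "sent:               ", $b64, PHP_EOL;
echo "received (naive):   ", var_export($naive, true), PHP_EOL;
echo "received (percent): ", var_export($pct, true), PHP_EOL;
echo "received (url-safe):", var_export($url, true), PHP_EOL;

// Does each variant still decode to the original bytes?
echo "naive round trip ok:    ", var_export(base64_decode($naive, true) === $bytes, true), PHP_EOL;
echo "percent round trip ok:  ", var_export(base64_decode($pct, true) === $bytes, true), PHP_EOL;
echo "url-safe round trip ok: ", var_export(base64UrlDecode($url) === $bytes, true), PHP_EOL;
```

The naive variant loses its leading '+', so the decoded bytes no longer match; the other two survive. That is the practical version of "pick three that won't be used as special characters somewhere": each transport has its own special characters, and a single fixed alphabet cannot be neutral for all of them.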

Re: xss protection through base64

Posted: Wed Jul 21, 2010 11:48 am
by kaisellgren
Mordred wrote: Programmers do want to generate SQL on the fly,

Worse yet, they have to generate SQL on the fly in very common scenarios like specifying LIMIT based on user input.
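The LIMIT case, and Mordred's wider point that some parts of a query are syntax rather than content, can still be handled without concatenating raw input. As an added example (not from the thread), the code below validates LIMIT/OFFSET as integers and binds them with PDO::PARAM_INT, and resolves the ORDER BY column through a fixed allow-list of the application's own identifiers. It uses an in-memory SQLite database through PDO; the table, the rows and the function name are constructed for the example.

```php
<?php
declare(strict_types=1);

// Column names this endpoint is allowed to sort by. Identifiers cannot be
// bound as parameters, so the request value is mapped onto one of these
// literals and never interpolated as-is.
const SORTABLE_COLUMNS = ['id', 'title', 'created'];

function pageQuery(PDO $db, string $sortParam, string $limitParam, string $offsetParam = '0'): array
{
    // Syntax part: pick a known column or fall back to a default.
    $column = in_array($sortParam, SORTABLE_COLUMNS, true) ? $sortParam : 'id';

    // Content part: LIMIT/OFFSET must be integers in a sane range. Anything
    // else ("10; DROP TABLE posts", "1e3", "") is rejected before any SQL exists.
    $limit  = filter_var($limitParam,  FILTER_VALIDATE_INT, ['options' => ['min_range' => 1, 'max_range' => 100]]);
    $offset = filter_var($offsetParam, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($limit === false || $offset === false) {
        throw new InvalidArgumentException('limit/offset must be integers within range');
    }

    // $column is one of our own literals; the numbers are bound as integers.
    $stmt = $db->prepare("SELECT id, title FROM posts ORDER BY $column LIMIT :limit OFFSET :offset");
    $stmt->bindValue(':limit',  $limit,  PDO::PARAM_INT);
    $stmt->bindValue(':offset', $offset, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed fixture: an in-memory database with three rows.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, created TEXT)');
$insert = $db->prepare('INSERT INTO posts (title, created) VALUES (:title, :created)');
foreach ([['first', '2010-07-16'], ['second', '2010-07-17'], ['third', '2010-07-18']] as [$title, $created]) {
    $insert->execute([':title' => $title, ':created' => $created]);
}

// Normal request: sorted by an allowed column, two rows.
print_r(pageQuery($db, 'created', '2'));

// Unknown (or hostile) sort value: silently mapped to the default column.
print_r(pageQuery($db, 'title; DROP TABLE posts', '2'));

// Non-integer LIMIT: rejected by validation, no query is built.
try {
    pageQuery($db, 'id', '2; DROP TABLE posts');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

With the MySQL driver in emulated-prepare mode, binding with bindValue() and PDO::PARAM_INT (rather than passing the values to execute()) is what keeps the LIMIT operand unquoted; passing them as an array binds them as strings, which MySQL rejects in that position.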