Sla.ckers.org
Q and A on cross site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For Session, fixations, hijacking, lockout, replay, session riding etc.... 
What does this encoded data look like to you?
Date: August 27, 2009 06:43PM

none



Edited 1 time(s). Last edit at 09/02/2009 06:03PM by DontHassleHoff.

Re: What does this encoded data look like to you?
Posted by: thornmaker
Date: August 27, 2009 09:06PM

+ and / are both part of base64 encoding (a-z, A-Z, and 0-9 only give you 62 chars so 2 more are needed to get to 64). so it appears to be a single base64 encoded string. just because you get non-readable text when it's base64 decoded doesn't mean that's not the correct decoding. base64 is often used to encode binary data so that it can be passed around in a 'human readable' form.

fwiw, base64 and url encodings are not ciphers, just encoding routines.

Re: What does this encoded data look like to you?
Date: August 27, 2009 09:39PM

none



Edited 3 time(s). Last edit at 09/02/2009 06:04PM by DontHassleHoff.

Re: What does this encoded data look like to you?
Posted by: clayfox
Date: August 27, 2009 11:48PM

A few random statements:
- You say that it is put in the query string. The query string is everything in the URL after the question mark. Is this in the query string, or the POST body of the HTTP request?
- If it is part of the request, then the obfuscation is happening on the client side. Do you have access to the page that the request is being sent from? If so, look for client side scripts.
- My gut reaction to such a long URL-encoded, base64 string as part of a request is that it is odd. All requests that send data contain name-value pairs. I don't see any name-value pairs here. This makes me think that we either aren't getting the full picture, or that you have some confusion about what is going on.

Hope this is helpful.

ps - I have seen plenty of base64 obfuscation employed. It can be a useful format to send binary data. If you see delimited, short, fixed-length, base64 strings, they are often pointless to decode. If you see variable length, long strings of base64 encoded data, then they are often very juicy bits of info. So for my two cents, you're on the right path.

-clayfox

Re: What does this encoded data look like to you?
Posted by: Gareth Heyes
Date: August 28, 2009 04:17AM

@DontHassleHoff

It defo looks like base64 to me, maybe a session or view state. You could try looking for patterns by converting the result into charcodes and performing operations on the previous number with the current.

For example these hackvertor tags take the encoded string, remove the new lines base64 decode, convert them to charcodes and then takes each number and minuses from the previous:-
http://tinyurl.com/km9cnl

<@arithmetic_5(0,-,',')> // using 0 says take the value from the previous number

You could also get the frequencies of repeated data:-
http://tinyurl.com/m7cb3k

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: What does this encoded data look like to you?
Date: August 28, 2009 01:04PM

none



Edited 1 time(s). Last edit at 09/02/2009 06:04PM by DontHassleHoff.

Re: What does this encoded data look like to you?
Posted by: thornmaker
Date: August 28, 2009 07:09PM

I crafted this response last night but must have forgotten to send it. Let me try and rehash it all... (if you've moved on, that's fine, figured it's worth posting still)

You can apparently send arbitrary text into the encryption routine and view the results. This helps a lot in figuring out what's going on. So start by answering these questions:

1) does the length of the input affect the length of the output? is it linear? is the output always a multiple of 8/16/32/etc? is it always a fixed length?

2) do 'close' inputs have 'close' outputs? Is there any relation between the encryption of 'aaaa' and the encryption of 'aaab' for example?

3) what do you get when you encrypt all null bytes (%00%00%00%00)?

4) what do you get when you encrypt 'id is my hero'?

5) what do you get when you encrypt a long long string of all A's (or any fixed letter)? are there any repeats in the encrypted text?

6) if you encrypt the same thing twice, are the encrypted texts identical too?



Edited 1 time(s). Last edit at 08/28/2009 07:10PM by thornmaker.
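Added worked example, not from the thread: a small harness that runs thornmaker's six questions against any encrypt(plaintext) callable and reports what it finds. The two oracles it is run against are constructed stand-ins (a keyed-hash "ECB-shaped" one and a repeating-key XOR one), not real ciphers, so the script runs offline; the key values are placeholders.

```python
import hashlib
from collections import Counter
from typing import Callable

Oracle = Callable[[bytes], bytes]  # encrypt(plaintext) -> raw ciphertext bytes

def probe_oracle(encrypt: Oracle) -> dict:
    """Run the thread's black-box checks against an encryption oracle:
    length growth, determinism, close-input sensitivity, null bytes and
    repeated blocks in a long run of one letter."""
    lengths = {n: len(encrypt(b"A" * n)) for n in (1, 8, 16, 17, 32, 33, 64)}
    distinct = sorted(set(lengths.values()))
    # Smallest jump between output lengths: 1 means the output grows
    # linearly (stream-like); 8 or 16 points at a padded block cipher.
    block = min(b - a for a, b in zip(distinct, distinct[1:])) if len(distinct) > 1 else 0
    c1, c2 = encrypt(b"aaaa"), encrypt(b"aaab")
    close_diff = sum(x != y for x, y in zip(c1, c2)) + abs(len(c1) - len(c2))
    long_ct = encrypt(b"A" * 128)
    blocks = [long_ct[i:i + 16] for i in range(0, len(long_ct) - 15, 16)]
    return {
        "block_size": block,
        "all_multiples": bool(block) and all(n % block == 0 for n in distinct),
        "deterministic": encrypt(b"same input") == encrypt(b"same input"),
        "close_inputs_differ_by": close_diff,
        "max_repeated_16_byte_block": max(Counter(blocks).values(), default=0),
        "null_bytes_len": len(encrypt(b"\x00" * 4)),
    }

# Two constructed stand-in oracles (not real ciphers) so the harness runs offline.
ECB_KEY = b"constructed-demo-key"  # placeholder
STREAM_KEY = b"k3y-demo"  # placeholder, 8 bytes so a 16-byte block holds two key periods

def toy_ecb_oracle(pt: bytes) -> bytes:
    """ECB-shaped: pad to 16 bytes, transform each block independently."""
    pad = 16 - len(pt) % 16
    pt = pt + bytes([pad]) * pad
    return b"".join(hashlib.sha256(ECB_KEY + pt[i:i + 16]).digest()[:16]
                    for i in range(0, len(pt), 16))

def toy_stream_oracle(pt: bytes) -> bytes:
    """Repeating-key XOR: output length equals input length."""
    ks = (STREAM_KEY * (len(pt) // len(STREAM_KEY) + 1))[:len(pt)]
    return bytes(p ^ k for p, k in zip(pt, ks))

if __name__ == "__main__":
    for name, oracle in (("ecb-like", toy_ecb_oracle), ("stream-like", toy_stream_oracle)):
        print(name, probe_oracle(oracle))
```

Both toy oracles show eight identical 16-byte blocks for the long run of A's, so that check alone does not separate them; the block-size and close-input results do (a one-byte plaintext change flips one byte in the stream-like output and a whole block in the ECB-shaped one).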

Re: What does this encoded data look like to you?
Posted by: Gareth Heyes
Date: August 31, 2009 06:19AM

I know you've probably moved on from this but I'm still messing with it as I'm looking to improve Hackvertor in this area. I've added a new tag called concealed sequences which tries to find patterns of repeating data. Basically I split the base64 data and decode it, then convert the result to charcodes before subtracting from the previous number to reveal any sequence.

http://tinyurl.com/no7vv7

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]
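Added example, not Hackvertor's code and not part of the thread: the pipeline Gareth describes in both of his posts above (drop the newlines, base64-decode, turn the bytes into charcodes, subtract each from the previous, count frequencies), plus the alphabet check thornmaker gave earlier. The sample blob is constructed inside the script; the helper names are my own.

```python
import base64
import re
from collections import Counter
from urllib.parse import unquote

B64_RE = re.compile(r"[A-Za-z0-9+/]*={0,2}")

def looks_like_base64(blob: str) -> bool:
    """Alphabet check from the thread: a-z, A-Z, 0-9 plus '+' and '/', optional
    '=' padding, length a multiple of 4 once whitespace is stripped."""
    s = "".join(blob.split())
    return bool(s) and len(s) % 4 == 0 and B64_RE.fullmatch(s) is not None

def decode_blob(blob: str) -> bytes:
    """URL-decode (harmless when there are no % escapes), drop newlines, then base64-decode."""
    return base64.b64decode("".join(unquote(blob).split()), validate=True)

def charcode_diffs(data: bytes) -> list:
    """Each byte minus the previous one, as the arithmetic tag in the post does."""
    return [b - a for a, b in zip(data, data[1:])]

def longest_constant_diff_run(diffs) -> tuple:
    """(difference value, run length) of the longest run of equal differences;
    a long run of +1 is a counter, a long run of 0 is repeated filler."""
    best, cur_val, cur_len = (0, 0), None, 0
    for d in diffs:
        cur_val, cur_len = (d, cur_len + 1) if d == cur_val else (d, 1)
        if cur_len > best[1]:
            best = (cur_val, cur_len)
    return best

def byte_frequencies(data: bytes, top: int = 3) -> list:
    """Most common byte values: the 'frequencies of repeated data' check."""
    return Counter(data).most_common(top)

# Constructed sample: a 4-byte tag, a 16-byte counter-like run and repeated filler,
# base64-encoded and wrapped across two lines as a pasted blob would be.
SAMPLE_RAW = b"\x01\x02\xfe\xff" + bytes(range(0x30, 0x40)) + b"\x07" * 6
_enc = base64.b64encode(SAMPLE_RAW).decode()
SAMPLE_B64 = _enc[:20] + "\n" + _enc[20:]

if __name__ == "__main__":
    raw = decode_blob(SAMPLE_B64)
    print(looks_like_base64(SAMPLE_B64), charcode_diffs(raw))
    print(longest_constant_diff_run(charcode_diffs(raw)), byte_frequencies(raw))
```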

Re: What does this encoded data look like to you?
Posted by: rvdh
Date: September 01, 2009 01:56AM

Probably HMAC base64.
