AppSec

Base64 is not encryption

I posted a silly tweet after finding a vulnerability in an Android app the other day.  It grew legs and is making its way around.

I've gotten a few funny replies, but not as good as the QA tweet - mostly "Well duh" or "It isn't" or "People think that?" So I wanted to write a short explainer.

Base64 looks like encryption.  The nice readable text gets all scrambled up.  For instance, the text of the tweet turns into this:

QmFzZTY0IGlzIG5vdCBlbmNyeXB0aW9uLiBCYXNlNjQgaXMgbm90IGVuY3J5cHRpb24uIEJhc2U2NCBpcyBub3QgZW5jcnlwdGlvbi4gQmFzZTY0IGlzIG5vdCBlbmNyeXB0aW9uLiBCYXNlNjQgaXMgbm90IGVuY3J5cHRpb24uIEJhc2U2NCBpcyBub3QgZW5jcnlwdGlvbi4gQmFzZTY0IGlzIG5vdCBlbmNyeXB0aW9uLiBCYXNlNjQgaXMgbm90IGVuY3J5cHRpb24uIEJhc2U2NCBpcyBub3QgZW5jcnlwdGlvbi4gQmFzZTY0IGlzIG5vdCBlbmNyeXB0aW9uLg==

See, not even spaces!  Wild stuff!  But it is not encrypted.  Base64 encoding is a way to turn binary (or non-ASCII text) data into printable characters that can be carried over an ASCII-only medium like the web.  Binary serialization is a typical case: if you serialize an object and save it, the output contains unreadable bytes.  If you base64 encode it, you can store it in a cookie or a form field.  It's super handy, but it is not protected: there is no key, so anyone who can read the encoded string can decode it.  The page I used to encode the example above is here:

https://www.base64encode.org/

So to give a concrete example, if you use Apache MyFaces or ASP.NET Web Forms (pre 4.6.2) then your viewstate is just Base64 encoded.  Don't believe me?  View source, find the viewstate, and paste it into the site above.  It will probably decode for you. An attacker can change that data and resubmit, so take care!
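Here is an added example (not code from the post) that makes the two points above concrete: a Base64 round trip needs no key, so a Base64-only viewstate or cookie is readable and editable by whoever holds it, and the cheapest fix for the tampering half of that problem is a MAC over the payload. `SAMPLE_STATE`, the function names and the key are all constructed for the example; the HMAC tag only detects modification and still leaves the payload as plain Base64, so hiding the contents would additionally require real encryption.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample state standing in for a viewstate or cookie payload (not from the post).
SAMPLE_STATE = {"user": "alice", "role": "viewer"}


def base64_text(text: str) -> str:
    """Base64-encode UTF-8 text, which is all the encoder page in the post does."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def encode_state(state: dict) -> str:
    """Serialize state to JSON and Base64 it. This is a transform, not encryption:
    nothing here depends on a secret, so decode_state() needs none either."""
    return base64.b64encode(json.dumps(state, sort_keys=True).encode("utf-8")).decode("ascii")


def decode_state(token: str) -> dict:
    """Anyone holding the token (browser, proxy, log file) recovers the state."""
    return json.loads(base64.b64decode(token))


def sign_state(state: dict, key: bytes) -> str:
    """Base64 payload plus an HMAC-SHA256 tag over it. The tag lets the server
    detect modification; it does NOT hide the payload, which is still plain Base64."""
    payload = base64.urlsafe_b64encode(json.dumps(state, sort_keys=True).encode("utf-8"))
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return payload.decode("ascii") + "." + base64.urlsafe_b64encode(tag).decode("ascii")


def verify_state(token: str, key: bytes) -> Optional[dict]:
    """Return the state if the tag matches, None if the token was altered, forged or malformed."""
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        expected = hmac.new(key, payload_b64.encode("ascii"), hashlib.sha256).digest()
        presented = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, TypeError):
        return None
    # Constant-time comparison so the check itself does not leak the tag.
    if not hmac.compare_digest(expected, presented):
        return None
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def swap_payload(signed_token: str, new_state: dict) -> str:
    """Test input only: the original tag glued to a different payload, which is what
    an edited-and-resubmitted form would carry. verify_state() must reject it."""
    _, tag_b64 = signed_token.split(".", 1)
    payload = base64.urlsafe_b64encode(json.dumps(new_state, sort_keys=True).encode("utf-8"))
    return payload.decode("ascii") + "." + tag_b64


if __name__ == "__main__":
    key = b"server-secret"  # constructed; a real key comes from server-side config
    plain = encode_state(SAMPLE_STATE)
    print("base64 only :", plain, "->", decode_state(plain))
    signed = sign_state(SAMPLE_STATE, key)
    print("signed      :", signed)
    print("verify ok   :", verify_state(signed, key))
    print("tampered    :", verify_state(swap_payload(signed, {"user": "alice", "role": "admin"}), key))
```

Running it shows the Base64-only token decoding straight back to the dictionary, the signed token verifying, and the tampered copy coming back as `None`. That is the property the newer ASP.NET versions add with MAC validation; the Base64 layer by itself never had it.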

To learn even more, check out the OWASP Cryptographic Storage Cheat Sheet.

https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet
