This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Log in to ask a question

How to check for XSS which is in base64 encoded format

Posted on 10-22-2018 06:27 AM
uditverma
New Member
Reply posted on --/--/---- --:-- AM

We have a requirement to check if the payload attribute is XSS attack (for eg. <script>alert('XSS')</script> in base64 format it will be 'PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4='). The attribute content is in base64 format. We want to check for HTTP special characters if its present then discard the attribute content. Can someone please help.

0 1 3,001
Topic Labels
0 Likes
1 REPLY 1

Posted on --/--/---- --:-- AM
dchiesa1
Staff
Reply posted on --/--/---- --:-- AM

I suppose you will need to base64 decode the content, and THEN check it against a regex.

The attached proxy shows how you could do that.

regex-protection-after-base64-decode.zip

Basically you can use an AssignMessage to decode it, and then just use your normal regex policy on the variable. Like this

<AssignMessage name='AM-Decode'>
  <DisplayName>AM-Decode</DisplayName>
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <AssignVariable>
    <Name>decoded_content</Name>
    <Template>{decodeBase64(message.content)}</Template>
  </AssignVariable>
</AssignMessage>

And then

<RegularExpressionProtection name="RegularExpressionProtection-1">
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <Variable name="decoded_content">
    <Pattern><![CDATA[(?i)(.*?(<\s*script\b[^>]*>[^<]+<\s*\/\s*script\b\s*>).*)]]></Pattern>
  </Variable>
</RegularExpressionProtection>
regex-protection-after-base64-decode.zip
0 Likes