Getting Started with Base64 Encoding and Decoding

This webcast was originally published on February 18, 2020.

In this video, John Strand discusses the intricacies of Base64 encoding and decoding. He explains its necessity for transferring binary data over text-based protocols like HTTP and highlights its use in web application security assessments. The tutorial includes practical demonstrations of encoding and decoding Base64, explaining the significance of padding with equal signs and how to handle errors and special characters in the data stream.

  • Base64 encoding is primarily used to safely transmit binary data and special characters over protocols designed for text, such as HTTP.
  • The ‘=’ character at the end of Base64-encoded data is padding, added when the input does not land exactly on the boundary the encoding expects.
  • Malware often uses Base64 encoding because slight changes to the input alter the encoded signature significantly, which can evade security systems that rely on pattern matching.
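An added example (not from the webcast) that shows the padding rule and a defender-side version of the strict versus ignore-garbage decode described in the transcript: try a strict decode, and if it fails, strip the stray characters, decode anyway, and report what was stripped. The sample string, the injected characters and the function names are constructed for illustration.

```python
import base64
import binascii
import re

# Anything outside the standard Base64 alphabet (RFC 4648) and '=' padding.
_NON_ALPHABET = re.compile(r"[^A-Za-z0-9+/=]")


def pad_count(data: bytes) -> int:
    """How many '=' the encoder appends: 0 when len(data) is a multiple of 3."""
    encoded = base64.b64encode(data)
    return len(encoded) - len(encoded.rstrip(b"="))


def inspect_base64(blob: str) -> dict:
    """Strict decode first; on failure strip stray characters, re-pad, retry.

    The stripped characters are returned so the anomaly itself can be alerted
    on instead of the inspection step silently erroring out.
    """
    compact = "".join(blob.split())  # line wrapping is normal, not garbage
    try:
        decoded = base64.b64decode(compact, validate=True)
        return {"strict_ok": True, "garbage": "", "decoded": decoded}
    except binascii.Error:
        pass
    garbage = "".join(_NON_ALPHABET.findall(compact))
    cleaned = _NON_ALPHABET.sub("", compact).rstrip("=")
    cleaned += "=" * (-len(cleaned) % 4)  # restore padding to a 4-char boundary
    try:
        decoded = base64.b64decode(cleaned, validate=True)
    except binascii.Error:
        decoded = None  # still undecodable, e.g. a truncated stream
    return {"strict_ok": False, "garbage": garbage, "decoded": decoded}


# Constructed sample input, not taken from the video.
SAMPLE = b"I'm sure there is a better way to do this"
CLEAN = base64.b64encode(SAMPLE).decode()
TAMPERED = CLEAN[:10] + "!@" + CLEAN[10:]  # two out-of-alphabet characters

if __name__ == "__main__":
    for n in (1, 2, 3):  # "C", "CC", "CCC" -> two, one and zero '=' signs
        print(n, base64.b64encode(b"C" * n).decode(), pad_count(b"C" * n))
    print(inspect_base64(CLEAN))
    print(inspect_base64(TAMPERED))
```

A non-empty `garbage` field on data that otherwise decodes cleanly is itself worth logging, since a normal encoder never emits those characters.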

Transcript

John Strand

Hello and welcome. My name is John Strand, and in this video we’re going to be talking about base 64 encoding and decoding. Now the reason why we’re talking about it is once again we have the BHIS cyber range for our customers and friends.

And this is just basically a video to walk people through some of the challenges that utilize base 64. Now the reason why base 64 actually exists is kind of interesting.

Whenever you are transferring binary data or you’re transferring data with special characters, it can be encoded and it can be garbled, especially whenever you’re dealing with protocols that are designed predominantly for sending text.

For example, if you’re looking at something like HTTP, it transports a lot of text, and if we start sending binary, we might get into trouble. In fact, we see this all the time, especially with attacks like SQL injection where semicolons get interpreted and get executed.

So this is why protocols like this exist, or different encoding formats like this exist. It allows you to convert things like binary and special character data into something that’s far less benign, like upper lowercase and numbers.

And that’s what we actually get whenever we’re utilizing base 64 as an encoding mechanism. So you’ll see it all the time whenever you’re doing web application security assessments, looking at security parameters and tokens and things of that nature.

So let’s play around a little bit with encoding and decoding base 64 and then some of the little challenges that you’re going to run into. Now in my example that I have up on my screen, we’re going to be playing around with, “I’m sure that there’s a better way to do this.”

And I got 434343, or capital C, capital C, capital C in hex, but we’re not at that video yet. And we’re going to pipe it through base 64 and that’s going to encode it.

And as you can see, we have the “I’m sure” in the space and all that has been replaced with what looks like gibberish, but it’s pretty much not malicious gibberish or mostly not malicious gibberish, I suppose.

So it allows it to encode it in a way that it’s easily transferred over clear text or plain text protocols. Now one of the things you’ll notice is sometimes with base 64 or a lot of the times it will end with equals equals.

And that has to do with padding. If your character set that’s coming in doesn’t land perfectly on the boundaries that base 64 is looking for, it’ll actually pad it. So many times a telltale giveaway are the equal signs at the end, one or two.

Now, sometimes there won’t be any that will happen. That means the text landed on a perfect boundary and that’s okay, but it’s just something to look for. It’s a quick and dirty trick.

Now if we actually want to decode base 64 encoded data, we can in fact do that. Let me bounce out here and I’m just going to use straight up base 64, decode.

Now, I utilized a switch here. You can see I did the decode switch, and now whenever I hit enter, it’s going to try to decode it and it’s going to freak out.

You can see right here it says, “I’m sure there is a.” And then it goes, “base 64 invalid input.” The reason why is I snuck in a couple of special characters in the middle of the base 64 encoded string.

Now why would anybody ever do that? Well, a lot of malware actually uses base 64. The reason why is very slight changes can actually alter signatures in a much more significant way whenever you’re doing signature pattern matching within an executable.

So what some crafty attackers will do is they’ll actually slip special characters in their base 64 encoded stream. And in doing that, any type of firewall or IDS that’s using deep packet inspection to analyze that base 64 encoded data will start throwing errors.

Base could be like, hm, there’s something wrong here. Now if you’re dealing with a string that has base 64 and it throws in some special characters, you can throw in the -i switch.

And what the -i switch does is it tells base 64, ignore garbage. You’re going to decode this base 64 encoded string. And if you come across something that you don’t quite understand, just don’t worry, ignore it.

Pretend it never existed, pretend that it never happened. And as you can see, it actually cleans up the output substantially in doing that.

So once again, this is used in the Black Hills Information Security cyber range. And if you like it for base 64 encoding and decoding data. Thank you. So check us out every single Wednesday on Enterprise Security Weekly and be sure to hit the subscribe button down below.

We do tons of videos and tons of free education and webcasts at Black Hills Infosec, and I hope to see you on one of our videos or webcasts in the very near future. Thank you so much and take care.

This episode was brought to you by Black Hills Information Security, specializing in pen testing, red teaming, threat hunting, webcasts, open source tools and blogs. It was also brought to you by AI Hunter from Active Countermeasures.

The AI stands for actual intelligence.

Need a threat hunting solution for the network? Check out AI Hunter. It is also brought to you by Wild West Hackin’ Fest, currently offering conferences in San Diego and Deadwood, South Dakota. To check out the schedule and the speaker lineup, check out wildwesthackinfest.com.