Member Avatar for overwraith

Hey guys, have you ever had an application where it was necessary to stuff a large base 64 string into a ticket tracking application? It's a javascript variable which is being stuffed. I am seeing some strange stuff in one of my work place's web sites. I was wondering if perhaps there was probably just something innocent, like web asm, or something. It doesn't look like JSON or anything. It looks like byte codes or something. (I DID NOT WRITE THIS APPLICATION)

I don't want to post any of the code here since that wouldn't be cool, but I figured I should probably ask about this since it could be a bad thing, and I am new enough that I don't really know what is ok, and what is not when it comes to production code.

I would like to tell somebody, but I tend to be a little bit of an alarmist, so sometimes I don't necessarily trust my own judgement. I would like to not get fired for accidentally flagging something that is just business as usual.

Edited by overwraith because: more context
  • 5 Contributors
  • 5 Replies
  • 271 Views
  • 4 Weeks Discussion Span
  • Latest Post Latest Post by almostbob
Member Avatar for cereal

It doesn't look like JSON or anything. It looks like byte codes or something. (I DID NOT WRITE THIS APPLICATION)

So, you have decoded the base64 string and you're seeing some strange code? What is the variable for? It could be an icon. An easy method to see the contents is to set data:text/plain;base64,STRING HERE into a Google Chrome browser tab, being text/plain the code will not be executed, but if in doubt use an incognito browser window or start a new profile... an example:

data:text/plain;base64,PHNjcmlwdD5hbGVydCgiaGVsbG8iKTs8L3NjcmlwdD4=

Will display:

<script>alert("hello");</script>

Otherwise, you can decode through the base64_decode() PHP function:

<?php

    $str = "PHNjcmlwdD5hbGVydCgiaGVsbG8iKTs8L3NjcmlwdD4=";
    file_put_contents("output.txt", base64_decode($str));

And then check the contents of the output.txt file.

Link: http://php.net/file-put-contents

Once you have the contents, if it's code and you don't recognize what it is, you can use the search engines to try to find some information, just paste a function name or some constants, this engine is a good place to start:

Bye!

Edited by cereal
Member Avatar for rproffitt

Just thinking here. A long time ago we needed to no have plain text just floating around with ticket details. So way way back then we used a single ROT13 on the strings before sending it across the network. I wonder if as simple as that. Don't let plain text details be easy to pick off the apps or across the wire.

Member Avatar for overwraith

Actually I should make my own base 64 decoder app, just in case there's anything sensitive going on. Actually due to the fact that the code has been changing from day to day, that's the more worrying aspect about it. I'll figure it out. I have told people about it. I think some more security is being implemented soon.

Member Avatar for Raul Perez

Tell how to contact you and have a look a that code.

Member Avatar for almostbob

ticket tracking applications, may use barcodes, line or the 2d phone ones
the barcode could be sent embedded as bas64, to ensure no cached version of the barcode, always the same name and size, is used
check
data:text/plain;base64,
data:image/png;base64,
data:image/jpeg;base64,
data:image/gif;base64,

Edited by almostbob
Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.