Comments on IMQ Minded Security Blog: Fooling B64_Encode(Payload) on WAFs and filters
(6 comments; feed last updated 2024-02-18)

Minded Security (https://www.blogger.com/profile/01503616812076743415), 2010-04-23 04:49 -07:00

The end of the story:
it seems that the ModSecurity people agreed about the too-strict implementation of the Apache APR base64 decoder.
So probably they will give us two B64 decoders:
strict and flexible.

I'm very proud and satisfied now! :)
@Brian, thanks for the interesting discussion on this topic.

Minded Security (https://www.blogger.com/profile/01503616812076743415), 2010-04-22 04:31 -07:00

http://www.ietf.org/rfc/rfc2045.txt
Page 25:
Any characters outside of the base64 alphabet are to be ignored in base64-encoded data.
...
That's about the RFC implementation.

Minded Security (https://www.blogger.com/profile/01503616812076743415), 2010-04-22 01:17 -07:00

Brian, I didn't see your comment, sorry.
You're stating that companies should not rely on the ModSecurity b64 decoder and that they should add a positive rule?

It seems to me a choice for them, as well as it is a choice to implement controls on the application after the payload is decoded on the correct layer.

Stefano Di Paola (https://www.blogger.com/profile/18241677936736054546), 2010-04-22 01:09 -07:00

@thornmaker, thanks.

Although NoScript actually fixed it, it seems they're not going to fix it.
http://blog.modsecurity.org/2010/04/impedance-mismatch-and-base64.html
Their suggestion is about using a positive rule.
I wrote about it 5 years ago (http://www.wisec.it/sectou.php?id=438064b3e5ea4) and I still don't see it used correctly on WAFs.

My suggestion still remains in implementing a good secure SDLC.

Brian Rectanus (https://www.blogger.com/profile/04579246411400625873), 2010-04-22 00:55 -07:00

Yes, endless variations. Please see my response here:

http://blog.modsecurity.org/2010/04/impedance-mismatch-and-base64.html

thornmaker (http://p42.us), 2010-04-21 20:52 -07:00

Nice write up! I've often wondered why base64 decoding is so forgiving. I suppose a good WAF will have to consider all possible variations... ugh.
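The thread above contrasts the RFC 2045 rule quoted in the comments (characters outside the base64 alphabet are ignored) with a strict decoder such as the Apache APR one ModSecurity relied on, and asks how many "variations" a WAF would have to consider. The script below is an added example, not code from the original post, from the commenters or from ModSecurity. It implements an RFC 2045-style lenient decoder by hand next to Python's strict decoder and runs both over constructed obfuscations of one payload, so that the variations a strictly-decoding filter never sees become visible. The payload, the variation names and the `contains_script_tag` check are assumptions made for this example.

```python
"""Strict vs. RFC 2045-lenient base64 decoding of an obfuscated payload.

Added example (not from the original post or from ModSecurity). The sample
payload and its variations below are constructed for illustration.
"""
import base64
import binascii
import string
from typing import Dict, Optional

# Standard base64 alphabet (RFC 2045 / RFC 4648 table 1).
ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"


def strict_b64decode(data: str) -> Optional[bytes]:
    """Strict decoder: a non-alphabet character or bad padding aborts decoding.

    Models a decoder that rejects input it considers malformed, as the APR
    decoder discussed in the thread does. Returns None on rejection.
    """
    try:
        return base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return None


def lenient_b64decode(data: str) -> bytes:
    """RFC 2045-style decoder written by hand.

    Characters outside the alphabet are silently skipped, decoding stops at
    the first '=', and a missing final '=' is tolerated: leftover bits that
    do not form a whole byte are dropped.
    """
    out = bytearray()
    acc = 0      # bit accumulator
    nbits = 0    # number of valid bits currently held in acc
    for ch in data:
        if ch == "=":
            break
        idx = ALPHABET.find(ch)
        if idx < 0:
            continue  # RFC 2045 p.25: non-alphabet characters are ignored
        acc = (acc << 6) | idx
        nbits += 6
        if nbits >= 8:
            nbits -= 8
            out.append((acc >> nbits) & 0xFF)
            acc &= (1 << nbits) - 1
    return bytes(out)


def contains_script_tag(decoded: Optional[bytes]) -> bool:
    """Hypothetical WAF signature check applied to the decoded bytes."""
    return decoded is not None and b"<script" in decoded.lower()


# Constructed variations of base64("<script>"), which is "PHNjcmlwdD4=".
VARIATIONS: Dict[str, str] = {
    "canonical":  "PHNjcmlwdD4=",
    "junk_chars": "PHNj.cmlw!dD4=",    # punctuation outside the alphabet
    "newline":    "PHNjcmlw\ndD4=",    # line break mid-stream, MIME style
    "no_padding": "PHNjcmlwdD4",       # trailing '=' dropped
}


def compare(payload: str) -> Dict[str, bool]:
    """Does each decoder let the signature check see the <script> tag?"""
    return {
        "strict": contains_script_tag(strict_b64decode(payload)),
        "lenient": contains_script_tag(lenient_b64decode(payload)),
    }


def mismatches() -> Dict[str, Dict[str, bool]]:
    """Variations on which a strict WAF and a lenient application disagree."""
    results = {name: compare(payload) for name, payload in VARIATIONS.items()}
    return {name: r for name, r in results.items() if r["strict"] != r["lenient"]}


if __name__ == "__main__":
    for name, payload in VARIATIONS.items():
        print(f"{name:12s} {compare(payload)}")
    print("impedance mismatches:", sorted(mismatches()))
```

Every variation except the canonical one decodes to `<script>` under the lenient decoder and is rejected outright by the strict one, which is the impedance mismatch the thread is about: a filter that decodes strictly and passes rejected input through unchanged never inspects what a forgiving application-side decoder will reconstruct. Note that Python's own `base64.b64decode` is already lenient about foreign characters by default (`validate=False` discards them) while still enforcing padding, so even one language's standard library sits between the two extremes; the two comparison points here are the explicit `validate=True` and the hand-written RFC 2045 decoder.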