Application Development and Automation Discussions

deactivate encoding for analysis purposes?

Former Member

Hi security folks,

We have a scanning tool which we successfully use to analyze development work on web applications. The main purpose is security analysis such as parameter validations etc etc.

The SAP WAS is causing problems for such analysis as the parameters / values are base64 encoded into the path, so the scanner cannot know or test it.

Does anybody know whether and where it is possible (or legal?) to deactivate this encoding, or should we just accept it as a security feature which makes our system safer?

Kind regards,

Julius

1 ACCEPTED SOLUTION
christian_wippermann
Product and Topic Expert

The base64 encoding is not a security mechanism. It is used to transport special characters in URLs without using URL encoding. I do not know if there is a way to deactivate the b64 encoding but strongly doubt it.

I suppose you are refering to a web application firewall in front of your SAP WAS. Wouldn't it be possible to identify those parameters that are b64 encoded, decode them in the WAF and check the decoded values? As far as I know most of the params are not encoded and can be checked right away.

Cheers,

Christian

9 REPLIES


Thanks Christian,

I also have my doubts as OSS returns a note indicating that the government has meddled with the topic. (631826 category "legal change")

The scanner is located on the front end and the user navigates around a bit so the scanner can inform itself. The encoding of parameters and values for the same directory makes it think that all URLs are unique paths -> so it cannot go prowling beyond the encoded value.

The idea of the tool is not rocket science, it is used to automate some of the testing / QA (with a bit of help from human intuition) to do a high level check for known errors (scripting, injection, missing input validation etc). Nevertheless, is there a source on identifying a b64 encoded value and decoding it?

Many thanks for the idea,

Julius


Hi Julius,

If you do semi-automated checks, you should find them. Strings like "Y2t3Lg==" especially if they have one or two equal signs at the end are most probably Base64 (<a href="http://en.wikipedia.org/wiki/Base64">see wikipedia for some detailed explanation</a>).

Be careful that besides alphanumeric characters also "+" and "/" are allowed in b64 encoded values. They will additionally be URL encoded to %2B and %2F. Before you decode b64 you need to URLdecode these values.

For occasional decoding / encoding of base64, you could use the various online tools. Just google for "<a href="http://www.google.de/search?hl=de&q=base64encodedecode&meta=">base64 encode decode</a>".

Hope that helped,

Christian
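As an added example (not code from the thread, from SAP or from the tool discussed): a small Python helper that does what Christian describes above, URL-decoding each path segment first and then testing it as Base64, so that a scanner or WAF rule can inspect the decoded plaintext. The sample path and its encoded values are constructed for illustration and do not reproduce the SAP URL format; the Base64 check is a heuristic.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Standard Base64 alphabet (A-Z, a-z, 0-9, '+', '/') with up to two '=' pads at the end.
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def looks_like_base64(token: str, min_len: int = 4) -> bool:
    """Cheap syntactic check: right alphabet, length a multiple of 4, padding only at the end."""
    return len(token) >= min_len and len(token) % 4 == 0 and bool(B64_TOKEN.match(token))


def decode_if_text(token: str):
    """Decode a candidate token; return the plaintext only if it is printable UTF-8.

    Ordinary four-letter words such as 'demo' pass the syntactic check but decode
    to byte garbage, so the text filter removes most of those false positives.
    """
    if not looks_like_base64(token):
        return None
    try:
        raw = base64.b64decode(token, validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def find_encoded_parameters(url_path: str) -> dict:
    """Map every Base64-looking path segment to its decoded plaintext.

    Segments are split on the literal '/' first and URL-decoded afterwards, so a
    '%2F' or '%2B' inside an encoded value becomes the '/' or '+' of the Base64
    alphabet instead of being mistaken for a path separator.
    """
    found = {}
    for raw_segment in url_path.split("/"):
        token = unquote(raw_segment)  # %2B -> '+', %2F -> '/', %3D -> '='
        text = decode_if_text(token)
        if text is not None:
            found[token] = text
    return found


# Constructed sample path (not a real SAP URL): two encoded values between plain segments.
SAMPLE_PATH = "/bsp/demo/Y2t3Lg%3D%3D/dXNlcj0%2F/start.htm"

if __name__ == "__main__":
    for token, plaintext in find_encoded_parameters(SAMPLE_PATH).items():
        print(f"{token!r} -> {plaintext!r}")  # the plaintext is what the scanner should test
```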


Hi Julius,

I'm sorry, but most likely you are on the wrong track.

).

Regards, Wolfgang


Thank you Wolfgang,

Are mangled URLs a proprietary thing?

Julius


Definitely - it is even BSP-specific.

Brian McKellar has posted some documents on that topic in SDN. I just do not have the URL at hand ...


Thank you Wolfgang.

We will try to find the decode_url and figure it out how to use it.

If the effort is worth it I will update the post.

Many thanks,

Julius


> Are mangled URLs a proprietary thing?

Here's the <a href="/people/brian.mckellar/blog/2003/09/30/bsp-in-depth-url-mangling">link to Brian's Blog on "Mangled URLs"</a>


Thank you Wolfgang!

From the blog: <i>"anyone in our group who even thinks about using frames is banished from the office for the day :-)."</i>

Well, it is Friday and the sun is shining...