
base64Decode behaviour against payload which contain + and / #3327

Open
touchweb-vincent opened this issue Jan 10, 2025 · 3 comments
Labels
2.x Related to ModSecurity version 2.x

Comments

@touchweb-vincent

Hello,

It might be impossible, but if someone has some time to spare, your help would be greatly appreciated.

We are currently working with the following payload:

PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRQoKd2JsUXRnTFJZCQkJCVsgPCFFTEVNRU5UIHdibFF0Z0xSWSBBTlk+PCFFTlRJVFkKDQoNCg0lCg1GcXhaWUxQIFNZU1RFTQoNCg0KDQoNCg0iZmlsZTovLzBwMEdUbTk0M0lCMjhyTiI+ICVGcXhaWUxQOyAlRVVBaGFYSFk7IF0+PHdibFF0Z0xSWT4mcEtCcGJXbDs8L3dibFF0Z0xSWT4=

This is a random XXE payload encoded in Base64. Note the presence of / and + characters in the payload.

The issue arises when mod_security2 on Apache2 processes it during phase 2. At this stage, the + characters are automatically converted into spaces, which corrupts the Base64 sequence and causes the base64Decode transformation to fail.

We cannot apply transformations like t:urlEncode, as they would encode the / and = characters, further corrupting the Base64 sequence.

Do you have any suggestions on how to properly handle this without resorting to a custom exec solution (as described in the ModSecurity reference manual)?

Please, do not reply by telling us that handling high-entropy payloads is a bottomless pit—we know. There might be no solution and it's okay.

Thank you

Vincent

@touchweb-vincent touchweb-vincent added the 2.x Related to ModSecurity version 2.x label Jan 10, 2025
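The mangling described in the report, as an added illustration that is not code from this issue or from ModSecurity: the POST body is parsed as application/x-www-form-urlencoded (the same step that turns `+` into a space), strict Base64 decoding then fails, and an inspection-side repair that restores the `+` lets the decoded content be checked for external-entity markers. The sample bytes, the field name `id` and the marker regex are assumptions for the example.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs

# Constructed sample (not the issue's payload): three leading bytes whose
# Base64 form is "+/+/", followed by a minimal XXE-shaped XML document so the
# detector below has something to find. Assumed field name: "id".
SAMPLE_BYTES = (
    b"\xfb\xff\xbf"
    b'<?xml version="1.0"?><!DOCTYPE d [<!ENTITY e SYSTEM "file:///PLACEHOLDER">]>'
)
SAMPLE_B64 = base64.b64encode(SAMPLE_BYTES).decode("ascii")
# Raw '+' in the body, as in the curl command in the issue (not %2B-escaped).
BODY = "id=" + SAMPLE_B64

XXE_MARKER = re.compile(rb"<!ENTITY\b[^>]*\bSYSTEM\b", re.IGNORECASE)


def form_parse_like_phase2(body: str) -> str:
    """Parse the body as application/x-www-form-urlencoded, as the phase-2
    ARGS parser does: every '+' becomes a space before base64Decode runs."""
    return parse_qs(body)["id"][0]


def strict_b64(value: str):
    """Plain Base64 decode; None on any non-alphabet character (e.g. a space)."""
    try:
        return base64.b64decode(value, validate=True)
    except binascii.Error:
        return None


def tolerant_b64(value: str):
    """Inspection-side repair: Base64 never contains spaces, so a space in a
    field expected to be Base64 can only be a mangled '+'. Restore it first."""
    return strict_b64(value.replace(" ", "+"))


def inspect_arg(body: str) -> dict:
    """Report what a rule would see before and after the repair."""
    value = form_parse_like_phase2(body)
    strict = strict_b64(value)
    repaired = tolerant_b64(value)
    return {
        "plus_was_mangled": " " in value,
        "strict_decoded": strict is not None,
        "tolerant_decoded": repaired is not None,
        "xxe_marker": bool(repaired and XXE_MARKER.search(repaired)),
    }
```

The repair is only unambiguous for a field that is known to carry Base64; a client that percent-encodes `+` as `%2B` never hits the problem in the first place.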
@airween
Member

airween commented Jan 10, 2025

Hi @touchweb-vincent,

so the mentioned base64 encoded string above is in the URL as a GET parameter? Or is that a POST variable?

@touchweb-vincent
Author

Hi @airween, we did our tests with a POST variable:

curl -v 'https://X' -d 'id=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRQoKd2JsUXRnTFJZCQkJCVsgPCFFTEVNRU5UIHdibFF0Z0xSWSBBTlk+PCFFTlRJVFkKDQoNCg0lCg1GcXhaWUxQIFNZU1RFTQoNCg0KDQoNCg0iZmlsZTovLzBwMEdUbTk0M0lCMjhyTiI+ICVGcXhaWUxQOyAlRVVBaGFYSFk7IF0+PHdibFF0Z0xSWT4mcEtCcGJXbDs8L3dibFF0Z0xSWT4='

@airween
Member

airween commented Jan 10, 2025

Thanks - we'll try to figure out something.
