Cookies can be base64 encode. So if I capture pcap, does there any way, I can tell that cookie is base64 encoded? The rationale here is that, one cannot tell seeing the padding (=) sign, that it is base64 encoded, there cannot be any padding. Does cookie format supports the way to tell, if it is encoded, like we have in URI.
Asked
Active
Viewed 6,128 times
0
-
1If it looks like a random bunch of alphanumeric characters with occasional `/` and `+` interspersed, it's most likely base64. Period. – John Dvorak Feb 13 '13 at 11:41
-
You can even apply that logic in code. – John Dvorak Feb 13 '13 at 11:43
-
Yes the issue is how you distinguish between legitimate traffic and encoded traffic. – Anant Feb 13 '13 at 12:02
1 Answers
1
If characters in the value of the cookie are in the range of the Base64 value set then it can be Base64 encoded, you should also check the length, because it must be multiplies of 4.
KARASZI István
- 28,974
- 8
- 95
- 116
-
That would be performance hit intensive. Isnt there any other way, apart for parsing the string and checking the bounrdy conditions – Anant Feb 13 '13 at 12:01
-
1It's just one regexp. Check out this answer: http://stackoverflow.com/a/475217/221213 – KARASZI István Feb 13 '13 at 13:22