Cryptography / Base64-Encoded Data in Parameter
Base64-encoded data in a parameter is a finding that web-application and API scanners raise when a request parameter, cookie, or URL segment carries a Base64-encoded value. Base64 is a reversible encoding, not encryption: anyone who sees the value can decode it without a key, and anyone can modify the decoded content and re-encode it. The page files the finding under CWE-344, but CWE-344 is "Use of Invariant Value in Dynamically Changing Context"; the weakness actually described here is CWE-345, Insufficient Verification of Data Authenticity. The defect is that the application decodes a client-controlled value and acts on it without checking that the value is the one it originally issued and without validating what the decoded bytes contain. Depending on what consumes the decoded data, the consequences range from information disclosure (user IDs, e-mail addresses, internal paths, or session state readable by whoever holds the parameter) to tampering (a role or account identifier changed before re-encoding) to injection into whatever the decoded bytes are fed to, such as a SQL query, a deserializer, or an interpreter. The OWASP Testing Guide's general advice applies here: treat the decoded value as untrusted input and validate it against an allowlist of the expected structure and values before any further processing.
The impact therefore depends entirely on what the decoded data drives. Where it only exposes a non-sensitive identifier, the finding is informational; where it lets a client rewrite authorization state or reaches a deserializer or an eval-style sink, it is a full remote code execution or privilege escalation and should be scored accordingly. No single CVSS score fits the whole class, and a score of 8.8 would in any case be rated High, not Critical, under CVSS v3.1, so per-instance scoring is required rather than a fixed number.
To mitigate this, first ask whether the data needs to leave the server at all; an opaque random identifier that indexes server-side state removes the problem outright. Where client-held state is unavoidable, protect its integrity with a MAC or signature computed with a server-side key (for example HMAC-SHA256 over the encoded body, compared in constant time) and reject any parameter whose tag does not verify before decoding it. Decode strictly, rejecting characters outside the Base64 alphabet and malformed padding instead of silently skipping them. Validate the decoded content against an allowlist of expected fields, types, and values, and never pass it to eval, unserialize, a shell, or a query builder. Base64 provides no confidentiality, so if the contents must also stay secret, use authenticated encryption rather than relying on the encoding; patching alone does not address a design-level trust in client data.
The following minimal PHP snippet shows the pattern in its most dangerous form: an attacker-controlled parameter is decoded and executed with no integrity check and no validation, so anyone who can send a request can run arbitrary PHP on the server.
$data = base64_decode($_POST['data']); // untrusted client input, decoded with no integrity check
eval($data);                           // executes attacker-supplied PHP: remote code execution
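The following is an added example, not code from the original page, written in Python rather than the page's PHP so that the attack and the hardened decoder can run side by side. It covers both the tampering described above and the mitigation steps: a server that trusts a Base64 parameter carrying a user's role is escalated from user to admin by decoding, editing, and re-encoding the value, while a hardened decoder rejects the same input because it verifies an HMAC-SHA256 tag first, decodes strictly second, and allowlist-validates the decoded fields third. The key, field names, and role values are assumptions made for the example; the forged input is constructed inline.

```python
import base64
import hashlib
import hmac
import json

# Server-side HMAC key. Assumption for this example only: a real deployment
# loads it from a secrets store and never ships it in source code.
SERVER_KEY = b"example-only-hmac-key-replace-me"

# Allowlist of the structure and values the decoded state may carry (assumed).
ALLOWED_KEYS = {"uid", "role"}
ALLOWED_ROLES = {"user", "admin"}


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii")


def _b64d_strict(text: str) -> bytes:
    """Strict decode: characters outside the URL-safe alphabet or bad padding
    raise binascii.Error (a ValueError) instead of being silently skipped."""
    return base64.b64decode(text.encode("ascii"), altchars=b"-_", validate=True)


def _serialise(payload: dict) -> str:
    return _b64e(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())


def encode_state(payload: dict, key: bytes = SERVER_KEY) -> str:
    """Issue a parameter of the form <base64 body>.<hex HMAC-SHA256 over the body>."""
    body = _serialise(payload)
    tag = hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def tamper(param: str, **changes) -> str:
    """What an attacker does with an unverified Base64 parameter: decode the
    body, edit it, re-encode it. The old tag is kept unchanged because the
    attacker cannot compute a new one without SERVER_KEY."""
    body, _, tag = param.partition(".")
    payload = json.loads(base64.urlsafe_b64decode(body))
    payload.update(changes)
    return f"{_serialise(payload)}.{tag}"


def decode_state_unverified(param: str) -> dict:
    """The weak server: decodes and trusts whatever the client sent."""
    body = param.partition(".")[0]
    return json.loads(base64.urlsafe_b64decode(body))


def decode_state_verified(param: str, key: bytes = SERVER_KEY) -> dict:
    """The hardened server: MAC check, then strict decode, then allowlist validation."""
    body, _, tag = param.partition(".")
    if not body or not tag:
        raise ValueError("malformed parameter")
    expected = hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):       # constant-time comparison
        raise ValueError("integrity check failed")
    try:
        payload = json.loads(_b64d_strict(body))     # JSON and Base64 errors are ValueErrors
    except ValueError as exc:
        raise ValueError("undecodable body") from exc
    if not isinstance(payload, dict) or set(payload) != ALLOWED_KEYS:
        raise ValueError("unexpected structure")
    uid = payload["uid"]
    if isinstance(uid, bool) or not isinstance(uid, int) or uid <= 0:
        raise ValueError("invalid uid")
    if payload["role"] not in ALLOWED_ROLES:
        raise ValueError("role not allowed")
    return payload


def outcome(param: str) -> str:
    """Verdict of the hardened decoder as a string, for comparison."""
    try:
        return "accepted:" + decode_state_verified(param)["role"]
    except ValueError as exc:
        return "rejected:" + str(exc)


def demo() -> dict:
    genuine = encode_state({"uid": 42, "role": "user"})
    forged = tamper(genuine, role="admin")   # constructed attack input
    return {
        "weak_role": decode_state_unverified(forged)["role"],        # "admin": escalation
        "strong_genuine": outcome(genuine),                          # accepted:user
        "strong_forged": outcome(forged),                            # rejected:integrity check failed
        "strong_no_tag": outcome(forged.partition(".")[0]),          # rejected:malformed parameter
        # a validly signed but disallowed value: integrity alone is not enough
        "strong_bad_role": outcome(encode_state({"uid": 1, "role": "root"})),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The ordering inside decode_state_verified matters: the MAC is checked before the body is decoded, so a forged or malformed body never reaches the decoder or the JSON parser, and the allowlist check runs last because a correctly signed value can still be one the application should not accept.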