Suspicious/Alarmed/Paranoid??? Kindly assess this...

mr_unreliable
Jan 3, 2006, 12:10:05 PM

hi Groupies,

This may be a little O.T., but you are all extremely knowledgeable and so
I thought you might be willing to provide some help/advice.

When looking through the html source for one of the techie sites that I
had recently visited, I came across the coding listed below.

I became suspicious/alarmed/paranoid??? I say this because it looks
like a very long string of hex code, and because the tag containing the
hex has a "hidden" attribute, it obviously isn't anything intended for
presentation to the viewer. It appears as if somebody is attempting to
download some (potentially nasty) binary code, and maybe install it on
my system (ugh!).

Could you experts take a look at this, and render an opinion, i.e., is
there anything to worry about, or is it all just commonplace innocent fun???

cheers, jw

--- <quote> ---
<input name="__VIEWSTATE" type="hidden"
value="dDwxNzkyMDYyNjQzO3Q8O2w8aTwxPjtpPDU+Oz47bDx0PHA8bDxUZXh0Oz47bDxLb2RlcnMgLSBWaXNWaW0uY3BwOz4+Ozs+O3Q8O2w8aTwzPjtpPDU+Oz47bDx0PDtsPGk8MD47PjtsPHQ8O2w8aTwxPjtpPDc+O2k8OT47aTwxMT47PjtsPHQ8cDxwPGw8TmF2aWdhdGVVcmw7PjtsPC87Pj47PjtsPGk8MD47PjtsPHQ8cDxwPGw8SW1hZ2VVcmw7PjtsPC9za2lucy9rb2RlcnMvbG9nb19tZWQuZ2lmOz4+Oz47Oz47Pj47dDx0PDt0PGk8MzE+O0A8QWxsIExhbmd1YWdlcztBZGE7QVNQO0Fzc2VtYmxlcjtDO0MjO0MrKztDb2xkRnVzaW9uO0RlbHBoaTtFaWZmZWw7RXJsYW5nO0ZvcnRyYW47SmF2YTtKYXZhU2NyaXB0O0pTUDtMaXNwO0x1YTtNYXRoZW1hdGljYTtNYXRsYWI7T2JqZWN0aXZlQztQZXJsO1BIUDtQcm9sb2c7UHl0aG9uO1J1Ynk7U2NoZW1lO1NtYWxsdGFsaztTUUw7VGNsO1ZCO1ZCLk5FVDs+O0A8KjtBZGE7QVNQO0Fzc2VtYmxlcjtDO0MjO0NwcDtDb2xkRnVzaW9uO0RlbHBoaTtFaWZmZWw7RXJsYW5nO0ZvcnRyYW47SmF2YTtKYXZhU2NyaXB0O0pTUDtMaXNwO0x1YTtNYXRoZW1hdGljYTtNYXRsYWI7T2JqZWN0aXZlQztQZXJsO1BIUDtQcm9sb2c7UHl0aG9uO1J1Ynk7U2NoZW1lO1NtYWxsdGFsaztTUUw7VGNsO1ZCO1ZCLk5FVDs+Pjs+Ozs+O3Q8dDw7dDxpPDIxPjtAPEFsbCBMaWNlbnNlcztBRkw7QUwyMDtBU0w7QVBTTDtCU0Q7Q1BMO0dQTDtMR1BMO0lCTVBMO0lPU0w7TVBMMT
"
>
--- <end quote> ---

Bob Barrows [MVP]
Jan 3, 2006, 12:22:38 PM

mr_unreliable wrote:
> hi Groupies,
>
> This may be a little O.T., but you are all extremely knowledgeable and
> so I thought you might be willing to provide some help/advice.
>
> When looking through the html source for one of the techie sites that
> I had recently visited, I came across the coding listed below.
>
> I became suspicious/alarmed/paranoid??? I say this because it looks
> like a very long string of hex code, and because the tag containing
> the hex has a "hidden" attribute, it obviously isn't anything intended for
> presentation to the viewer. It appears as if somebody is attempting
> to download some (potentially nasty) binary code, and maybe install it on
> my system (ugh!).
>
> Could you experts take a look at this, and render an opinion, i.e., is
> there anything to worry about, or is it all just commonplace innocent
> fun???
> cheers, jw
>
> --- <quote> ---
> <input name="__VIEWSTATE" type="hidden"

Nope. This is the hidden form field used by ASP.Net to persist state between
postbacks. It's neither more nor less dangerous than cookies.

There is nothing executable in there: it's simply encoded and compressed
name/value pairs.

--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"


Brian Staff
Jan 3, 2006, 1:30:36 PM

Welcome to dotNET<g> and I think that "somebody" is Microsoft.

Brian

mayayana
Jan 3, 2006, 2:10:55 PM

It is a bit creepy to see that kind of thing.
I don't see why it's necessary to obscure it.
I actually keep a translator script on my desktop
for that kind of thing. Sometimes commercial
websites use base64 to obscure URLs:

' Script-level so the digit table built on the first call is reused.
Dim ANums

Public Function DecodeBase64(Str64)
    Dim B1(), B2()
    Dim i1, i2, LLen, UNum, s2
    Dim A255(255)
    On Error Resume Next
    ' Character codes of the 64 base64 digits: A-Z, a-z, 0-9, + and /.
    ' One Array() call; the " _" continuations are required in VBScript.
    If Not IsArray(ANums) Then
        ANums = Array(65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, _
            79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 97, 98, 99, 100, 101, 102, _
            103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 116, 117, _
            118, 119, 120, 121, 122, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 43, 47)
    End If

    ' A255 maps a character code to its 6-bit value; 64 marks "not a digit".
    For i1 = 0 To 255
        A255(i1) = 64
    Next
    For i1 = 0 To 63
        A255(ANums(i1)) = i1
    Next
    ' Drop the line breaks a newsreader or editor wraps into long strings.
    s2 = Replace(Str64, vbCrLf, "")
    s2 = Replace(s2, vbLf, "")
    LLen = Len(s2)
    ReDim B1(LLen - 1)
    For i1 = 1 To LLen
        B1(i1 - 1) = Asc(Mid(s2, i1, 1))
    Next

    '--B1 is now the input string as an array of character codes.
    ' Every 4 digits (24 bits) become 3 output bytes.
    ReDim B2((LLen \ 4) * 3 - 1)
    i2 = 0
    For i1 = 0 To UBound(B1) Step 4
        B2(i2) = (A255(B1(i1)) * 4) Or (A255(B1(i1 + 1)) \ 16)
        i2 = i2 + 1
        B2(i2) = (A255(B1(i1 + 1)) And 15) * 16 Or (A255(B1(i1 + 2)) \ 4)
        i2 = i2 + 1
        B2(i2) = (A255(B1(i1 + 2)) And 3) * 64 Or A255(B1(i1 + 3))
        i2 = i2 + 1
    Next
    ' Trailing "=" padding (code 61) means the last 1 or 2 bytes are not real.
    If B1(LLen - 2) = 61 Then
        i2 = 2
    ElseIf B1(LLen - 1) = 61 Then
        i2 = 1
    Else
        i2 = 0
    End If
    UNum = UBound(B2) - i2
    ReDim Preserve B2(UNum)
    For i1 = 0 To UBound(B2)
        B2(i1) = Chr(B2(i1))
    Next
    DecodeBase64 = Join(B2, "")
End Function


Bob Barrows [MVP]
Jan 3, 2006, 2:15:57 PM

mayayana wrote:
> It is a bit creepy to see that kind of thing.
> I don't see why it's necessary to obscure it.

It's not only encoded, it's also compressed to reduce the size of the page
sent to the browser.

mr_unreliable
Jan 3, 2006, 2:36:21 PM

It was impressive of you to recognize that as "base64",
and provide a function to decode it.

After using your route to decode that string, it did
appear to be a little more innocent.

But then, not necessarily. After looking up "base64"
it appears that it could be used to download ANYTHING,
onto your system --including malicious and/or binary
code.

cheers, jw

mayayana
Jan 3, 2006, 6:23:19 PM

>
> It's not only encoded, it's also compressed to reduce the size of the page
> sent to the browser.
> --
Interesting. You mean it's compressed *after*
conversion? It seems odd that base64 would come
into it at all in that case, since it adds 33% to the bulk.


mayayana
Jan 3, 2006, 6:28:07 PM


> But then, not necessarily. After looking up "base64"
> it appears that it could be used to download ANYTHING,
> onto your system --including malicious and/or binary
> code.

Yes. That's how email works. If you open an email
with a GIF attachment, say, as text, then copy and paste
the Base64 into Notepad, and process it with that
function, you'll get your GIF back. I suppose it could
be risky but it makes a handy way to move around
binary data. When used in things like referrer strings
and internal webpage code, though, I can't see it
as anything but secretiveness.

mayayana
Jan 3, 2006, 10:01:12 PM

I came across some interesting links. It's called
"ViewState" and appears to be a sort of cookie
that provides for saving data about the state of a
webpage client-side, within the page, allowing
ASP.NET to retrieve all changeable settings on
controls in the page the next time it's loaded.

The encoding seems to be intended to protect
the integrity of the content from being hacked
en route. I guess it's so that you can't change a
button's text from "Submit" to "Click Here to Receive 1
Million Dollars".....and then click the button and sue
the website .....But perhaps there are more
devious possibilities.

Links here:

http://pluralsight.com/blogs/fritz/archive/2004/06/03/408.aspx
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnaspnet/html/asp11222001.asp
http://msdn.microsoft.com/msdnmag/issues/03/02/CuttingEdge/


It's hard to see how Base64 encoding, by itself,
could be any real risk to the client, anyway. It would
just be deciphered by the browser and added to
the page - subject to the same security restraints
as all other webpage content.

And right now it's far more risky to simply view
an image in Internet Explorer:
http://isc.sans.org/diary.php
--
mayaya...@mindXXspring.com
(Remove Xs for return email.)
mr_unreliable <kindlyReply...@notmail.com> wrote in message
news:Oc3ighIE...@tk2msftngp13.phx.gbl...

Bob Barrows [MVP]
Jan 4, 2006, 7:08:12 AM


Oops - I'm still a dotnet newbie, so I have to go back to the documentation
to answer this. Let's see ...

"The __VIEWSTATE field, on the other hand, is encoded using a complex hash
scheme and is unreadable to humans. Only allowed applications will be able
to decrypt the __VIEWSTATE field and extract values from its contents."

hmm, I guess my memory is playing tricks on me. Nowhere does the .Net 1.1
documentation mention compressing the data. I think I remember seeing
something about viewstate compression in 2.0, but I don't have time to look
for it now. Maybe later.

Bob Barrows
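The "hash scheme" in the documentation Bob quotes, and the protection against an edited button caption that mayayana describes two posts up, are an integrity check rather than encryption: the state stays readable, but it can no longer be changed without the server noticing. Added example, not from the thread or from ASP.NET's own code: a Python model of a keyed MAC over the serialized state, using a constructed validation key and HMAC-SHA1 as a stand-in for whatever digest the real implementation uses.

```python
import base64
import hashlib
import hmac

# Constructed server-side secret. In ASP.NET this role is played by the
# machineKey validation key, which the browser never sees.
VALIDATION_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")

MAC_LEN = hashlib.sha1().digest_size  # 20 bytes appended after the state text


def protect(state_text, key=VALIDATION_KEY):
    """Build the hidden-field value: state text, then an HMAC-SHA1 over it,
    base64-encoded. A model of the ViewState MAC, not ASP.NET's own code."""
    payload = state_text.encode("ascii")
    mac = hmac.new(key, payload, hashlib.sha1).digest()
    return base64.b64encode(payload + mac).decode("ascii")


def unprotect(field_value, key=VALIDATION_KEY):
    """Return the state text if its MAC verifies, else raise ValueError.
    The payload is plain base64: anyone can read it; only the key holder
    can produce a trailing digest that verifies."""
    raw = base64.b64decode(field_value)
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(key, payload, hashlib.sha1).digest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("ViewState MAC check failed")
    return payload.decode("ascii")


def verify(field_value, key=VALIDATION_KEY):
    """True if the field would be accepted on postback, False otherwise."""
    try:
        unprotect(field_value, key)
        return True
    except ValueError:
        return False


def edit_field(field_value, old, new):
    """The change the MAC exists to catch: decode, alter one value, re-encode,
    without the key (the 'Submit' caption edit from the thread)."""
    raw = base64.b64decode(field_value)
    return base64.b64encode(raw.replace(old.encode(), new.encode())).decode()
```

Because base64 hides nothing, confidentiality of anything stored in the field still depends on the server not putting secrets there in the first place.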

mayayana
Jan 4, 2006, 9:32:34 AM

It looks like you were right about it being
altered beyond just Base64, though. The
Base64 decoding is readable, except for the
end marker, but it also appears that much of the
decoded text is symbolic.
For instance, "l<i<0>" seems to be a statement
that says 3 things in some kind of shorthand.