February 26, 2011, 2:49 AM

Some secure applications provide functionality to protect important data. They use an encoding algorithm to encode the secured data before it is sent from the client, and a matching decoding algorithm to decode it on the server side.

Many algorithms do this encoding and decoding for you. Let us consider one:

The Base-64 algorithm encodes plain text into a format built from a 64-character alphabet.

e.g.

/*Plain Text: */

"action=INIT&state=ViewTransfer_INIT&txnPayPayRefNumber=000000&txnBatchRefNumber=111111"

/*Encoded Text:*/

"YWN0aW9uPUlOSVQmc3RhdGU9Vmlld1RyYW5zZmVyX0lOSVQmdHhuUGF5UGF5UmVmTnVtYmVyPTAwMDAwMCZ0eG5CYXRjaFJlZk51bWJlcj0xMTExMTE="

Secured applications use this type of encoder on the client side so that the important data is not readable at a glance; the encoding is done in JavaScript. Base-64 has no key and is fully reversible, which is why the recorded value can be decoded and rebuilt in the steps below.

When you record a script for this type of application, you will find seemingly random characters in it. If the application sends these characters in the request body, you need to know what they stand for: without decoding the encoded string you cannot correlate the values inside it. To correlate them, follow the steps below:

• From the generation log, find out which encoding algorithm the application is using.

• Many websites provide online tools for encoding and decoding, e.g. http://www.rbl.jp/base64.php

• Decode the encoded string and correlate the dynamic values in it.

• Prepare the exact string using a string tokenizer.

• Encode the final string and put it in the request.

web_custom_request("saveParameters.jsp",
    "URL=https://example.com: saveParameters.jsp",
    "Method=POST",
    "TargetFrame=",
    "Resource=0",
    "RecContentType=text/html",
    "Snapshot=t13.inf",
    "Mode=HTML",
    "Body=page=ViewTransfer&params=YWN0aW9uPUlOSVQmc3RhdGU9Vmlld1RyYW5zZmVyX0lOSVQmdHhuUGF5UGF5UmVmTnVtYmVyPTAwMDAwMCZ0eG5CYXRjaFJlZk51bWJlcj0xMTExMTE=",
    LAST);

Decode the encoded string above and capture the dynamic values accordingly. Create a string with the dynamic values and pass it as a parameter to the Base-64 encoding function.
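The decode step can also be done locally instead of through an online tool. The following stand-alone C program is an added example, not code from the original post: it decodes the `params` value of the recorded request and pulls out one field that needs correlation. The helper names `b64_decode` and `query_get` are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Example helper: decode padded Base-64 into a calloc'd string; NULL if malformed. */
char *b64_decode(const char *in)
{
    static const char lut[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    size_t len = strlen(in), i, o = 0;
    char *out;
    if (len % 4 != 0 || (out = calloc(len / 4 * 3 + 1, 1)) == NULL) return NULL;
    for (i = 0; i < len; i += 4) {
        int v[4], k, pad = 0;
        for (k = 0; k < 4; k++) {
            const char *p = strchr(lut, in[i + k]);
            if (in[i + k] == '=' && k >= 2 && i + 4 == len) { v[k] = 0; pad++; }
            else if (pad || p == NULL) { free(out); return NULL; }
            else v[k] = (int)(p - lut);
        }
        out[o++] = (char)(v[0] << 2 | v[1] >> 4);
        if (pad < 2) out[o++] = (char)((v[1] & 0xF) << 4 | v[2] >> 2);
        if (pad < 1) out[o++] = (char)((v[2] & 0x3) << 6 | v[3]);
    }
    return out; /* calloc zeroed the buffer, so it is already terminated */
}

/* Example helper: copy key's value from "k=v&k=v"; returns 1 if found and it fits. */
int query_get(const char *qs, const char *key, char *val, size_t cap)
{
    size_t klen = strlen(key), seg;
    for (; *qs; qs += seg + (qs[seg] == '&')) {
        seg = strcspn(qs, "&");
        if (seg <= klen || strncmp(qs, key, klen) != 0 || qs[klen] != '=') continue;
        if (seg - klen - 1 >= cap) return 0;
        sprintf(val, "%.*s", (int)(seg - klen - 1), qs + klen + 1);
        return 1;
    }
    return 0;
}

int main(void)
{
    /* Sample input: the params value from the recorded request on this page */
    char ref[32], *plain = b64_decode("YWN0aW9uPUlOSVQmc3RhdGU9Vmlld1RyYW5zZmVyX0lOSVQmdHhuUGF5UGF5UmVmTnVtYmVyPTAwMDAwMCZ0eG5CYXRjaFJlZk51bWJlcj0xMTExMTE=");
    if (plain && query_get(plain, "txnPayPayRefNumber", ref, sizeof ref))
        printf("%s\ncorrelate txnPayPayRefNumber=%s\n", plain, ref);
    free(plain);
    return 0;
}
```

The decoded output shows which fields are static (`action`, `state`) and which are the dynamic values to capture with correlation.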

Put the functions given below in globals.h:

#ifndef _GLOBALS_H
#define _GLOBALS_H

/* Include Files */
#include "lrun.h"
#include "web_api.h"
#include "lrw_custom_body.h"

/* Global Variables */

/* Prototype, so that convert() can call base64encode() before its definition */
void base64encode(char *src, char *dest, int len);

/* Converting into Base-64 encoding; the caller must free() the returned buffer */
char *convert(char *src)
{
    int dest_size;
    char *deststr;

    /* Allocate dest buffer: 4 output characters per 3 input bytes, plus terminator */
    dest_size = 1 + ((strlen(src) + 2) / 3 * 4);
    deststr = (char *)malloc(dest_size);
    memset(deststr, 0, dest_size);
    base64encode(src, deststr, dest_size);
    return deststr;
}

/* Encodes a NUL-terminated buffer to base64 (len is the size of dest and is not used here) */
void base64encode(char *src, char *dest, int len)
{
    char base64encode_lut[] = {
        'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q',
        'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h',
        'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y',
        'z', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', '+', '/', '=' };
    int i = 0, slen = strlen(src);

    /* Encode each group of 3 input bytes as 4 output characters */
    for (i = 0; i < slen; i += 3, src += 3)
    {
        *(dest++) = base64encode_lut[(*src & 0xFC) >> 0x2];
        *(dest++) = base64encode_lut[(*src & 0x3) << 0x4 | (*(src + 1) & 0xF0) >> 0x4];
        /* Pad with '=' when the final group has fewer than 3 bytes */
        *(dest++) = ((i + 1) < slen) ? base64encode_lut[(*(src + 1) & 0xF) << 0x2 | (*(src + 2) & 0xC0) >> 0x6] : '=';
        *(dest++) = ((i + 2) < slen) ? base64encode_lut[*(src + 2) & 0x3F] : '=';
    }
    *dest = '\0'; /* Append terminator */
}

#endif // _GLOBALS_H

Preparing the query string & passing to base-64 encoding

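char *getParam(char *str, char *param1, char *param2, char *param3)
{
    char *param;  /* plain-text query string, sized from the inputs */
    char *target; /* Base-64 result, allocated by convert() */
    int size;

    /* Size the buffer from the inputs: a fixed char[200] overflows on long correlated values */
    size = strlen(str) + strlen(param1)
         + strlen("&txnPayPayRefNumber=") + strlen(param2)
         + strlen("&txnBatchRefNumber=") + strlen(param3) + 1;
    param = (char *)malloc(size);

    /* The leading '&' separators are needed to produce the final string shown at the end */
    strcpy(param, str);
    strcat(param, param1);
    strcat(param, "&txnPayPayRefNumber=");
    strcat(param, param2);
    strcat(param, "&txnBatchRefNumber=");
    strcat(param, param3);

    target = convert(param);
    free(param);
    return target; /* the caller must free() this buffer */
}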

Call the above functions in the script as shown below, capture the return value into a parameter, and substitute it in the request.

char *encoded; /* declare with the other locals at the top of the Action */

/* getParam() returns a malloc'd buffer; lr_save_string() copies it, so free it afterwards */
encoded = getParam("action=INIT&state=ViewTransfer_",
                   "INIT",
                   lr_eval_string("{p_PayPayRefNumber}"),
                   lr_eval_string("{p_BatchRefNumber}"));
lr_save_string(encoded, "param");
free(encoded);

web_custom_request("saveParams.jsp",
    "URL=https://example/saveParams.jsp",
    "Method=POST",
    "Resource=0",
    "RecContentType=text/html",
    "Referer=https://example.com:8517/ExecPendingTransfer.do",
    "Snapshot=t13.inf",
    "Mode=HTML",
    "Body=page=ViewTransfer&params={param}",
    LAST);

Final string:

action=INIT&state=ViewTransfer_INIT&txnPayPayRefNumber=000000&txnBatchRefNumber=111111