search

Part 4 – Encoded Data and Exfiltration (Base64)

Handle base64 payloads for environments where multipart isn’t feasible (XSS/SSRF).

hashtag
Learning Objectives

  • Explain why base64 encoding is useful for constrained vectors (XSS, SSRF).

  • Implement GET- and POST-based encoded exfil endpoints with clear error semantics.

  • Design predictable artifact naming when the client doesn’t send a filename.

hashtag
Goals

  • Implement a GET-based exfil endpoint GET /exfil?q=<b64>&filename=....

  • Implement a POST-based JSON variant for encoded uploads.

  • Decode safely; write artifacts predictably.

hashtag
Key Terms

  • Base64: Binary-to-text encoding safe for URLs and JSON payloads.

  • 400 Bad Request: Malformed or missing parameters; client must fix input.

  • UTC Timestamp: Unambiguous time format for artifact names and logs.

hashtag
What You’ll Build

  • /exfil (GET) and /upload-encoded (POST JSON) with explicit outcomes.

hashtag
Sections

  • Why Base64: Transport-compatibility in constrained vectors (XSS, SSRF).

  • Decoding Path: Validate input → decode → write bytes → return 2xx/4xx.

  • Naming Strategy: IP + timestamp fallback; reader-provided filename.

  • Error Handling: Malformed base64 → explicit 400; missing params.

  • Milestone: Exfil works with curl; artifacts reproducible on disk.

  • Security Notes: Input sizes, log redaction, directory traversal avoidance.

hashtag
Exercises

  • Attempt malformed input; confirm correct error and logs.

  • Compare GET vs POST behavior and logging footprint.

hashtag
What’s Next

  • Add one-shot limits, callbacks, and lifecycle shutdown.

PreviousPart 3 – Accepting Uploads (multipart/form-data)NextPart 5 – Limits, Callbacks, and Lifecycle Shutdown

Last updated