search

Part 4 – Encoded Data and Exfiltration (Base64)

Handle base64 payloads for environments where multipart isn’t feasible (XSS/SSRF).

hashtag
Goals

  • Implement a GET-based exfil endpoint GET /exfil?q=<b64>&filename=....

  • Implement a POST-based JSON variant for encoded uploads.

  • Decode safely; write artifacts predictably.

hashtag
What You’ll Build

  • /exfil (GET) and /upload-encoded (POST JSON) with explicit outcomes.

hashtag
Sections

  • Why Base64: Transport-compatibility in constrained vectors (XSS, SSRF).

  • Decoding Path: Validate input → decode → write bytes → return 2xx/4xx.

  • Naming Strategy: IP + timestamp fallback; reader-provided filename.

  • Error Handling: Malformed base64 → explicit 400; missing params.

  • Milestone: Exfil works with curl; artifacts reproducible on disk.

  • Security Notes: Input sizes, log redaction, directory traversal avoidance.

hashtag
Exercises

  • Attempt malformed input; confirm correct error and logs.

  • Compare GET vs POST behavior and logging footprint.

hashtag
What’s Next

  • Add one-shot limits, callbacks, and lifecycle shutdown.

PreviousAppendix – Testing, Troubleshooting, and HardeningNextPart 5 – Limits, Callbacks, and Lifecycle Shutdown

Last updated