
JIRAs

BIOMETRIC-9

Analysis

Base64 encoded URL query parameters

When a REST API has to use GET rather than POST, the key/value pairs are visible in the URL; one way to obfuscate them is to base64 encode the query string on the client and decode it again in a servlet filter chain before the controller sees it.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/Data_URIs

Spring Boot Query Parameter Support

Add a filter

http://127.0.0.1:8080/nbi/api?action=test

    @Controller
    @RequestMapping("/api")
    // http://localhost:8080/nbi/api?action=test
    public class ApiController {
        @RequestMapping(method=RequestMethod.GET)
        public @ResponseBody Api process(
                // a defaultValue implicitly makes the parameter optional, so required=true is
                // ignored; a request without ?action= logs action=undefined (see Testing below)
                @RequestParam(value="action", required=true, defaultValue="undefined") String action,
                HttpServletRequest request) {
            // ... method body continues in the project source; placeholder return only
            return null;
        }
    }




Design

DI 1: Modifying the request query parameters in a filter

https://www.baeldung.com/spring-reading-httpservletrequest-multiple-times

Implementation

    /**
     * MapReduce: split a string on & into a list and then each entry on the = delimiter into a map
     * execution=e1s1&action=test = ZXhlY3V0aW9uPWUxczEmYWN0aW9uPXRlc3Q=
     * (uses java.util.LinkedHashMap, java.util.Map, java.util.stream.Collectors, java.util.stream.Stream)
     */
    private Map<String, String> parseParameters(String decoded) {
        Map<String, String> map = Stream.of(decoded.split("&"))
                .filter(s -> !s.isEmpty())
                // limit 2 keeps any '=' that appears inside a value
                .map(s -> s.split("=", 2))
                .collect(Collectors.toMap(
                        a -> a[0],
                        // a parameter without '=' maps to "" instead of throwing ArrayIndexOutOfBounds
                        a -> a.length > 1 ? a[1] : "",
                        // a repeated key keeps the first value instead of failing with IllegalStateException
                        (first, second) -> first,
                        LinkedHashMap::new));
        map.forEach((k, v) -> LOG.info("Attribute: " + k + "=" + v));
        return map;
    }
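The filter side of DI 1, as an added example that is not the page's own Base64Filter: it decodes a query string that consists of one base64 token and hands the pairs to the controller through a HttpServletRequestWrapper, so the decoded result of ?ZXhlY3V0aW9uPWUxczE= is read by @RequestParam exactly as in the Testing log (no action pair, so action=undefined). It assumes javax.servlet 4.0 (Spring Boot 2.x, where Filter.init/destroy have defaults) and that the class is registered as a filter bean; the class and method names are hypothetical.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

// Hypothetical filter: when the whole query string is a single base64 token, e.g.
// ?ZXhlY3V0aW9uPWUxczE= -> execution=e1s1, the decoded pairs are exposed through the
// standard request API, so @RequestParam in ApiController reads them unchanged.
public class Base64QueryFilter implements Filter {
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        Map<String, String[]> params = decodeQuery(http.getQueryString());
        // A plain query such as ?action=test is not valid base64 and passes through untouched.
        chain.doFilter(params == null ? req : new DecodedRequest(http, params), res);
    }

    // Returns null unless the query string is valid base64 whose plaintext holds at least
    // one key=value pair; malformed or hostile input is rejected, never thrown on.
    static Map<String, String[]> decodeQuery(String query) {
        if (query == null || query.isEmpty()) return null;
        String decoded;
        try {   // standard alphabet, as used on this page
            decoded = new String(Base64.getDecoder().decode(query), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException notBase64) {
            return null;
        }
        Map<String, String[]> map = new LinkedHashMap<>();
        for (String pair : decoded.split("&")) {
            String[] kv = pair.split("=", 2);          // limit 2 keeps any '=' inside a value
            if (kv.length == 2 && !kv[0].isEmpty()) map.put(kv[0], new String[] { kv[1] });
        }
        return map.isEmpty() ? null : map;
    }

    // Answers the getParameter* family from the decoded map instead of the container's.
    static class DecodedRequest extends HttpServletRequestWrapper {
        private final Map<String, String[]> params;
        DecodedRequest(HttpServletRequest request, Map<String, String[]> params) {
            super(request);
            this.params = Collections.unmodifiableMap(params);
        }
        @Override public String getParameter(String n) { String[] v = params.get(n); return v == null ? null : v[0]; }
        @Override public String[] getParameterValues(String n) { return params.get(n); }
        @Override public Map<String, String[]> getParameterMap() { return params; }
        @Override public Enumeration<String> getParameterNames() { return Collections.enumeration(params.keySet()); }
    }
}
```

Base64 is reversible, so the encoded query string still lands in access logs, proxies and browser history and anyone holding it recovers the parameters; this is obfuscation, not confidentiality, and values that actually need protecting belong in a POST body over TLS.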


Testing

http://127.0.0.1:8080/nbi/api?ZXhlY3V0aW9uPWUxczE=

2020-02-17 16:01:00.880  INFO 82380 --- [nio-8080-exec-1] c.c.reference.nbi.Base64Filter           : Pre request querystring: ZXhlY3V0aW9uPWUxczE=
2020-02-17 16:01:00.880  INFO 82380 --- [nio-8080-exec-1] c.c.reference.nbi.Base64Filter           : encoded: ZXhlY3V0aW9uPWUxczE=
2020-02-17 16:01:00.880  INFO 82380 --- [nio-8080-exec-1] c.c.reference.nbi.Base64Filter           : decoded: execution=e1s1
2020-02-17 16:01:00.881  INFO 82380 --- [nio-8080-exec-1] c.c.reference.nbi.ApiController          : cloud.containerization.reference.nbi.ApiController 1 PASS cloud.containerization.reference.nbi.ApiController remoteAddr: 127.0.0.1 localAddr: 127.0.0.1 remoteHost: 127.0.0.1 serverName: 127.0.0.1 parameter::action=undefined
2020-02-17 16:01:00.883  INFO 82380 --- [nio-8080-exec-1] c.c.reference.nbi.Base64Filter           : Post request: /nbi/api


Links

A JVM replacement for Apache's mod_proxy https://tuckey.org/urlrewrite/
