Base-64 encoded text

ID

base64

Severity

info

Vendor

-

Family

Generic secret

Description

This detector reports base-64 encoded strings with a high entropy per character. Enable it only when you intend to audit every suspicious hardcoded base-64 string it reports: it matches on shape and entropy alone, so it also flags legitimate encoded data.

This detector does not analyse the context of the match (the variable, assignment or function call surrounding the base-64 string).

Security

In some cases this detector catches secrets that no other detector matched, but every finding should be audited before it is treated as a leak.

Note that malicious code is often obfuscated by encryption or another technique and then base-64 encoded to hide it from code review. A long base-64 string with no good reason to be in the code can therefore be a hint of a backdoor or malware.

Examples

source_code = 'PHN2Zy9vbmxvYWQ9c2V0SW50ZXJ2YWwoZnVuY3Rpb24oKXt3aXRoKGRvY3VtZW50KWJvZHkuYXBwZW5kQ2hpbGQoY3JlYXRlRWxlbWVudCgic2NyaXB0IikpLnNyYz0iLy8xNzEuMjI0LjE4MS4xMDY6NDg0OCJ9LDk5OSk+';
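The following Python is an added example, not part of this page or of the detector's implementation. It shows the two checks the Description and Security sections describe: it finds runs of base-64 alphabet characters, keeps those whose Shannon entropy per character is above a threshold, and decodes the survivors so an auditor can see what they contain. Run on a constructed input that embeds the example string above, it reports that string and shows that it decodes to an svg onload handler that appends a script tag pointing at a remote address, the kind of finding the Security section warns about. The regular expression, the 20-character minimum and the 4-bit threshold are assumptions chosen for illustration; the detector's real tuning is not documented here.

```python
import base64
import binascii
import math
import re
from collections import Counter

# Constructed sample input: the page's own base-64 string embedded in a
# line of source, plus two decoys that a shape-only regex would match or
# nearly match but an entropy/length check should drop.
SAMPLE_SOURCE = (
    "source_code = 'PHN2Zy9vbmxvYWQ9c2V0SW50ZXJ2YWwoZnVuY3Rpb24oKXt3aXRoKGRvY3VtZW50KWJvZHkuYXBwZW5kQ2hpbGQoY3JlYXRlRWxlbWVudCgic2NyaXB0IikpLnNyYz0iLy8xNzEuMjI0LjE4MS4xMDY6NDg0OCJ9LDk5OSk+';\n"
    "padding = 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA';\n"  # valid alphabet, zero entropy
    "greeting = 'aGVsbG8=';\n"                              # too short to be a finding
)

# Runs of base-64 alphabet characters with optional '=' padding. The minimum
# length and the entropy threshold are assumptions for this example, not the
# detector's actual tuning.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")
MIN_ENTROPY_BITS = 4.0


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for a constant string)."""
    n = len(s)
    counts = Counter(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def try_decode(token: str):
    """Strictly decode token, tolerating stripped '=' padding; None if invalid."""
    padded = token + "=" * (-len(token) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None


def find_high_entropy_base64(text: str, min_entropy: float = MIN_ENTROPY_BITS):
    """Return one finding per base-64 run whose entropy is above min_entropy.

    Each finding carries the raw token, its entropy, and a text preview of
    the decoded bytes so an auditor can see what the string actually is.
    """
    findings = []
    for match in BASE64_RUN.finditer(text):
        token = match.group(0)
        entropy = shannon_entropy(token)
        if entropy < min_entropy:
            continue  # repetitive filler such as 'AAAA...' is not interesting
        raw = try_decode(token)
        findings.append({
            "token": token,
            "entropy": round(entropy, 2),
            "offset": match.start(),
            "decodes": raw is not None,
            # Replacement characters in the preview mark bytes that are not
            # UTF-8, itself a hint that the payload is compressed or encrypted.
            "preview": raw.decode("utf-8", errors="replace") if raw else None,
        })
    return findings


if __name__ == "__main__":
    for f in find_high_entropy_base64(SAMPLE_SOURCE):
        print(f"offset={f['offset']} entropy={f['entropy']} decodes={f['decodes']}")
        print("  preview:", f["preview"])
```

The decoded preview is what makes the finding auditable: a decoded value that is readable text (a script, a URL, a JSON blob) can be judged directly, while a value that decodes to non-UTF-8 bytes of high entropy is either binary data or an encrypted or compressed payload, and deserves the same scrutiny as a suspected secret.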

Mitigation / Fix

  1. Audit the finding to make sure that the string has intended usages.

  2. If needed, remove the string from the source code or committed configuration file.

  3. If the code is in a git repository, remove the unwanted content from the repository history with a tool such as git filter-repo or BFG Repo-Cleaner; GitHub's documentation describes the procedure for repositories it hosts. Rewriting history does not undo the exposure: anyone who cloned or fetched the repository before the rewrite still has the string, so step 4 still applies.

  4. If the string corresponds to a secret, follow your policy for handling leaked secrets, which typically requires revoking the secret in the target system(s) and issuing a replacement. Check access logs to ensure that the secret was not used by unintended actors during the period it was exposed.

  5. If the string corresponds to malicious code, follow your policy for security incident handling, including patching and disclosure: analyze the issue, contain it, eradicate it and recover, assess the damage and severity, and report the incident following appropriate disclosure practices.