hi Groupies,

This may be a little O.T., but you are all extremely knowledgeable and so
I thought you might be willing to provide some help/advice.

When looking through the html source for one of the techie sites that I
had recently visited, I came across the coding listed below.

I became suspicious/alarmed/paranoid??? I say this because it looks
like a very long string of hex code, and because the tag containing the
hex has a "hidden" attribute, it obviously isn't anything intended for
presentation to the viewer. It appears as if somebody is attempting to
download some (potentially nasty) binary code, and maybe install it on
my system (ugh!).

Could you experts take a look at this, and render an opinion, i.e., is
there anything to worry about, or is it all just commonplace innocent fun???

cheers, jw

--- <quote> ---
<input name="__VIEWSTATE" type="hidden"
value="..."
>
--- <end quote> ---

Re: Suspicious/Alarmed/Paranoid??? Kindly assess this... by Bob

Bob
Tue Jan 03 11:22:38 CST 2006

mr_unreliable wrote:
> hi Groupies,
>
> This may be a little O.T., but you are all extremely knowledgeable and
> so I thought you might be willing to provide some help/advice.
>
> When looking through the html source for one of the techie sites that
> I had recently visited, I came across the coding listed below.
>
> I became suspicious/alarmed/paranoid??? I say this because it looks
> like a very long string of hex code, and because the tag containing
> the hex has a "hidden" attribute, it obviously isn't anything intended for
> presentation to the viewer. It appears as if somebody is attempting
> to download some (potentially nasty) binary code, and maybe install it on
> my system (ugh!).
>
> Could you experts take a look at this, and render an opinion, i.e., is
> there anything to worry about, or is it all just commonplace innocent
> fun???
> cheers, jw
>
> --- <quote> ---
> <input name="__VIEWSTATE" type="hidden"

Nope. This is the hidden form field used by ASP.Net to persist state between
postbacks. It's neither more nor less dangerous than cookies.

There is nothing executable in there: it's simply encoded and compressed
name/value pairs.

--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"



Re: Suspicious/Alarmed/Paranoid??? Kindly assess this... by Brian

Brian
Tue Jan 03 12:30:36 CST 2006

Welcome to dotNET<g> and I think that "somebody" is Microsoft.

Brian


Re: Suspicious/Alarmed/Paranoid??? Kindly assess this... by mayayana

mayayana
Tue Jan 03 13:10:55 CST 2006

It is a bit creepy to see that kind of thing.
I don't see why it's necessary to obscure it.
I actually keep a translator script on my desktop
for that kind of thing. Sometimes commercial
websites use base64 to obscure URLs:

Dim ANums   ' Base64 alphabet as ASCII codes; built on first call, kept at script level

Public Function DecodeBase64(Str64)
    Dim B1(), B2()
    Dim i1, i2, LLen, UNum, s2
    Dim A255(255)
    On Error Resume Next
    If Not IsArray(ANums) Then
        ANums = Array(65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, _
            79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 97, 98, 99, 100, 101, 102, _
            103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 116, 117, _
            118, 119, 120, 121, 122, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 43, 47)
    End If

    ' Reverse lookup: ASCII code -> 6-bit value. 64 marks "not a Base64 character".
    For i1 = 0 To 255
        A255(i1) = 64
    Next
    For i1 = 0 To 63
        A255(ANums(i1)) = i1
    Next
    s2 = Replace(Str64, vbCrLf, "")
    LLen = Len(s2)
    ReDim B1(LLen - 1)
    For i1 = 1 To LLen
        B1(i1 - 1) = Asc(Mid(s2, i1, 1))
    Next

    '--B1 is now the input string as an array of character codes.
    ' Every 4 Base64 characters (4 x 6 bits) become 3 output bytes.
    ReDim B2((LLen \ 4) * 3 - 1)
    i2 = 0
    For i1 = 0 To UBound(B1) Step 4
        B2(i2) = (A255(B1(i1)) * 4) Or (A255(B1(i1 + 1)) \ 16)
        i2 = i2 + 1
        B2(i2) = (A255(B1(i1 + 1)) And 15) * 16 Or (A255(B1(i1 + 2)) \ 4)
        i2 = i2 + 1
        B2(i2) = (A255(B1(i1 + 2)) And 3) * 64 Or A255(B1(i1 + 3))
        i2 = i2 + 1
    Next
    ' Trailing "=" padding (ASCII 61) means the last group carried fewer bytes.
    If B1(LLen - 2) = 61 Then
        i2 = 2
    ElseIf B1(LLen - 1) = 61 Then
        i2 = 1
    Else
        i2 = 0
    End If
    UNum = UBound(B2) - i2
    ReDim Preserve B2(UNum)
    For i1 = 0 To UBound(B2)
        B2(i1) = Chr(B2(i1))
    Next
    DecodeBase64 = Join(B2, "")
End Function





Re: Suspicious/Alarmed/Paranoid??? Kindly assess this... by Bob

Bob
Tue Jan 03 13:15:57 CST 2006

mayayana wrote:
> It is a bit creepy to see that kind of thing.
> I don't see why it's necessary to obscure it.

It's not only encoded, it's also compressed to reduce the size of the page
sent to the browser.
--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"



Re: Suspicious/Alarmed/Paranoid??? Kindly assess this... by mr_unreliable

mr_unreliable
Tue Jan 03 13:36:21 CST 2006

It was impressive of you to recognize that as "base64",
and provide a function to decode it.

After using your route to decode that string, it did
appear to be a little more innocent.

But then, not necessarily. After looking up "base64"
it appears that it could be used to download ANYTHING,
onto your system --including malicious and/or binary
code.

cheers, jw

mayayana wrote:
> It is a bit creepy to see that kind of thing.
> I don't see why it's necessary to obscure it.
> I actually keep a translator script on my desktop
> for that kind of thing. Sometimes commercial
> websites use base64 to obscure URLs:

Re: Suspicious/Alarmed/Paranoid??? Kindly assess this... by mayayana

mayayana
Tue Jan 03 17:23:19 CST 2006

>
> It's not only encoded, it's also compressed to reduce the size of the page
> sent to the browser.
> --
Interesting. You mean it's compressed *after*
conversion? It seems odd that base64 would come
into it at all in that case, since it adds 33% to the bulk.



Re: Suspicious/Alarmed/Paranoid??? Kindly assess this... by mayayana

mayayana
Tue Jan 03 17:28:07 CST 2006



> But then, not necessarily. After looking up "base64"
> it appears that it could be used to download ANYTHING,
> onto your system --including malicious and/or binary
> code.

Yes. That's how email works. If you open an email
with a GIF attachment, say, as text, then copy and paste
the Base64 into Notepad, and process it with that
function, you'll get your GIF back. I suppose it could
be risky but it makes a handy way to move around
binary data. When used in things like referrer strings
and internal webpage code, though, I can't see it
as anything but secretiveness.




Re: Suspicious/Alarmed/Paranoid??? Kindly assess this... by mayayana

mayayana
Tue Jan 03 21:01:12 CST 2006

I came across some interesting links. It's called
"ViewState" and appears to be a sort of cookie
that provides for saving data about the state of a
webpage client-side, within the page, allowing
ASP.NET to retrieve all changeable settings on
controls in the page the next time it's loaded.

The encoding seems to be intended to protect
the integrity of the content from being hacked
en route. I guess it's so that you can't change a
button's text from "Submit" to "Click Here to Receive 1
Million Dollars".....and then click the button and sue
the website .....But perhaps there are more
devious possibilities.

Links here:

http://pluralsight.com/blogs/fritz/archive/2004/06/03/408.aspx
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnaspnet/html/asp11222001.asp
http://msdn.microsoft.com/msdnmag/issues/03/02/CuttingEdge/


It's hard to see how Base64 encoding, by itself,
could be any real risk to the client, anyway. It would
just be deciphered by the browser and added to
the page - subject to the same security restraints
as all other webpage content.

And right now it's far more risky to simply view
an image in Internet Explorer:
http://isc.sans.org/diary.php
--
mayayanaXX1a@mindXXspring.com
(Remove Xs for return email.)
mr_unreliable <kindlyReplyToNewsgroup@notmail.com> wrote in message
news:Oc3ighIEGHA.3200@tk2msftngp13.phx.gbl...
> hi Groupies,
>
> This may be a little O.T., but you are all extremely knowledgeable and so
> I thought you might be willing to provide some help/advice.
>
> When looking through the html source for one of the techie sites that I
> had recently visited, I came across the coding listed below.
>
> I became suspicious/alarmed/paranoid??? I say this because it looks
> like a very long string of hex code, and because the tag containing the
> hex has a "hidden" attribute, it obviously isn't anything intended for
> presentation to the viewer. It appears as if somebody is attempting to
> download some (potentially nasty) binary code, and maybe install it on
> my system (ugh!).
>
> Could you experts take a look at this, and render an opinion, i.e., is
> there anything to worry about, or is it all just commonplace innocent
> fun???
>
> cheers, jw
>
> --- <quote> ---
> <input name="__VIEWSTATE" type="hidden"
>
value="dDwxNzkyMDYyNjQzO3Q8O2w8aTwxPjtpPDU+Oz47bDx0PHA8bDxUZXh0Oz47bDxLb2Rlc...
Oz47Oz47Pj47dDxAPFNvdXJjZUZvcmdlO2N2czs+Ozs+Oz4+Oz4+O3Q8O2w8aTwwPjs+O2w8dDw7
bDxpPDE+O2k8Mz47aTw1Pjs+O2w8dDxwPHA8bDxOYXZpZ2F0ZVVybDs+O2w8L2luZm8uYXNweD9j
PVByb2plY3RJbmZvJnBpZD1FM1EyNlpNTFkyMlZHRVo4RFVNVFJQVzEyRzs+Pjs+O2w8aTwwPjs+
O2w8dDxwPHA8bDxJbWFnZVVybDs+O2w8L2ltYWdlcy9mb2xkZXIuZ2lmOz4+Oz47Oz47Pj47dDxw
PHA8bDxUZXh0Oz47bDwuLi5lXFx2XFx2aW1cXHZpbVxcdmltXFxzcmNcXFZpc1ZpbVxcOz4+Oz47
Oz47dDxwPGw8XyFJdGVtQ291bnQ7PjtsPGk8MTI+Oz4+Ozs+Oz4+Oz4+O3Q8cDxsPFZpc2libGU7
PjtsPG88Zj47Pj47Oz47Pj47Pj47Pj47bDxLb2Rldmlld2VyMTpEb3dubG9hZEJ1dHRvbjs+PkNA
J8asnjVYJzEP0MdCQwakAp4u"
> >
> --- <end quote> ---



Re: Suspicious/Alarmed/Paranoid??? Kindly assess this... by Bob

Bob
Wed Jan 04 06:08:12 CST 2006

mayayana wrote:
>> It's not only encoded, it's also compressed to reduce the size of
>> the page sent to the browser.
>> --
> Interesting. You mean it's compressed *after*
> conversion? It seems odd that base64 would come
> into it at all in that case, since it adds 33% to the bulk.

Oops - I'm still a dotnet newbie, so I have to go back to the documentation
to answer this. Let's see ...

"The __VIEWSTATE field, on the other hand, is encoded using a complex hash
scheme and is unreadable to humans. Only allowed applications will be able
to decrypt the __VIEWSTATE field and extract values from its contents."

hmm, I guess my memory is playing tricks on me. Nowhere does the .Net 1.1
documentation mention compressing the data. I think I remember seeing
something about viewstate compression in 2.0, but I don't have time to look
for it now. Maybe later.

Bob Barrows

--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"



Re: Suspicious/Alarmed/Paranoid??? Kindly assess this... by mayayana

mayayana
Wed Jan 04 08:32:34 CST 2006

It looks like you were right about it being
altered beyond just Base64, though. The
Base64 decoding is readable, except for the
end marker, but it also appears that much of the
decoded text is symbolic.
For instance, "l<i<0>" seems to be a statement
that says 3 things in some kind of shorthand.

> >> It's not only encoded, it's also compressed to reduce the size of
> >> the page sent to the browser.
> >> --
> > Interesting. You mean it's compressed *after*
> > conversion? It seems odd that base64 would come
> > into it at all in that case, since it adds 33% to the bulk.
>
> Oops - I'm still a dotnet newbie, so I have to go back to the documentation
> to answer this. Let's see ...
>
> "The __VIEWSTATE field, on the other hand, is encoded using a complex hash
> scheme and is unreadable to humans. Only allowed applications will be able
> to decrypt the __VIEWSTATE field and extract values from its contents."
>
> hmm, I guess my memory is playing tricks on me. Nowhere does the .Net 1.1
> documentation mention compressing the data. I think I remember seeing
> something about viewstate compression in 2.0, but I don't have time to look
> for it now. Maybe later.
>
> Bob Barrows
>
> --
> Microsoft MVP - ASP/ASP.NET
> Please reply to the newsgroup. This email account is my spam trap so I
> don't check it very often. If you must reply off-line, then remove the
> "NO SPAM"
>
>
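Editor's note, added to the thread: Bob's answer (encoded name/value pairs, nothing executable) and mayayana's later observations (readable shorthand such as "l<i<0>", an unreadable "end marker") describe the same thing. In ASP.NET 1.x, __VIEWSTATE is Base64 over the LosFormatter text format, a nested shorthand of Triplets "t<a;b;c>", Pairs "p<a;b>", lists "l<x;y;>", string arrays "@<x;y;>", Int32 "i<n>" and Boolean "o<t>"/"o<f>", with the delimiters escaped by a backslash; when view-state MAC is enabled, the server appends a keyed hash (20 bytes for SHA1) after the text, which is the binary tail at the end of the posted value. The Python below is an added example, not code from any poster: it Base64-decodes a value, parses the text into a tree, lists the readable strings, and splits off the trailer. The sample value is constructed in the same shape as the posted one (page hash, control state, postback-control list) with a placeholder trailer; it is not the thread's string. It assumes the 1.x text format only; ASP.NET 2.0 switched to a binary ObjectStateFormatter, so values from those pages will not parse here.

```python
"""Decode an ASP.NET 1.x __VIEWSTATE value and show what is inside.

Added example for this thread, not code from any poster. Assumes the ASP.NET 1.x
LosFormatter text format: t<a;b;c> Triplet, p<a;b> Pair, l<x;y;> ArrayList,
@<x;y;> string array, i<n> Int32, o<t>/o<f> Boolean, bare text = String, with
';' '<' '>' and '\\' escaped by a backslash. With view-state MAC enabled the
server appends a keyed hash (20 bytes for SHA1) after the serialized text.
"""
import base64
from typing import Any, List, Tuple

MAC_LEN = 20  # SHA1 HMAC trailer length in ASP.NET 1.x (assumption stated above)

# Constructed sample in the same shape as the posted value (page hash, control
# state, postback-control list); it is NOT the string from the thread.
SAMPLE_TEXT = (
    "t<1792062643;"                                   # page hash code
    "t<;l<i<1>;i<3>;i<5>;>;l<"                        # child indices with state, then the state
    "t<p<l<Text;Items;>;l<Kodeviewer;@<SourceForge;cvs;>;>>;;>;"  # child 1
    r"t<p<l<Text;>;l<src\\VisVim\\;>>;;>;"            # child 3: escaped backslashes
    "t<p<l<Visible;NavigateUrl;>;l<o<f>;/info.aspx?c=ProjectInfo;>>;;>;"  # child 5
    ">>;"
    "l<Kodeviewer1:DownloadButton;>>"                 # controls requiring postback
)
FAKE_MAC = bytes(range(0xC0, 0xC0 + MAC_LEN))  # placeholder trailer, not a real HMAC
SAMPLE_VIEWSTATE = base64.b64encode(SAMPLE_TEXT.encode("latin-1") + FAKE_MAC).decode("ascii")


class LosParser:
    """Recursive-descent reader for the LOS text format described above."""

    def __init__(self, text: str) -> None:
        self.s, self.i = text, 0

    def peek(self) -> str:
        return self.s[self.i] if self.i < len(self.s) else ""

    def parse(self) -> Any:
        """Parse one value: a bare string, or a type letter followed by <...>."""
        buf: List[str] = []
        while self.i < len(self.s):
            c = self.s[self.i]
            if c == "\\" and self.i + 1 < len(self.s):   # escaped delimiter
                buf.append(self.s[self.i + 1])
                self.i += 2
                continue
            if c in "<;>":
                break
            buf.append(c)
            self.i += 1
        token = "".join(buf)
        if self.peek() == "<":
            self.i += 1
            return self._container(token)
        return token if token else None                # empty slot -> None

    def _container(self, kind: str) -> Any:
        items: List[Any] = []
        trailing_sep = False
        while self.peek() != ">":
            if not self.peek():
                raise ValueError("unterminated %r container" % kind)
            items.append(self.parse())
            trailing_sep = self.peek() == ";"
            if trailing_sep:
                self.i += 1
        self.i += 1                                    # consume '>'
        if kind in ("t", "p") and trailing_sep:        # t<a;;>: separator before '>' is an empty slot
            items.append(None)
        if kind == "i":
            return int(items[0])
        if kind == "o":
            return items[0] == "t"
        names = {"t": "Triplet", "p": "Pair", "l": "List", "@": "StringArray"}
        if kind not in names:
            raise ValueError("unknown LOS type code %r" % kind)
        return (names[kind], items)


def decode_viewstate(b64: str) -> Tuple[Any, bytes]:
    """Return (parsed tree, bytes after the serialized text). latin-1 keeps a 1:1
    byte/char mapping, so the parser position is also the byte offset of the trailer."""
    raw = base64.b64decode(b64)
    parser = LosParser(raw.decode("latin-1"))
    tree = parser.parse()
    return tree, raw[parser.i:]


def string_leaves(node: Any) -> List[str]:
    """Collect every plain string in the tree: property names, control ids, URLs."""
    if isinstance(node, tuple) and len(node) == 2 and isinstance(node[1], list):
        return [s for item in node[1] for s in string_leaves(item)]
    return [node] if isinstance(node, str) else []


def dump(node: Any, indent: int = 0) -> str:
    """Indented one-line-per-value rendering of the tree."""
    pad = "  " * indent
    if isinstance(node, tuple) and len(node) == 2 and isinstance(node[1], list):
        return "\n".join([pad + node[0]] + [dump(item, indent + 1) for item in node[1]])
    return pad + repr(node)


if __name__ == "__main__":
    tree, trailer = decode_viewstate(SAMPLE_VIEWSTATE)
    print(dump(tree))
    print("readable strings:", string_leaves(tree))
    print("bytes after the serialized text:", len(trailer), "(the MAC when view-state MAC is on)")
```

Two points a defender takes from the output: everything the page stores in ViewState is readable by anyone holding the HTML, so it is the wrong place for anything secret, and the trailer does not change that; what the trailer does is let the server reject a value that was altered on the way back, which is why view-state MAC is the setting worth keeping enabled.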