Note on Base64 Encoding

Some APIs base64-encode the authentication payloads sent in an API request. There are many reasons to do this, but it's important to know that security is not one of them: base64 is a reversible encoding, not encryption, so you can easily bypass this minor inconvenience. If you test an authentication attempt and notice that an API is encoding to base64, it is likely comparing the value against base64-encoded credentials on the backend. This means you should adjust your fuzzing attacks to include base64-encoded payloads; Burp Suite Intruder can both encode and decode base64 values.

You can decode a value by highlighting the payload, right-clicking, and selecting Base64-decode (or using the shortcut CTRL-SHIFT-B). This reveals the plaintext payload so that you can see how it is formatted (for example, `username:password`).
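The following Python snippet is an added example (not code from the original page or from Burp Suite) that makes the point above concrete: it builds an HTTP Basic `Authorization` value from constructed sample credentials, decodes it back with no secret, and shows that a backend comparing base64 strings is equivalent to comparing the plaintext. The `looks_like_base64` heuristic is an assumption of this example, intended for eyeballing request fields, not a Burp feature.

```python
import base64
import binascii
import re

# Constructed sample credentials for the demonstration; not from any real system.
SAMPLE_USER = "admin"
SAMPLE_PASS = "admin"


def basic_auth_header(username: str, password: str) -> str:
    """Build an HTTP Basic Authorization value: base64('username:password')."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic_auth(header_value: str) -> tuple[str, str]:
    """Reverse the header. Base64 is an encoding, so no key is needed to undo it."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic authentication header")
    decoded = base64.b64decode(token, validate=True).decode("utf-8")
    username, _, password = decoded.partition(":")
    return username, password


# Standard base64 alphabet with up to two padding characters.
_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def looks_like_base64(value: str) -> bool:
    """Heuristic (assumption of this example): valid alphabet, length a multiple
    of 4, and canonical round-trip. Useful for spotting encoded fields in a request."""
    if len(value) % 4 != 0 or not _B64_RE.match(value):
        return False
    try:
        decoded = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return base64.b64encode(decoded).decode("ascii") == value


def compare_as_backend_would(stored_b64: str, submitted_plain: str) -> bool:
    """Model a backend that stores the credential as base64 and compares the
    encoded form. Because base64 is a bijection, this is exactly a plaintext
    comparison: the encoding adds no protection."""
    submitted_b64 = base64.b64encode(submitted_plain.encode("utf-8")).decode("ascii")
    return submitted_b64 == stored_b64


if __name__ == "__main__":
    header = basic_auth_header(SAMPLE_USER, SAMPLE_PASS)
    print("Encoded header:", header)
    print("Decoded back to:", decode_basic_auth(header))
    print("Field looks base64-encoded:", looks_like_base64(header.split(" ", 1)[1]))
    print("Backend comparison matches plaintext check:",
          compare_as_backend_would("YWRtaW4=", "admin"))
```

Running the script prints the encoded header, the recovered `('admin', 'admin')` tuple, and `True` for both checks, which is the whole argument: anyone holding the request can recover the credential, and the backend's base64 comparison behaves identically to a plaintext comparison.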

To perform, say, a password-spraying attack using base64 encoding, begin by selecting the attack positions. In this case, we'll select the base64-encoded password from the request. Next, add the payload set; we'll use the passwords listed in the previous section. Now, in order to encode each password before it is sent in a request, we must use a payload-processing rule. Under the Payloads tab is an option to add such a rule. Select Add > Encode > Base64-encode and then click OK.

Your payload-processing window should look like this.

Once your payload-processing rule is in place, you can perform the attack as normal. When reviewing anomalous results, decode the payload with CTRL-SHIFT-B, or highlight it, right-click, and use the Convert selection option.
