Base64 Encoded user/pass not working with auth

edited May 2020 in SecuritySpy
I must be doing something wrong, but I can't figure out why it's not working. Issuing commands via curl with the user/pass before the IP works ok, but if I convert the credentials to base64 and use auth, it gives an unauthorised error. The test user/pass has full admin rights.

$ /usr/bin/curl 'http://test:t3st1nG@192.168.1.10:8000/++setSchedule?cameraNum=5&mode=M&id=0'
OK

$ echo 'test:t3st1nG' | base64
dGVzdDp0M3N0MW5HCg==

$ echo 'dGVzdDp0M3N0MW5HCg==' | base64 --decode
test:t3st1nG

$ /usr/bin/curl 'http://192.168.1.10:8000/++setSchedule?cameraNum=5&mode=M&id=1&auth=dGVzdDp0M3N0MW5HCg=='
401 Unauthorized

I've tested this on the latest b17 version of SecuritySpy.

Thanks,
Paul.

Comments

  • Hi Paul,

    There is a flaw in that method you are using to generate the Base64 value, which is that it includes the return character after the string you are trying to encode. So the password comes out with a return character at the end of it, which causes it to fail.

    Instead, use this free online Base64 encoder. You will see that the string "test:t3st1nG" actually encodes to "dGVzdDp0M3N0MW5H".
  • edited May 2020
    ahhhh, thank you, I knew it was me. :)

    I was trying to avoid submitting my credentials to an unknown online service, but having just looked at the site's privacy policy, I feel more confident using it.

    "All communications with our servers are made through secure SSL encrypted connections (https). Uploaded files are deleted from our servers immediately after being processed, and the resulting downloadable file is deleted right after the first download attempt, or 15 minutes of inactivity. We do not keep or inspect the contents of the entered data or uploaded files in any way. Read our privacy policy below for more details."
  • Just in case anyone else finds this useful, I found an alternative method to encode the credentials:

    openssl base64 [press enter]
    test:t3st1nG [press ctrl+d three times]

    This results in the following:

    $ openssl base64
    test:t3st1nGdGVzdDp0M3N0MW5H

    Just separate the base64 text from the line above.
    dGVzdDp0M3N0MW5H
  • BenBen
    edited May 2020
    I understand the reluctance to send sensitive information like passwords to these kinds of web services (even though this particular one does seem to take privacy seriously) - thanks for posting an alternative local solution. There are also a few apps on the macOS App Store that do Base64 encoding, so this could be another option.
  • Another method to generate a base64 user:password locally

    echo -n 'test:t3st1nG' | base64

    The -n flag ensures no hidden characters are added.

    returns "dGVzdDp0M3N0MW5H"

    Above works for me using zsh shell.

  • @knowz - this is great, thanks for posting!

  • Follow Up - All of this is relatively very new to me. Terminal, shell bash scripting. So take with a grain of salt.

    echo -n 'test:t3st1nG' | base64 returns "dGVzdDp0M3N0MW5H"

    In addition to the above (using the "-n" flag to not print the trailing newline character)

    echo man also suggests these options to eliminate the newline character in the result

    echo 'test:t3st1nG\c' | base64  < note the ( \c ) added to your ( user:password ) string

    printf 'test:t3st1nG' | base64  < encouraged as it is apparently the most portable

    Each of the 2 commands above also returns "dGVzdDp0M3N0MW5H".

    see man echo and man printf combined with some web browsing for more info
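
The trailing-newline problem discussed in this thread, as an added example that is not part of any post above: a shell sketch that encodes the credentials locally without a newline and checks an existing auth token for an encoded line ending. The function names are hypothetical; the two tokens in the demo are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Encode "user:password" for the auth= parameter with no trailing newline.
encode_auth() {
    # printf '%s:%s' emits exactly the bytes given (a % in the password is
    # treated as data); tr strips any line wrapping base64 adds to its output.
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Print the last decoded byte of a token as two hex digits.
# $(...) would strip a trailing newline, so inspect the raw bytes with od.
last_decoded_byte() {
    printf '%s' "$1" | base64 --decode | tail -c 1 | od -An -tx1 | tr -d ' \n'
}

# Return 0 if the token decodes cleanly, 1 if a line ending (LF or CR)
# was encoded along with the credentials.
check_auth_token() {
    case "$(last_decoded_byte "$1")" in
        0a|0d)
            echo "token decodes to credentials ending in a line ending"
            return 1
            ;;
        *)
            return 0
            ;;
    esac
}

# Demo with the two tokens quoted in the thread.
for tok in 'dGVzdDp0M3N0MW5HCg==' 'dGVzdDp0M3N0MW5H'; do
    if check_auth_token "$tok" >/dev/null; then
        echo "$tok: clean"
    else
        echo "$tok: newline was encoded with the password"
    fi
done
```

Running the check before pasting a token into a script catches the case from the original question, where the token decodes to what looks like the right text on screen but carries an extra byte.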
