How to decode a file from base64 encoding with JavaScript
Andrew Henderson 
My company has a very strict intranet for work related, the net has a single doorway to allow files in and out. The doorway's security does not allow special kinds of files (*.txt, *.doc etc only), and even in those specific kinds of files, it searches for patterns that approve that the file is really that kind. (You can't simply disguise a *.zip file as a *.doc file.)
As a security project, I was told to find a way to bypass this system, and insert a single C language .exe file that says 'Hello World'.
What I thought was to change the extension to .txt, and base64 encode it so that it would be more acceptable for the system. The problem is, how to decode it once it's in. It's very easy on the outside, PHP or any other decent language can do it for me. However, in there, the only real language I have access to is JavaScript (on IE6 and maybe, MAYBE, on IE8).
So the question is as follows, can I use JavaScript to read a file from the file system, decode it, and write it back? or at least display the result for me?
Note that I don't ask for decoding/encoding a message, this one is easy, I look to decode encode a file.
Thanks.
45 Answers
JSON might be the answer you are looking for. It can actually do the trick.
Encode your txt file in JSON format. It is very likely for it to pass your company's doorway security
var myJsonData = { "text" : "SGVsbG8sIHdvcmxkIQ==" }; // <-- base64 for "Hello, world!"Import your txt file using plain html script syntax
<script src="hello.txt" type="text/javascript"> </script>That's it! Now you can access a JSON object using the Syntax:
alert(myJsonData.text);To complete your job, get this simple Javascript base64 decoder.
You're done. Here's the (very simple) code I've used:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <meta http-equiv="content-type" content="text/html; charset=windows-1250"> <meta name="generator" content="PSPad editor, "> <title></title> <script src="base64utils.js" type="text/javascript"> </script> <script src="hello.txt" type="text/javascript"> </script> <script type="text/javascript"> function helloFunction() { document.getElementById("hello").innerHTML = decode64(myJsonData.text); } </script> </head> <body onload="helloFunction();"> <p></p> </body> </html>
Using only javascript (i.e. no plugins like AIR etc), browsers don't allow access to the file system. Not only is it not possible to write a file to the disk, it's not possible to even read it - browsers are very strict on that sort of thing, thank goodness.
6You cannot do this with straight JS in the browser, security context and the DOM do not allow filesystem access.
You cannot do this with current versions of flash, older versions (pre 7 IIRC) had some security flaws that allowed filesystem access.
You could do this with a custom plugin, and possibly a signed Java applet, or COM (ActiveX component, IE only).
I would suggest working with IT regarding your intranet to open up the context/permissions needed in this case as that may be the shortest path to what you are wanting here. Alternative, you could create a command-line utility to easily encrypt/decrypt given files signed by a common key.
1It all depends on how you can get the file in. If you have the base-64 encoded exe as a .txt, you could easily use Flash! I'm not quite sure how you would implement this, but you can load a file into flash and as3 using flex.
<?xml version="1.0" encoding="utf-8"?>
<mx:Application xmlns:mx="" layout="absolute"> <mx:Script> <![CDATA[ import flash.net.FileReference; import flash.net.FileFilter; import flash.events.IOErrorEvent; import flash.events.Event; import flash.utils.ByteArray; //FileReference Class well will use to load data private var fr:FileReference; //File types which we want the user to open private static const FILE_TYPES:Array = [new FileFilter("Text File", "*.txt;*.text")]; //called when the user clicks the load file button private function onLoadFileClick():void { //create the FileReference instance fr = new FileReference(); //listen for when they select a file fr.addEventListener(Event.SELECT, onFileSelect); //listen for when then cancel out of the browse dialog fr.addEventListener(Event.CANCEL,onCancel); //open a native browse dialog that filters for text files fr.browse(FILE_TYPES); } /************ Browse Event Handlers **************/ //called when the user selects a file from the browse dialog private function onFileSelect(e:Event):void { //listen for when the file has loaded fr.addEventListener(Event.COMPLETE, onLoadComplete); //listen for any errors reading the file fr.addEventListener(IOErrorEvent.IO_ERROR, onLoadError); //load the content of the file fr.load(); } //called when the user cancels out of the browser dialog private function onCancel(e:Event):void { trace("File Browse Canceled"); fr = null; } /************ Select Event Handlers **************/ //called when the file has completed loading private function onLoadComplete(e:Event):void { //get the data from the file as a ByteArray var data:ByteArray = fr.data; //read the bytes of the file as a string and put it in the //textarea outputField.text = data.readUTFBytes(data.bytesAvailable); //clean up the FileReference instance fr = null; } //called if an error occurs while loading the file contents private function onLoadError(e:IOErrorEvent):void { trace("Error loading file : " + e.text); } ]]> </mx:Script> <mx:Button label="Load Text File" right="10" bottom="10" click="onLoadFileClick()"/> <mx:TextArea right="10" left="10" top="10" bottom="40"/>
</mx:Application>To decode it, look into
If the security system scans for patterns in files, it is very unlikely that it will overlook a base64-encoded file or base64-encoded contents in files. E-mail attachments are base64-encoded, and if the system is any good it will scan for potentially harmful e-mail attachments even if they are named .txt. The base64-encoded start of an EXE file is almost certainly recognized by it. So ISTM you are asking the wrong question.
1
