2013-10-09 by Daniel B. Cid
A common keyword that people use to find hidden injections on web sites is "base64_decode". You
often see injections that look like "eval ( base64_decode" or eval ( gzinflate ( base64_decode" being
used by the attackers.
So most web security tools have some signatures to look for it (specially on WordPress).
Well, the attackers do know about it as well and we are starting to see some interesting variations for it. For
example, instead of injecting base64_decode, they are injecting as a variable:
And instead of calling out base64_decode directly, they are using base + 32*2 + decode. A simple trick that allows
then to bypass many security filters.