I'm working on a case where an OWA URL appears to be responsible for downloading a file of interest onto the subject computer. Many people have access to the computer, so the User Profile name cannot be used. In testing, I've noticed some similarities among the OWA attachment URLs and was hoping the URL could be easily decoded. So far my research has turned up very little. I'm trying to determine whether the OWA attachment URL can be decoded to determine which email account it came from. I've provided an OWA attachment URL example below for discussion.
PART1 - (h)ttps//
PART2 - Dznw6Ms%2bgmTrt2mwwDkr3nBwB3YijXkAfMSaJB%2fd%2f3H2K7AAAANe9qAAB3YijXkAfMSaJB%2fd%2f3H2K7AAAiNOhPAAAJ&attid0=
PART3 - BAAAAAAA&attcnt=1
Observation #01 Part 1 is the same for ALL URLs that I've looked at to attachments in OWA email environments (with the exception of the domain name, of course).
Observation #02 Part 2 is the same string for ALL URLs to attachments in my test email account.
Observation #03 Part 3 is different
Any feedback or sources that may lead to decoding / demystifying the OWA URL structure would be greatly appreciated.
Observation #03 Part 3 is different
Strange.
That part 3 seems like an "attachment id", and "&attid0=BAAAAAAA" seems like "common".
http//
Whoooosh (that was the sound of the following info - that may possibly be useful - passing over my head 😯 oops )
http//
but it seems like that was related to a previous format that has changed with later releases of OWA.
My guess is that "&attid0=BAAAAAAA" is only the "type" of attachment
https://
jaclaz
Thanks for the resources. I'll have to read through them when I get a chance.
I read the infinitech post and despite the fact that it's for Exchange 2007 it went over my head just the same.
Thanks again for the leads.
PART2 - Dznw6Ms%2bgmTrt2mwwDkr3nBwB3YijXkAfMSaJB%2fd%2f3H2K7AAAANe9qAAB3YijXkAfMSaJB%2fd%2f3H2K7AAAiNOhPAAAJ&attid0=
Probably just HTTP + Base64 characters. Replace all %xx with the actual character, then base64 decode. Give it a try.
Did what you suggested. Took the Part2 string and replaced all the %xx values with their char string. Tried this with and without the 'attid0=' but no luck. Maybe I'm doing it wrong?
Dznw6Ms+gmTrt2mwwDkr3nBwB3YijXkAfMSaJB/d/3H2K7AAAANe9qAAB3YijXkAfMSaJB/d/3H2K7AAAiNOhPAAAJ&attid0=
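A worked version of the decode step suggested above, added here as an example rather than anything posted in the thread: it strips the trailing query parameter, percent-decodes, restores the "=" padding the string lacks (the decoded text is 90 characters long, so two "=" are needed and a strict decoder rejects it without them), and then reports the longest byte run that occurs twice, since comparing such runs across URLs captured from different accounts is how one would test which portion, if any, is account-specific. It assumes nothing about the meaning of the bytes.

```python
import base64
import re
from urllib.parse import unquote

# Constructed from the PART2 string quoted in this thread (trailing "&attid0=" included).
PART2 = ("Dznw6Ms%2bgmTrt2mwwDkr3nBwB3YijXkAfMSaJB%2fd%2f3H2K7AAAANe9qAAB3YijXkAfMSaJB"
         "%2fd%2f3H2K7AAAiNOhPAAAJ&attid0=")

BASE64_RE = re.compile(r"^[A-Za-z0-9+/]*={0,2}$")


def decode_owa_token(token: str) -> bytes:
    """Percent-decode an OWA id token, restore base64 padding and return the raw bytes."""
    # Drop the next query parameter onward ("&attid0=..." in the thread).
    token = token.split("&", 1)[0]
    # %2b -> '+', %2f -> '/' and so on.
    token = unquote(token)
    if not BASE64_RE.match(token):
        raise ValueError("not a base64 alphabet string: %r" % token)
    # The token carries no '=' padding; a strict decoder needs it restored.
    token += "=" * (-len(token) % 4)
    return base64.b64decode(token)


def longest_repeat(data: bytes) -> tuple:
    """Return (offset_a, offset_b, length) of the longest byte run that occurs twice."""
    best = (0, 0, 0)
    n = len(data)
    for i in range(n):
        for j in range(i + 1, n):
            k = 0
            while j + k < n and data[i + k] == data[j + k]:
                k += 1
            if k > best[2]:
                best = (i, j, k)
    return best


if __name__ == "__main__":
    raw = decode_owa_token(PART2)
    print("%d bytes" % len(raw))
    for off in range(0, len(raw), 16):
        print("%04x  %s" % (off, raw[off:off + 16].hex(" ")))
    a, b, length = longest_repeat(raw)
    print("longest repeated run: %d bytes at offsets %d and %d" % (length, a, b))
```

Running it on the string from the thread gives 67 bytes, with an 18-byte run at offset 18 repeated at offset 42; whether that run (or any other part) identifies the mailbox can only be settled by decoding URLs from two different accounts and diffing.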