domingo, 31 de mayo de 2009

QR Codes Security: Cross-site Scripting

This is my new T-shirt. In this post I will explain what are QR Codes, why this technology is making some noise now and a couple examples of security issues raised by this useful technology.

Quick Response Codes (QR Codes) are two-dimensional barcodes that have been developed by a japanese corporation called Denso in 1994, a subsidiary of Toyota. In Japan, every cellular uses this codes for many services. Now there is sudden explotion of web sites providing services related to QR Codes, for example BeeTagg, with the idea of all things being tagged and tracked from the Internet.

These codes have the following abilities.

- Can be quickly processed for tagging industrial parts, car industry born.
- Axis information to correct photo orientation.
- Redundant information and Solomon-Reed error correcting codes.
- According to some sources, redundant information can be used for artistical goals (?). No interesting example besides this one, poem Walrus and the Carpenter.
- Maximum content size, 2,953 bytes.

For my experiments I used the online Google Chart API barcode generator. Also the open source Zebra Crossing Project provides and interface to this generator. They are developing a QR Code scanner for various mobile devices. Check the following example.

To decode this barcodes you can use some software from you cellphone, your desktop or any online decoder like the one provided kindly by here.

Attack Vector 1: Embedded URLs with Non-Persistent XSS

Because this barcodes many times contains URL that redirect mobile phones to webpages, URLs possibly containing JavaScript code reflected back a-là non-persistent cross-site scripting (XSS) can be found. An example extracted from OWASP follows.


Malicious JavaScript can be used to do any web operation within the victimized domain and also to send stolen information to other malicious domains.

Attack Vector 2: JavaScript code directly included inside the barcode

If you observe the online web decoder you will notice that HTML sensitive characters are not escaped, so you can insert JavaScript code inside the encoded text. The following barcode shows a popup and redirects the browser to another web page when it is decoded using's service.

The decoded text follows.

location.href = location.href.replace(/^http:\/\/\/QRCode\/QRDB_Java.php/,'');

Notice that's site is not always working because is not an industrial-sized project. These ideas were partly inspired by SQL injections on RFID chips described on paper Is Your Cat Infected with a Computer Virus?.

Final Remarks

We conclude that browser executable code can be included inside QR Codes directly or within URLs. Although the examples I present are not very dangerous is possible that more critical examples will appear in the future if QR Codes become more and more used in daily life.

Check below the remarkable video from the Pet Shop Boys's song Integral.