XSS, SQL Injection and Fuzzing Barcode Cheat Sheet
I was listening to an episode of Pauldotcom, and Mick mentioned something about attacks on systems via barcode. Because of the nature of barcodes, developers may not be expecting attacks from that vector and thus don't sanitize their inputs properly. I had previously written "XSS, Command and SQL Injection vectors: Beyond the Form", so this was right up my alley. I constructed this page that lets you make barcodes in Code 93, Code 39, Code 39ext and Code 128A, B and C. I got the PHP libraries from these folks, which seem to be free for non-profit use. If you don't give input to the form, the page just shows barcodes that can be useful for sort of "fuzzing" a system to see if the input is properly sanitized. If you have problems getting them to scan, adjust the bar size. The default tests are as follows:
Please only use on your own barcode reading system. By the way, please just ignore Clippy if you see him, he has to do with my IDS testing from before.
If you want to make your own custom barcodes type in your string in the text area below, choose your options, and hit submit.
If you just want to recode my bar codes leave the text area blank, choose your options, and hit submit.
You can also type the decimal-equivalent ASCII values as a comma-separated string, and it will ignore what is in the textarea.
Code 39 (always URL-encoded or double-encoded, since Code 39 cannot represent the needed characters otherwise)
Code 39 Extended
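The Code 39 note above is the crux: plain Code 39 carries only digits, uppercase letters and a handful of symbols, so anything else has to be percent-encoded, and a back end that URL-decodes scanned input will reconstitute the original characters. The following is an added example, not code from this page or from the barcode libraries it uses; it checks whether a string is Code 39-encodable, percent-encodes it when it is not, and shows the receiving-side allow-list check a scanner input handler should perform (the label format regex is an assumption).

```python
import re
from urllib.parse import quote, unquote

# Standard Code 39 symbology: 43 data characters ('*' is only the start/stop sentinel).
CODE39_CHARSET = set("0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ-. $/+%")


def code39_encodable(text: str) -> bool:
    """True if every character can be carried by plain (non-extended) Code 39."""
    return all(ch in CODE39_CHARSET for ch in text)


def url_encode_for_code39(text: str) -> str:
    """Percent-encode every character Code 39 cannot carry.

    '%' itself is also encoded, so a decoder that URL-decodes the scan cannot
    misread a literal percent sign.  The result uses only '%', digits and A-F,
    all of which are in the Code 39 charset.
    """
    pieces = []
    for ch in text:
        if ch in CODE39_CHARSET and ch != "%":
            pieces.append(ch)
        else:
            pieces.append(quote(ch, safe=""))  # e.g. "'" -> "%27", "=" -> "%3D"
    return "".join(pieces)


# Defender side.  Assumed label format for this example: an uppercase
# alphanumeric code of 2..32 characters that may contain hyphens.
EXPECTED_LABEL = re.compile(r"^[A-Z0-9][A-Z0-9-]{1,31}$")


def accept_scanned(raw: str):
    """Decode a scanned payload the way a URL-decoding back end would, then
    validate against an allow-list before it reaches any query or template.

    Returns (accepted, decoded_value).  Note the decision is made on the
    decoded value: checking the raw scan would miss what the decoder
    reconstitutes.
    """
    decoded = unquote(raw)
    return (EXPECTED_LABEL.fullmatch(decoded) is not None, decoded)
```

A scanner is just another untrusted input channel: the decoded value, not the fact that it came from a barcode, decides whether it is safe to use.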
QR-Code 2d Barcodes provided by Kaywa
I got some help from these sites:
Also, check out FX's video:
Copyright 2013, IronGeek