INSIGHTS | May 24, 2012

QR Fuzzing Fun

QR codes [1] have become quite popular due to their fast readability and large storage capacity to send information. It is very easy to find QR codes anywhere these days with encoded information such as a URL, phone number, vCard information, etc. There exist tons of apps on smartphones that are able to read / scan QR codes.

The table below shows some of the most common apps and libraries for the major mobile platforms – keep in mind that there are many more apps than listed here.
Popular QR Apps / Libraries
·       Google Goggles
·       ZXing
·       QRDroid
·       Zxing
·       Zbar
·       App World
Windows Phone
·       Bing Search App
·       ZXlib

QR codes are very interesting for attackers as they can store large quantity of information, from under 1000 up to 7000 characters, perfect for a malicious payload, and QR codes can be encrypted and used for security purposes. There are malicious QR codes that abuse permissive apps permissions to compromise system and user data. This attack is known as “attagging”. Also QR codes can be used as an attack vector for DoS, SQL Injection, Cross-Site Scripting (XSS) and information stealing attacks among others.
I have been pentesting Apps that supported QR codes lately, so I thought will be a good idea to fuzz this feature looking for bugs. I developed a tool for QR fuzzing called IOAQRF (beta phase) that is quite easy to use and modify as well in case you need to add something else.

This tool is composed of two files: a Python file that generates QR fuzz patterns and a shell script that can be used to generate common QR code content that apps use, such as phone numbers, SMS, and URLs. Previous work has been done on this field [2] [3] but more can be researched for sure! Enjoy the fuzzing!
IOAQRF directory output
Opening index.html with fuzz QR codes