Cross-Site-Scripting with Morse code

May 5, 2008 – 7:58 AM

Nowadays, who understands Di-Di-Di-Da-Da-Da-Di-Di-Dit (S.O.S., Save Our Souls)? Few people do, but your web browser just might. In his blog, security expert Nathan McFeters has reported the discovery of a cross-site scripting (XSS) vulnerability on an Italian website that allows attackers to inject malicious JavaScript encoded in Morse code in your address bar.

The website in question takes user input as Morse code and translates it into plain text using PHP script. Unfortunately, the programmers forgot to check the script’s input and output, allowing JavaScript to be included and executed on the website that displays the results of the translated Morse code.

This vulnerability demonstrates that developers of apparently harmless Web applications, that were never intended to be used as serious tools, have to be just as careful as programmers of local applications when it comes to checks of user input. In this case, simply checking the input with the PHP function html-entities() would have converted the output of the script into harmless encoded HTML. For further tips on how to secure your own web applications, see heise Security’s background article entitled Server peace – Individual security measures for PHP applications.

Read the rest of the story…

You must be logged in to post a comment.