Morse Code Rickroll 0-day... no, seriously, I mean it

Summary: In the security research world, getting Rickrolled has become a global epidemic.  If you've been to any of the recent conferences, you're sure to have been Rickrolled at least once...


In the security research world, getting Rickrolled has become a global epidemic.  If you've been to any of the recent conferences, you're sure to have been Rickrolled at least once... if you were fortunate enough to be at ToorCon Seattle, then you got Rickrolled about 300 times by Dan Kaminsky.

This is a light-hearted post, as I'm in a great mood after having just proposed to my long-time girlfriend this weekend (she said yes, thank God!), and I just couldn't help but laugh about this one.

Marcin Wielgoszewski introduced me to Jeff Williams of Aspect Security (he is also heavily involved in OWASP) who passed me an attack against a piece of code that de-morses Morse code.  Basically, Jeff crafted a Morse code version of a cross-site scripting attack that will redirect the victim to a wonderful Rickroll.  As the application de-morses the message, the decoded text is of course rendered as HTML... geez.

Enjoy, but be nice:

http://www.qbit.it/lab/demorse.php?text=%3c...+-.-.+.-.+..+.--.+-%3e-..+---+-.-.+..-+--+.+-.+-+.-.-.-+.-..+---+-.-.+.-+-+..+---+-.+-...-+.-..-.+....+-+-+.--.+---...+-..-.+-..-.+-+..+-.+-.--+..-+.-.+.-..+.-.-.-+-.-.+---+--+-..-.+...--+-.-.+...--+...--+---..+-..+.-..-.%3c-..-.+...+-.-.+.-.+..+.--.+-%3e

In case you don't speak fluent morse, that basically translates into a redirect to a tinyurl site, which again redirects you to the youtube rickroll video. 

I'd be re-missed if I didn't lurch into my consultant talk here and talk about the necessity to do proper input validation and output sanitization... oh, and while I'm at it, don't home roll your own input/output validation techniques... there's tons of good APIs out there that you can either get, or are already built into the language you are using.  In fact, Jeff Williams has been involved in putting together a great one called the Enterprise Security API (ESAPI).  Everyone seems to understand that using home-grown encryption is bad, when is everyone going to realize that using home-grown validation is bad? 

To summarize:

Rolling your own encryption is to encraption as

Rolling your own input/output validation is to _______

Answer: getting Rickrolled.
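The two halves of the bug above in one place, as an added example (mine, not the qbit.it decoder's code, which is not on the page): a small Morse decoder that passes non-Morse tokens such as `<` and `>` through unchanged (an assumption about how the linked decoder behaves, inferred from the URL sending the angle brackets literally while only the letters are Morse), next to an unsafe renderer that concatenates the decoded text straight into HTML and a safe one that HTML-escapes it for the output context first. The sample message is constructed.

```python
import html

# International Morse (ITU-R M.1677): letters, digits and the usual punctuation,
# including the '/', '=', ':' and '"' prosigns that appear in the post's URL.
MORSE_TO_CHAR = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z",
    "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
    ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
    ".-.-.-": ".", "--..--": ",", "..--..": "?", ".----.": "'", "-.-.--": "!",
    "-..-.": "/", "-.--.": "(", "-.--.-": ")", ".-...": "&", "---...": ":",
    "-.-.-.": ";", "-...-": "=", ".-.-.": "+", "-....-": "-", "..--.-": "_",
    ".-..-.": '"', "...-..-": "$", ".--.-.": "@",
}


def demorse(text: str) -> str:
    """Decode a Morse message whose letters are separated by whitespace.

    Tokens that are not Morse (for example a literal '<' or '>') are passed
    through unchanged. This is an assumption about the decoder in the post,
    made because its URL sends the angle brackets literally; the decoding
    itself is not where the vulnerability lives.
    """
    return "".join(MORSE_TO_CHAR.get(tok, tok) for tok in text.split())


def render_unsafe(decoded: str) -> str:
    """The bug: attacker-controlled decoded text concatenated into HTML."""
    return f"<p>{decoded}</p>"


def render_safe(decoded: str) -> str:
    """The fix: encode for the HTML body context before concatenating.

    html.escape() turns < > & " ' into entities, so decoded markup is shown
    as text rather than parsed by the browser. Any other output context
    (attribute, JavaScript, URL) needs its own encoder.
    """
    return f"<p>{html.escape(decoded, quote=True)}</p>"


# Constructed sample: the letters of SCRIPT, X, ( and ) in Morse, with '<',
# '>' and the '/' prosign; decodes to the tag pair that the post's URL uses.
SAMPLE = "< ... -.-. .-. .. .--. - > -..- -.--. -.--.- < -..-. ... -.-. .-. .. .--. - >"

if __name__ == "__main__":
    decoded = demorse(SAMPLE)
    print("decoded :", decoded)          # <SCRIPT>X()</SCRIPT>
    print("unsafe  :", render_unsafe(decoded))
    print("safe    :", render_safe(decoded))
```

The decoder is not the problem and needs no "input validation" for angle brackets; a Morse message legitimately has no way to express them, and blocklisting characters is exactly the home-grown validation the post warns against. The defect is in the rendering step, and the fix is a context-specific output encoder. In ESAPI the equivalent call is `ESAPI.encoder().encodeForHTML()`.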

Topic: Security


Talkback

18 comments
  • You wouldn't be "re-missed"

    You'd be remiss.

    http://dictionary.reference.com/browse/remiss



    Signed,
    Grammar Moses ;-)
    MGP2
    • Re: re-missed

      Maybe he meant that he'd been missed again? Or maybe it's the past tense of remiss?
      jimmy-42
    • +10 pts for being a douche!

      Come on grammar moses, I'm a security researcher that works part time as a blogger... I majored in computer science and mathematics and got a masters degree in CS. If you want to match intelligence, let's do it on something relevant to the blog's main drive, not on grammar slips that I'm guaranteed to make from time to time.

      -Nate
      nmcfeters
      • LOL!

        I see you typed THAT title out perfectly. ;)

        C'mon, you teach us some good security stuff, and we'll keep an eye on the stuff we know. It should be a win/win.

        And congrats on your engagement.
        ejhonda
    • "Garett Rogers: Microsoft withdrawals bid for Yahoo, Google wins"

      You better go talk to the editors of today's ZDNet Tech Update Today email, too... ;)
      ejhonda
  • Congrats!

    As Solomon wrote: He who findeth a wife findeth a good thing.

    Cheers!
    mtgarden
  • Congratulations Nate!

    nt
    D T Schmitz
  • RE: Congrats!

    Thanks guys, really appreciate it. I'm a very lucky man... she's gorgeous, and she's an electrical engineer. Plus, I get an awesome step-daughter out of the deal.

    -Nate
    nmcfeters
    • Great News for you

      I am glad to hear about others making progress on that front.
      nucrash
  • RE: Morse Code Rickroll 0-day... no, seriously, I mean it

    [humor]Sooo, how drunk was she when you proposed? :) [/humor]

    ]:)
    Linux User 147560
    • Haha

      Apparently drunk enough!
      nmcfeters
  • *sigh* Another one down...

    Have fun counting the days 'til you walk the plank...

    Seriously, congrats. Marriage is all kinds of fun.
    Real World
    • Haha

      Yeah, it's a good thing, she's a great girl.
      nmcfeters
      • Advice

        Two pieces of advice.

        1. never take relationship advice from your single friends.

        2. learn to say "my god hunny, you're absolutely right!", often and regularly.

        ;-)
        rtk
        • haha

          Great advice to live by!

          Thanks rtk!
          nmcfeters
  • RE: Morse Code Rickroll 0-day... no, seriously, I mean it

    Congrats on getting engaged. Thanks for the link on the Enterprise Security API. Best of luck. I'm taking the venture soon myself.
    neonoid16
    • Good luck to you too!

      Good luck to you too man... when it comes time for a proposal, make sure she's surprised... I think it's even more important than the moment being hugely romantic.

      -Nate
      nmcfeters
  • Congrats and small advice

    Congrats!

    I give engaged/newlyweds three pieces of advice:

    1. (if engaged): Go on a road trip together. You need to be in stressful situations to see if y'all deal with it or just fight. Marriage is stressful, and unexpectedly so (Things just happen, and women are *weird*, but men are strange, so it balances out.)

    2. Elope. Fly to Vegas, get married in the First Church of Elvis, then come home && throw a PARTY! (A sword arch is a *really* cool thing to do, hint, hint.)

    3. Do your bills together. That way, both see where the money goes. If something happens to the primary bill-payer, the other will know what to do.

    4. (any three needs a fourth :^) after you travel, take her on a date, where *she* wants to go, && do what *she* wants to do. Same after she travels.

    enjoy ... bandit
    mr_bandit