CXML/VXML Auditing for IVR Pentesters and PCI/DSS Consultants

Hacker in the Box (HITB) - Amsterdam • Okura Hotel, Ferdinand Bolstraat 333, 1072 LH Amsterdam, Netherlands


Rahul Sasi

Founder and CTO at CloudSEK

Send message

Presentation downloadables


Uploaded externally - View here

Talk summary

CXML and VXML languages are used to power IVR applications. IVR systems are often seen in Phone Banking , Call Center applications, and other auto attendent systems. These devices are connected to internal networks and data bases. The input to these devices are via DTMF and Voice inputs, and all the processed data are read out by the system. So any sort of errors triggered by an attacker internally would be read out by these machines and there are a lot of possible attacks on these systems leading to Internal Network security compromise. The easiest way to find these bugs are by doing a source code audit on these applications. This talk will demonstrate buggy CXML and VXML programs and security issues.

IVR (Interactive Voice Response) System:

IVR systems allow a computer to interact with a human via voice and DTMF keypad Inputs. IVR allows a customer to interact with a company database via keypad or by speech recognition. The procedure is simple, the customer dials in a number via his phone, and he gets connected to the IVR system which is running on the company server. Based on the customers input via keypad (DTMF) and Voice response the IVR system performs the operations. IVR systems are capable from querying the InternalData base to Performing OS related task and many other based on the implementations.

Hacking IVR Systems

These systems are considered secured because they are not connected to Internet and as they use a Peer to Peer GSM, CDMA, Wired Telephone line for transactions.

Input Validation Attacks

Input validation attacks would be the one class of Remote attacks we would be demonstrating on these systems, but the issue is that since DTMF keypad tones are the input source to these device and that DTMF signals could only carry 0-9, A-D and +#* characters many input validation attacks would flop.

Logical Flows in Implementations

Many systems we came across depend on spoof-able sources like caller ID and didn’t have protection against automated attacks.

About this talk




On October 22nd, 2012


Hacker in the Box (HITB) - Amsterdam (go to website)


Okura Hotel, Ferdinand Bolstraat 333, 1072 LH Amsterdam, Netherlands

Audience size

In front of 250 people