Null Byte Injection is an exploitation technique that bypasses input validation filters by inserting a URL-encoded null byte (%00, the single byte 0x00) into user-supplied data. The injected byte changes how the application interprets the rest of the value and can give an attacker unauthorized access to files on the system.
Most web applications are written in higher-level languages such as PHP, ASP, Perl, and Java, whose strings are length-tracked and may legitimately contain 0x00. At some point, however, the runtime hands those strings to the operating system through C library functions, and C treats 0x00 as the terminator of a string. The mismatch between these two string representations is what makes the Null Byte Injection (also called Null Byte Poisoning) attack possible.
Any web language is exposed if the application passes unsanitized input to such a function or builds file names from it. A null byte injected into a URL parameter survives the high-level runtime but ends the string at the C level, so whatever the application appended after the user input (a fixed directory, extension or file name) is silently dropped. This is commonly used to turn a constrained file include into Local or Remote File Inclusion (LFI/RFI).
The following example, a PHP script with this weakness, shows how the technique modifies a URL to read arbitrary files from the filesystem.
$whatever = addslashes($_REQUEST['whatever']);
include("/path/to/program/" . $whatever . "/header.htm");
By appending a null byte to the parameter value, the concatenated path becomes "/path/to/program/../../../etc/passwd\0/header.htm", and the C-level open() call behind include() stops reading at the null byte, so the "/header.htm" suffix is never part of the file name it opens. On PHP releases before 5.3.4 (later versions reject paths that contain a null byte) this reads the UNIX password file. Note that addslashes() only escapes quotes, backslashes and literal NUL bytes for quoting purposes and is not a path filter; the outcome is decided by what include() does with the bytes it receives:
http://vuln.example.com/phpscript.php?whatever=../../../etc/passwd%00
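The truncation described above happens where a length-tracked string meets a NUL-terminated C API. The following C program is an added illustration, not code from the original page or from PHP: it URL-decodes the query value, concatenates it exactly like the PHP include() above (the prefix "/path/to/program/" and suffix "/header.htm" are reused as assumed constants), and contrasts the full length of the result with the length that strlen(), and therefore open(2), would see. A hardened builder rejects any decoded NUL before the bytes reach a C string function. The sample payload is constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Assumed constants mirroring the PHP snippet on this page. */
#define INC_PREFIX "/path/to/program/"
#define INC_SUFFIX "/header.htm"

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode %XX escapes and '+' from a query value. A %00 becomes a real 0x00
 * byte in out, so the result is length-tracked via the return value: strlen()
 * cannot measure it. Returns -1 on a malformed escape or if out is too small. */
int url_decode(const char *in, unsigned char *out, size_t cap) {
    size_t n = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        int c = (unsigned char)in[i];
        if (c == '%') {
            if (in[i + 1] == '\0' || in[i + 2] == '\0') return -1;
            int hi = hexval((unsigned char)in[i + 1]);
            int lo = hexval((unsigned char)in[i + 2]);
            if (hi < 0 || lo < 0) return -1;
            c = hi * 16 + lo;
            i += 2;
        } else if (c == '+') {
            c = ' ';
        }
        if (n >= cap) return -1;
        out[n++] = (unsigned char)c;
    }
    return (int)n;
}

/* The check a filter must run on the DECODED bytes; matching the text "%00"
 * before decoding misses alternative encodings of the same byte. */
int has_nul(const unsigned char *buf, int len) {
    return memchr(buf, 0, (size_t)len) != NULL;
}

/* Vulnerable builder: concatenates like the PHP include() and returns the
 * full length, embedded NUL included. strlen(out) afterwards is the length
 * a NUL-terminated C call such as open(2) actually uses. */
int build_include_path(const char *query, char *out, size_t cap) {
    unsigned char dec[256];
    int dlen = url_decode(query, dec, sizeof dec);
    if (dlen < 0) return -1;
    size_t pl = strlen(INC_PREFIX), sl = strlen(INC_SUFFIX);
    if (pl + (size_t)dlen + sl + 1 > cap) return -1;
    memcpy(out, INC_PREFIX, pl);
    memcpy(out + pl, dec, (size_t)dlen);
    memcpy(out + pl + dlen, INC_SUFFIX, sl);
    out[pl + dlen + sl] = '\0';
    return (int)(pl + dlen + sl);
}

/* Hardened builder: refuses any decoded NUL before the bytes can reach a
 * NUL-terminated API. Directory traversal ("../") is a separate concern and
 * needs its own check, e.g. an allow-list of names or realpath() against
 * the base directory. */
int build_include_path_safe(const char *query, char *out, size_t cap) {
    unsigned char dec[256];
    int dlen = url_decode(query, dec, sizeof dec);
    if (dlen < 0 || has_nul(dec, dlen)) return -1;
    return build_include_path(query, out, cap);
}

int main(void) {
    char path[512];
    const char *payload = "../../../etc/passwd%00";  /* constructed sample */
    int full = build_include_path(payload, path, sizeof path);
    printf("full length %d, C-string length %zu: \"%s\"\n",
           full, strlen(path), path);
    printf("hardened builder returns %d\n",
           build_include_path_safe(payload, path, sizeof path));
    return 0;
}
```

Running it shows the 48-byte concatenation collapsing to the 36-character "/path/to/program/../../../etc/passwd" as soon as a C string function looks at it, while the hardened builder returns -1 for the same payload and still accepts an ordinary value such as "docs".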