Application Security Terminology

Glossary

Null Byte Injection

Null Byte Injection is an exploitation technique used to bypass sanity-checking filters in infrastructure by adding URL-encoded null byte characters (i.e., %00, or 0x00 in hex) to user-supplied data. This injection can alter the intended logic of the application and allow an attacker to gain unauthorized access to system files.

Most web applications today are developed using higher-level languages such as PHP, ASP, Perl, and Java. However, at some point these applications require their high-level code to be processed at the system level, and this is usually accomplished using C/C++ functions. The diverse nature of these dependent technologies has resulted in the Null Byte Injection (also known as Null Byte Poisoning) attack.
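The mismatch behind this entry, as an added example that is not part of the original glossary: C string functions stop at the first null byte, while a length-aware check (as in a higher-level language) sees the whole value, so a filter and the system-level call can disagree about the same input. The `.jpg` filter, the function names and the sample input are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Percent-decode in -> out. Returns decoded byte count (NULs included), -1 if too long. */
static long url_decode(const char *in, unsigned char *out, size_t cap) {
    size_t n = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c == '%' && isxdigit((unsigned char)in[i + 1]) && isxdigit((unsigned char)in[i + 2])) {
            char hex[3] = { in[i + 1], in[i + 2], '\0' };
            c = (unsigned char)strtol(hex, NULL, 16);
            i += 2;
        }
        if (n + 1 >= cap) return -1;
        out[n++] = c;
    }
    out[n] = '\0';
    return (long)n;
}

/* Hypothetical extension filter applied to the full decoded length, the way a
   high-level language sees the value. strict != 0 also rejects any NUL in the data. */
static int filter_accepts(const char *encoded, int strict) {
    unsigned char buf[256];
    long len = url_decode(encoded, buf, sizeof buf);
    if (len < 4) return 0;
    if (strict && memchr(buf, '\0', (size_t)len) != NULL) return 0;
    return memcmp(buf + len - 4, ".jpg", 4) == 0;
}

/* Length the same decoded value has once handed to a C string function. */
static size_t c_string_len(const char *encoded) {
    unsigned char buf[256];
    if (url_decode(encoded, buf, sizeof buf) < 0) return 0;
    return strlen((const char *)buf);
}

int main(void) {
    const char *sample = "notes.cfg%00.jpg"; /* constructed input */
    printf("weak=%d strict=%d c_len=%zu\n",
           filter_accepts(sample, 0), filter_accepts(sample, 1), c_string_len(sample));
    printf("photo.jpg strict=%d\n", filter_accepts("photo.jpg", 1));
    return 0;
}
```

The weak filter accepts the sample because the 14 decoded bytes end in `.jpg`, yet a C string function sees only the first 9 bytes; rejecting embedded null bytes after decoding keeps both views identical.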