A null byte is the character with the value 0x00 in hexadecimal (%00 in URL encoding). C and C-derived languages use it to mark the end of a string: functions such as strlen(), strcpy() and the path argument to open() treat the first 0x00 they meet as the end of the string, so any bytes that follow it are never seen.

Null byte injection is an exploitation technique in which an attacker places a null byte inside user-supplied data, usually to bypass input validation or filtering. It works because of a mismatch between two string models: C and C++ library functions stop at the null byte, while languages such as PHP, Java and Perl carry an explicit length and treat 0x00 as an ordinary byte. A check written in the high-level language therefore sees the whole string, but the moment that string is handed to a C-level system call (for example to open a file) it is silently truncated at the null byte. Modern runtimes have closed the most common paths: PHP's filesystem functions have rejected paths containing a null byte since 5.3.4, and Java's java.io.File has done the same since 7u40, so the technique mainly affects legacy versions and custom native code.

Attackers can use null byte injection to:

  • Bypass file extension checks: For example, if an application appends ".php" to a filename before validating or opening it, supplying "malicious.txt%00" produces the string "malicious.txt\0.php". The length-aware validation sees a name ending in ".php", but the C-level open() call underneath stops at the null byte and opens "malicious.txt".
  • Access restricted files: By injecting a null byte, attackers can manipulate file paths to access sensitive files like /etc/passwd on Unix systems.
  • Circumvent input validation: Filters that don’t account for null bytes may allow otherwise forbidden input through, enabling further attacks such as directory traversal or code execution.

Example scenario:
If a PHP application includes a file based on user input and appends “.php” to the filename, an attacker could exploit this with:

http://example.com/page.php?file=../../../../etc/passwd%00

The PHP-level code sees the string "../../../../etc/passwd\0.php", which passes any check that only looks at the appended extension. When include() passes that path down to the C-level open() call, everything after the null byte is dropped, so the call resolves "../../../../etc/passwd" and the sensitive file is included. On PHP 5.3.4 and later the filesystem functions reject the embedded null byte instead.
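The following C program is an added illustration of the two string models described above; it is not code from the original page and not the code of any real application. It models the vulnerable flow end to end: URL-decoding the query value into a length-counted buffer (the way PHP or Java would hold it), appending ".php", running a length-aware suffix check that passes, and then showing what a NUL-terminated C filesystem API would actually receive. The helper names (url_decode, append_ext, ends_with_php, path_seen_by_c, contains_nul) and the lstring type are assumptions made for this example; contains_nul is the hardened check a practitioner would add before any path reaches libc.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Hypothetical helpers for illustration only; not from the page or any project. */

/* A length-counted string, the way PHP/Java/Perl carry user data:
   the buffer may contain 0x00 and len is tracked separately. */
typedef struct {
    unsigned char buf[256];
    size_t len;
} lstring;

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* URL-decode %XX sequences. Unlike strcpy, this stores the decoded 0x00
   in the buffer and keeps going, because the decoder is length-aware. */
static lstring url_decode(const char *src) {
    lstring out = { {0}, 0 };
    for (size_t i = 0; src[i] != '\0' && out.len < sizeof out.buf - 1; i++) {
        if (src[i] == '%' && hexval(src[i + 1]) >= 0 && hexval(src[i + 2]) >= 0) {
            out.buf[out.len++] = (unsigned char)(hexval(src[i + 1]) * 16 + hexval(src[i + 2]));
            i += 2;
        } else {
            out.buf[out.len++] = (unsigned char)src[i];
        }
    }
    out.buf[out.len] = 0; /* trailing terminator, not counted in len */
    return out;
}

/* The application's step: append an extension to whatever the user supplied. */
static lstring append_ext(lstring s, const char *ext) {
    size_t n = strlen(ext);
    if (s.len + n < sizeof s.buf) {
        memcpy(s.buf + s.len, ext, n);
        s.len += n;
        s.buf[s.len] = 0;
    }
    return s;
}

/* Length-aware validation, as the high-level language sees it:
   does the full byte string end in ".php"? */
static bool ends_with_php(const lstring *s) {
    const char *ext = ".php";
    size_t n = strlen(ext);
    return s->len >= n && memcmp(s->buf + s->len - n, ext, n) == 0;
}

/* What a C filesystem call such as open()/fopen() receives: a NUL-terminated
   char *, so everything after the first 0x00 is invisible to it. */
static const char *path_seen_by_c(const lstring *s) {
    return (const char *)s->buf; /* strlen() stops at the embedded NUL */
}

/* Hardened check: reject any embedded NUL before the path reaches libc. */
static bool contains_nul(const lstring *s) {
    return memchr(s->buf, 0, s->len) != NULL;
}

int main(void) {
    /* Constructed input: the query-string value from the URL example above. */
    lstring p = append_ext(url_decode("../../../../etc/passwd%00"), ".php");
    printf("validator sees %zu bytes, ends with .php: %s\n",
           p.len, ends_with_php(&p) ? "yes" : "no");
    printf("libc sees: \"%s\" (%zu bytes)\n",
           path_seen_by_c(&p), strlen(path_seen_by_c(&p)));
    printf("hardened check rejects: %s\n", contains_nul(&p) ? "yes" : "no");
    return 0;
}
```

The contrast between ends_with_php() and path_seen_by_c() is the whole bug: the same 27-byte buffer passes the suffix check yet reaches the filesystem as a 22-byte traversal path. Rejecting any input where contains_nul() is true, or equivalently validating the exact bytes that will be passed to the C call rather than the decorated high-level string, removes the mismatch.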