Null byte injection exploits the difference in how programming languages and underlying system functions handle the null character (\x00 or %00). In C-based languages and system calls, the null byte marks the end of a string. Higher-level languages like PHP, Python, and Java store the string length separately and historically allowed null bytes within string values. This mismatch lets an attacker pass a string that satisfies application-level validation in full but is truncated at the null byte once it reaches the system level.
How It Works
The most common application of null byte injection is bypassing file extension validation. Consider an application that restricts file access to .php files by checking that the requested filename ends with .php. An attacker requests ../../etc/passwd%00.php. The application's string handling sees the filename ending in .php and allows the request. When the filename is passed to the underlying system call to open the file, the null byte terminates the string at ../../etc/passwd, and the system reads the password file instead.
File upload validation is another common target. If an application checks that an uploaded file has a .jpg extension, an attacker might upload shell.php%00.jpg. The application validates the .jpg extension, but the file system stores the file as shell.php because the null byte truncates the name. The attacker then requests the file and achieves code execution.
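The two cases above (file access and file upload) are the same mismatch: the application checks the whole string, the C-level API stops at the first null byte. The following added Python example (not code from the original page) shows the naive suffix check beside a hardened check that rejects null bytes, canonicalizes the path and confines it to an assumed document root; `DOC_ROOT` and every file name are constructed sample values.

```python
"""Added example: the validation/termination mismatch behind null byte injection.
Naive check vs. hardened check; all inputs are constructed samples."""
import posixpath
from urllib.parse import unquote

DOC_ROOT = "/var/www/app"  # assumed document root for this example


def naive_is_allowed(raw_filename: str, allowed_ext: str = ".php") -> bool:
    """Vulnerable pattern: decode the request and look only at the suffix of the
    application-level string. '../../etc/passwd%00.php' ends in '.php' here,
    yet a NUL-terminated C API would see only '../../etc/passwd'."""
    return unquote(raw_filename).endswith(allowed_ext)


def c_level_view(filename: str) -> str:
    """What a NUL-terminated system call actually uses: everything before the
    first null byte. This is the truncation the page describes."""
    return filename.split("\x00", 1)[0]


def hardened_is_allowed(raw_filename: str, allowed_ext: str = ".php") -> bool:
    """Hardened pattern: decode once, refuse any null byte outright, resolve
    '..' segments lexically, confine the result to DOC_ROOT, and only then
    check the extension on the canonical path."""
    name = unquote(raw_filename)
    if "\x00" in name:
        return False  # null byte can never be part of a legitimate file name
    full = posixpath.normpath(posixpath.join(DOC_ROOT, name))
    if not (full == DOC_ROOT or full.startswith(DOC_ROOT + "/")):
        return False  # escaped the document root via '..'
    return full.endswith(allowed_ext)


if __name__ == "__main__":
    for raw, ext in [("../../etc/passwd%00.php", ".php"),
                     ("shell.php%00.jpg", ".jpg"),
                     ("index.php", ".php")]:
        print(raw, "naive:", naive_is_allowed(raw, ext),
              "system sees:", repr(c_level_view(unquote(raw))),
              "hardened:", hardened_is_allowed(raw, ext))
```

The decisive line is the null byte rejection: once that is in place, the extension check and the path confinement operate on the same string the operating system will see.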
Null byte injection also affects LDAP queries, log files, and any context where application-layer string processing and system-layer string processing use different conventions for string termination.
Current Status
Modern language runtimes have largely mitigated null byte injection. PHP versions 5.3.4 and later reject null bytes in file system functions. Java's File class throws exceptions when paths contain null bytes. However, applications that interface with legacy systems, use native extensions, or process binary data may still be vulnerable. The technique remains relevant in security assessments of older codebases and systems.
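Two checks a defender can run given the status described above, as an added Python example (not from the original page): first, confirm that the runtime itself refuses a path containing a null byte before any system call is made, which is what modern CPython does; second, because legacy components behind an application may still truncate, scan request logs for encoded null bytes. The log lines are constructed samples, and the log format is assumed to be the common combined format.

```python
"""Added example: verify the runtime mitigation and detect null byte attempts in logs.
Log lines are constructed samples."""
import re
from urllib.parse import unquote


def runtime_rejects_null(path: str) -> bool:
    """True if the Python runtime refuses the path before it reaches the OS.
    CPython raises ValueError('embedded null byte') for such paths (older 3.x
    releases raised TypeError), so no file is opened at all."""
    try:
        with open(path, "rb"):
            pass
    except (ValueError, TypeError):
        return True
    except OSError:
        return False  # the path reached the OS; the runtime did not reject it
    return False


# Constructed sample access log (combined format assumed)
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /view.php?file=index.php HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /view.php?file=../../etc/passwd%00.php HTTP/1.1" 200 1842
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "POST /upload.php HTTP/1.1" 200 88
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /view.php?file=index.PHP HTTP/1.1" 200 512
"""

REQUEST_TARGET = re.compile(r'"(?:GET|POST|PUT|HEAD|DELETE) (\S+) HTTP/')


def find_null_byte_requests(log_text: str) -> list:
    """Return the request targets whose URL-decoded form contains a null byte.
    Decoding first means %00 in any case variant is caught."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_TARGET.search(line)
        if m and "\x00" in unquote(m.group(1)):
            hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    print("runtime rejects NUL path:", runtime_rejects_null("passwd\x00.php"))
    for target in find_null_byte_requests(SAMPLE_LOG):
        print("null byte in request:", target)
```

A hit in the log does not prove the application is vulnerable, but on a codebase that still calls native extensions or legacy services it is the request worth correlating with file access on the back end.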
Why It Matters
Null byte injection demonstrates how subtle differences in string handling between layers create exploitable gaps. It is a foundational technique in path traversal and filter bypass attacks, and understanding it is essential for testing applications that interact with file systems and external services.
Need your application tested? Get in touch.