Title: Poison Null Byte
Category: Improper Input Validation
Difficulty: ⭐⭐⭐⭐ (4/6)
The Poison Null Byte challenge involves exploiting a classic web vulnerability where a null byte (`\0`, or `%00` in URL encoding) is used to bypass security controls that improperly handle input validation. This challenge tests the participant's understanding of low-level programming bugs and how they can impact web applications.
Tools:
- Web browser with the capability to modify URLs
- Burp Suite to intercept requests
The poison null byte attack exploits a vulnerability where the application’s input validation or file handling interprets a null byte as a string terminator. In many programming environments, particularly those derived from C, the null byte marks the end of a string. This can be abused to truncate strings in file paths or scripts, allowing an attacker to access files or execute code that should be restricted.
- Identify the Vulnerable Service: Recognize a file-serving function on the application server that might not correctly handle URLs containing encoded null bytes. This came up in previous challenges, where we downloaded files from the FTP directory at the URL `127.0.0.1:3000/ftp`.
- Construct the Attack Vector: Formulate a URL that requests a sensitive file, then append a null byte character followed by extensions or paths that the server might otherwise restrict.
- Execute the Attack:
  - Use a browser or a tool like Burp Suite to send the request to the server.
  - Encode the null byte in the URL as `%00`.
  - Example: to access `coupons_2013.md.bak`, which is restricted, the URL could be structured as `http://127.0.0.1:3000/ftp/coupons_2013.md.bak%00.txt`.
- Observe the Outcome: If the server is vulnerable, it processes the request up to the null byte, ignoring anything after it. The server then serves the `coupons_2013.md.bak` file instead of `coupons_2013.md.bak.md`, which might be allowed.
In this challenge, using the poison null byte allowed bypassing the server's security mechanism designed to restrict access to certain file types or directories. By injecting a `%00`, the path is effectively truncated at the point of injection, potentially bypassing checks on file extensions or paths.
To prevent poison null byte attacks, consider the following recommendations:
- Properly Handle Strings and Inputs: Ensure all parts of the web application, especially those in languages like PHP or server configurations that interact with the underlying file system, handle null bytes appropriately.
- Sanitize and Validate Inputs: All inputs should be sanitized and validated to reject any null bytes before processing. Functions that strip out or handle null bytes should be applied to inputs that will interact with the file system.