I have just been doing some penetration testing on a site, and I have noticed (I have noticed it before, but now seems like a good point to bring it up) that putting a null byte in the search string actually terminates the string there.

That is fine for lower-level languages like C; I know how that works. But why does this apply to web applications? I have seen this happen in both PHP and ASPX pages.

Is this a vulnerability, an intended feature of the language or just a bug with the languages?

DarkMantis

Actually PHP strings can contain null bytes; so can a .NET string (hence ASP.NET). At the PHP level, this byte is nothing special; the character U+0000 is just another Unicode code point. Trouble begins when the string is passed to another system, for which the null byte is a string terminator. In particular for file accesses: if the PHP code tries to open the file foo.txt\0.php (where \0 stands for a null byte), then the OS will only see a request for foo.txt, ignoring the rest of the string.

This is documented. In other languages as well.

In your case, one must assume that the bytes received as a "search string" are sent unmodified to an underlying search system for which the null byte has the special meaning of terminating the string. Though this is not a vulnerability in its own right, it is indicative of the Web site not filtering input characters, and that can lead to trouble.

Tom Leek
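The boundary the answer describes, shown in code. This is an added example, not code from the question or the answer: a length-counted string of the kind PHP and .NET use (here a small struct, an assumption standing in for the real runtime's string type) holding the answer's "foo.txt\0.php", what a NUL-terminated OS interface actually receives from it, and a hardened open() wrapper that rejects embedded null bytes instead of silently opening the truncated name. The struct and function names are mine.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* A length-counted string, which is how PHP and .NET hold text: the bytes may
 * legitimately include 0x00, and the length lives alongside the data.
 * (Illustrative stand-in for the runtime's own string type.) */
struct lstring {
    const char *data;
    size_t len;
};

/* Returns 1 if the string holds an embedded null byte, else 0. This is the
 * check to run before handing user input to any NUL-terminated interface
 * (open(), stat(), execve(), a C library wrapping a search backend, ...). */
int contains_nul(const struct lstring *s)
{
    return memchr(s->data, '\0', s->len) != NULL;
}

/* Copies into out[] exactly what a NUL-terminated OS interface sees: the bytes
 * before the first 0x00. Returns how many bytes that is. */
size_t os_visible(const struct lstring *s, char *out, size_t outsz)
{
    size_t n = 0;
    while (n < s->len && s->data[n] != '\0' && n + 1 < outsz) {
        out[n] = s->data[n];
        n++;
    }
    out[n] = '\0';
    return n;
}

/* Hardened open(): refuses a path containing an embedded null byte (or one too
 * long to terminate) instead of silently opening the truncated name. Returns
 * -1 with errno = EINVAL on rejection, otherwise whatever open() returns. */
int safe_open_ro(const struct lstring *path)
{
    char buf[4096];
    if (contains_nul(path) || path->len >= sizeof buf) {
        errno = EINVAL;
        return -1;
    }
    memcpy(buf, path->data, path->len);
    buf[path->len] = '\0';
    return open(buf, O_RDONLY);
}

int main(void)
{
    /* Constructed input: the string from the answer, 12 bytes long with the
     * null byte at offset 7. The application sees all 12; the OS sees 7. */
    struct lstring req = { "foo.txt\0.php", 12 };
    char seen[64];

    size_t n = os_visible(&req, seen, sizeof seen);
    printf("application length: %zu, OS sees %zu bytes: \"%s\"\n",
           req.len, n, seen);
    printf("embedded NUL present: %d\n", contains_nul(&req));

    int fd = safe_open_ro(&req);
    if (fd < 0 && errno == EINVAL)
        printf("safe_open_ro: rejected path with embedded null byte\n");
    else if (fd >= 0)
        close(fd);
    return 0;
}
```

The same memchr check is the one to apply to the search string in the question before it crosses into whatever backend terminates on 0x00: reject the request (or strip the byte and log it) rather than let the backend see a different string than the application did.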