Name: Poison Null Byte
Description: Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.
Difficulty: 4 star
Category: Improper Input Validation
Expanded Description: https://pwning.owasp-juice.shop/part2/improper-input-validation.html
Name: Easter Egg, Forgotten Developer Backup, Forgotten Sales Backup, and Misplaced Signature File
The Poison Null Byte challenge is one of my favorites, because it’s such a simple trick that opens up so many seemingly closed doors on the FTP page. First, we need to know what the restrictions are on what we can and can’t download.
OK, so only .md and .pdf files can be downloaded. Fair enough. But by using a double URL-encoded null byte (%2500, which becomes %00 once the server decodes it), it’s possible to bypass this restriction. Basically what we’re doing here is saying “I want file X.gg”, and letting the null byte do two things. First, it allows you to add a new file extension to the GET request so the filetype restriction is satisfied. Second, it serves as a break between the intended filename and the added extension, so that the file-handling layer stops at the null byte and the correct file is downloaded.
The key is to put that URL-encoded null byte at the end of the real file extension, then add “.md” after it. Then, download all of the things! Seriously, download everything but the quarantined malware. The rest of the images in this post show which files lead to challenge solutions.
Prevention and Mitigation Strategies:
Nothing. I’ve always liked the poison null byte, ever since I looked up why the YouTube channel Null Byte (where I spent/spend a lot of time) chose its name.