Poison Null Byte

Item	Detail
Category	Improper Input Validation → File Access Bypass
Difficulty	Hard (4-Star)
Juice Shop Flag	`score-board#Poison Null Byte`
Tools Used	Browser (Address Bar / DevTools)
Status	Solved
Video Demo	Click Here

1. Vulnerability Overview

The application exposes a public directory:

/ftp

Users can download files from this directory, but access is restricted to certain file types (e.g., .md, .pdf).

When trying to access a blocked file like:

/ftp/package.json.bak

the server returns 403 Forbidden.

The vulnerability exists because the application performs incorrect input validation on file names.

By injecting a Null Byte (%00), an attacker can bypass the file extension check and access restricted files.

2. How the Attack Works

The server checks if a file ends with an allowed extension (e.g., .md).

However:

The validation reads the full string
The filesystem stops reading at the NULL byte

Example:

package.json.bak%00.md

Validation sees → .md → allowed
Filesystem reads → package.json.bak

👉 Result: restricted file is returned

3. Step-by-Step Exploitation

1. Discover the FTP directory

Open:

http://localhost:3000/ftp

You will see files like:

legal.md
acquisitions.md
package.json.bak

2. Test restricted file

Try:

http://localhost:3000/ftp/package.json.bak

👉 Result: 403 Forbidden

3. Craft the payload

Use a Null Byte injection with double encoding:

%2500

Final payload:

http://localhost:3000/ftp/package.json.bak%2500.md

4. Execute the attack

Enter the URL in the browser
Press Enter

👉 The file downloads successfully

5. Result

The restricted file is accessed
Validation is bypassed
Challenge is solved

4. Why This Works

The vulnerability is caused by a mismatch between:

input validation
file system processing

Key issues:

File extension check is performed before decoding is complete
NULL byte (%00) terminates the string at filesystem level
Double encoding (%2500) bypasses the validation step

5. Security Impact

Access to sensitive files
Exposure of configuration and source code
Information disclosure for further attacks

6. Mitigation

Reject NULL bytes explicitly (%00)
Validate file paths strictly (not just extensions)
Use safe file handling functions
Avoid exposing internal directories

7. Key Takeaways

Input validation must be strict and complete
File extension checks alone are not secure
Encoding tricks can bypass filters
Improper validation can lead to sensitive data exposure

1. Vulnerability Overview​

2. How the Attack Works​

3. Step-by-Step Exploitation​

1. Discover the FTP directory​

2. Test restricted file​

3. Craft the payload​

4. Execute the attack​

5. Result​

4. Why This Works​

5. Security Impact​

6. Mitigation​

7. Key Takeaways​