 

Preventing "Null Byte Attacks" | Java

Tags: java, security

My initial understanding of this topic is that I need to prevent some junk characters available in the request to avoid these attacks.

I have decided to solve this by pattern matching every request parameter before using it. Most of the posts available on the internet talk about Null Byte, and the example given shows how file IOs are the main victims of this attack. So the following are my questions:

  1. Are file IOs the only thing that a null byte can affect, or are other operations also victims of this attack?
  2. What are the chars/strings/patterns I need to take care of if I want to filter my request parameters to be safe from null byte attacks? I have a list, and I am sure it is not a complete one: %00, \0, 0x00 in hex

The articles that I am referring to are:

http://projects.webappsec.org/w/page/13246949/Null%20Byte%20Injection

http://www.perlmonks.org/index.pl?node_id=38548

http://hakipedia.com/index.php/Poison_Null_Byte

Thanks in advance


So to make it more clear:

The first post points out the vulnerability in Java that I am talking about. The string serverlogs.txt%00.db is allowed in Java, but when it comes to C/C++ this is serverlogs.txt, as in C %00 would be replaced by a null byte, causing the string to terminate after serverlogs.txt. So we should avoid such characters. This is what I am trying to figure out: which such characters I should not allow.

String fn = request.getParameter("fn");
if (fn.endsWith(".db"))
{
    File f = new File(fn);
    // read the contents of "f" file
    …
}
Rupesh asked Feb 20 '26 14:02


1 Answer

Have you tried it? I wrote this quick unit test:

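import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.nio.charset.Charset;
// Assumed imports (not shown in the post): JUnit 4's @Test and Spring's StreamUtils
import org.junit.Test;
import org.springframework.util.StreamUtils;
public class NullBytePathTest {
    @Test
    public void test() throws Exception {
        FileOutputStream out = new FileOutputStream("test.txt");
        out.write("hello!".getBytes("utf-8"));
        out.close();
        String badPath = "test.txt\0foo";
        File file = new File(badPath);
        FileInputStream in = new FileInputStream(file);
        System.out.println(StreamUtils.copyToString(in, Charset.forName("utf-8")));
    }
}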

Now, if the null character broke the string, I would expect to have the contents of my file printed to the console. Instead, I get a FileNotFoundException. For the record, this was using Java 1.7.0_40 on Ubuntu 13.04.

Update

Further investigation reveals this code in File#isInvalid:

final boolean isInvalid() {
    if (status == null) {
        status = (this.path.indexOf('\u0000') < 0) ? PathStatus.CHECKED
                                                   : PathStatus.INVALID;
    }
    return status == PathStatus.INVALID;
}
Aurand answered Feb 22 '26 04:02
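
An added example (not part of the question or the answer): a hardened form of the question's `fn` handling that rejects NUL and other control characters explicitly instead of depending on the `File#isInvalid` check of a particular JDK, and also confines the result to a base directory. The class name, the `data` base directory and the sample inputs are assumptions made for illustration.

```java
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;

public class SafeDbFileResolver {
    // Hypothetical base directory; only files under it may be read.
    private static final Path BASE = Paths.get("data").toAbsolutePath().normalize();

    /** Returns the resolved path for a request-supplied name, or throws if it is unsafe. */
    static Path resolve(String fn) {
        if (fn == null || fn.isEmpty()) {
            throw new IllegalArgumentException("missing file name");
        }
        // Reject NUL and every other control character before any path handling.
        for (int i = 0; i < fn.length(); i++) {
            if (Character.isISOControl(fn.charAt(i))) {
                throw new IllegalArgumentException("control character at index " + i);
            }
        }
        if (!fn.endsWith(".db")) {
            throw new IllegalArgumentException("only .db files are allowed");
        }
        Path candidate;
        try {
            candidate = BASE.resolve(fn).normalize();
        } catch (InvalidPathException e) {
            throw new IllegalArgumentException("invalid path", e);
        }
        // Containment check: "../" sequences and absolute paths must not escape BASE.
        if (!candidate.startsWith(BASE)) {
            throw new IllegalArgumentException("path escapes base directory");
        }
        return candidate;
    }

    public static void main(String[] args) {
        // Constructed inputs; the second is the question's serverlogs.txt%00.db after URL decoding.
        String[] samples = { "users.db", "serverlogs.txt\0.db", "../secret.db", "notes.txt" };
        for (String s : samples) {
            try {
                System.out.println("OK      " + resolve(s));
            } catch (IllegalArgumentException e) {
                System.out.println("REJECT  " + s.replace("\0", "\\0") + " -> " + e.getMessage());
            }
        }
    }
}
```

The check runs on the decoded parameter value, so a single test for the character U+0000 covers the `%00`, `\0` and `0x00` spellings listed in the question.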


