Null byte Injection


Nirmal Kumar

Sep 8, 2017, 4:49:48 AM
to OWASP ZAP User Group
Hi to all (especially Simon Sir),

Is ZAP able to find "NULL byte Injection" in Active Scan?

Just forget about path traversal & path traversal+LDAP.

For Example:
in PHP:

Code Snippet:

<?php
// Intentionally vulnerable: the user-controlled name is placed in the path unvalidated,
// and the appended ".dat" can be cut off by a NUL byte in $file.
$file = $_GET['file'];
require_once("/var/www/images/$file.dat");


Exploitation:

Normal Mode: http://www.example.host/user.php?file=myprofile.dat
Attacking Mode: http://www.example.host/user.php?file=../../../etc/passwd%00


What I'm trying to get is only NULL byte injection. Again, forget about path traversal & PT+LDAP.
Just focus on "null byte injection".


Can anyone give me a guideline on how ZAP will find "null byte injection", because in my webapp it didn't catch it.
The above PHP code is in my webapp.


Thanks in Advance.
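As an added illustration (not code from the thread or from ZAP), here is the poster's handler next to a hardened version that rejects control bytes, allow-lists the name and confirms the resolved path stays under the images directory; the directory and function names are assumptions. Current PHP versions already refuse filesystem paths containing NUL bytes, but the missing validation still leaves the traversal open.

```php
<?php
// Added example, not the poster's code. Paths and names are assumptions.

// Vulnerable: ".dat" is appended, but a NUL byte in $file ends the path early, so
// "../../../etc/passwd%00" reached the filesystem as "/etc/passwd" on older PHP.
function load_profile_vulnerable(string $file): void
{
    require_once("/var/www/images/$file.dat");
}

// Hardened: return the validated absolute path, or null if the name is unacceptable.
function resolve_profile_path(string $file, string $baseDir = '/var/www/images'): ?string
{
    // NUL bytes and other control characters never belong in a filename.
    if (preg_match('/[\x00-\x1f]/', $file)) {
        return null;
    }
    // Allow-list a simple basename: no slashes, no leading dot, bounded length.
    if (!preg_match('/\A[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}\z/', $file)) {
        return null;
    }
    $candidate = $baseDir . '/' . $file . '.dat';
    $real = realpath($candidate);   // false if the file does not exist
    $base = realpath($baseDir);
    // Enforce the directory prefix on the canonical path as a second barrier.
    if ($real === false || $base === false || strpos($real, $base . '/') !== 0) {
        return null;
    }
    return $real;
}

function load_profile_safe(string $file): void
{
    $path = resolve_profile_path($file);
    if ($path === null) {
        http_response_code(400);
        exit('invalid profile name');
    }
    require_once($path);
}

// Constructed inputs: the first passes the checks, the other two are rejected.
var_dump(resolve_profile_path('myprofile'));                // path if the file exists
var_dump(resolve_profile_path("../../../etc/passwd\0"));    // NULL
var_dump(resolve_profile_path('../../../etc/passwd'));      // NULL
```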

guth....@gmail.com

Sep 8, 2017, 2:00:15 PM
to OWASP ZAP User Group
What does the reply on the null byte injection look like?
Surely ZAP can perform null byte injection, but often that's not an issue. If your application crashes, shows an error message, or does something else out of the ordinary, then what would that look like? There are a lot of scan rules that might match on an error that is caused by a null byte injection. If the error message/condition you see does not cause an alert, then we can probably figure out a way to improve ZAP.

Nirmal Kumar

Sep 9, 2017, 1:16:31 AM
to OWASP ZAP User Group
Hi guttula,

Thanks for your valuable reply.
But once again,
"Null byte injection" doesn't show a particular alert, based on my code which I have mentioned already.
It neither shows any alert about "null byte injection" nor does my application crash.

I think the alert for the "null byte injection" must be shown in "path traversal" OR "LDAP" regarding my given code, but it can't.


Thanks Again..

kingthorin+owaspzap

Sep 10, 2017, 5:53:09 PM
to OWASP ZAP User Group
As far as I know we don't have a specific scan rule for null byte injection.

I guess your example is ripped directly from http://projects.webappsec.org/w/page/13246949/Null%20Byte%20Injection

It should be fairly simple to script a PoC.

https://github.com/zaproxy/community-scripts/tree/master/active

Nirmal Kumar

Sep 11, 2017, 12:33:53 AM
to OWASP ZAP User Group

Thanks for your genius reply.

I had already reviewed this link before you gave it to me: http://projects.webappsec.org/w/page/13246949/Null%20Byte%20Injection
It means that ZAP doesn't scan for "null byte injection".

It needs to be added to the scanning rules as "Null Byte Injection".
Needs improvement.

Again thanks a lot all of you.

Simon Bennetts

Sep 11, 2017, 3:47:28 AM
to OWASP ZAP User Group
I've raised an issue for this: https://github.com/zaproxy/zaproxy/issues/3877
Although scripts are a great way to quickly add scan rules, I worry that not enough people make use of them.
A new rule written in java would be my preference.
This should be a fairly easy way to get started with ZAP development - anyone fancy giving it a go?

Cheers,

Simon

Nirmal Kumar

Sep 11, 2017, 4:25:51 AM
to OWASP ZAP User Group
Thanks a lot, Simon Sir.
I'll try to develop the script manually.
& thanks for raising the issue for "Null Byte Injection".

