Exploiting null byte (0x00) handling differences to truncate strings, bypass extension checks, or terminate paths prematurely.
Null Byte Injection exploits how different programming languages and systems handle null bytes (0x00 or %00). In C-based systems, null bytes terminate strings, which can truncate input and bypass extension checks or filters.
When a null byte is injected into input, some systems (especially those using C libraries) will treat it as the end of the string, while the application logic may process the full input before passing it to these systems.
# Application checks file extension
Uploaded: shell.php%00.jpg
# PHP validation sees: shell.php%00.jpg (ends with .jpg) → PASS
# Filesystem (C-based) sees: shell.php (null terminates)
# Result: PHP file saved and executable
# LFI with extension appending
include($_GET['page'] . '.php');
# Attack: ?page=../../../etc/passwd%00
# App builds: ../../../etc/passwd%00.php
# System reads: ../../../etc/passwd (null truncates .php)
Most modern languages and frameworks now properly handle or reject null bytes. PHP 5.3.4+ throws an error on null bytes in paths. However, legacy systems may still be vulnerable.
Common representations of the null byte:
%00 - URL encoded
\0 - Escape sequence
0x00 - Hex
\x00 - Hex escape
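The upload case above, as an added Python sketch that is not code from the original page: it shows the suffix-only check passing, what a NUL-terminated (C-style) consumer would read from the same input, and a validator that rejects the name before it reaches the filesystem. The function names and the extension allow-list are assumptions made for the illustration.

```python
import os
from urllib.parse import unquote

# Assumed allow-list for this sketch; use the application's own policy.
ALLOWED_EXTENSIONS = {".jpg", ".png"}


def naive_check(raw_name: str) -> bool:
    """The flawed check described above: only the trailing extension is inspected."""
    return unquote(raw_name).lower().endswith(".jpg")


def c_string_view(raw_name: str) -> str:
    """What a NUL-terminated consumer reads: everything before the first 0x00."""
    return unquote(raw_name).encode("utf-8").split(b"\x00", 1)[0].decode("utf-8")


def safe_upload_name(raw_name: str) -> str:
    """Decode once, reject NUL and other control bytes, then check the extension."""
    name = unquote(raw_name)
    # Reject before any path handling, so no later layer can truncate the name.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in name):
        raise ValueError("control character (including NUL) in filename")
    # Keep only the final path component, whichever separator was used.
    name = os.path.basename(name.replace("\\", "/"))
    stem, ext = os.path.splitext(name)
    if not stem or ext.lower() not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not allowed")
    return name


if __name__ == "__main__":
    sample = "shell.php%00.jpg"  # constructed input, taken from the example above
    print("naive check passes:", naive_check(sample))
    print("C-style consumer sees:", c_string_view(sample))
    try:
        safe_upload_name(sample)
    except ValueError as exc:
        print("hardened check rejects:", exc)
    print("clean name accepted:", safe_upload_name("photo.JPG"))
```

The validator rejects the input rather than stripping the null byte, so the name that was checked is always the name that gets stored.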