Null Byte Injection exploits how different programming languages and systems handle null bytes (0x00 or %00). In C-based systems, null bytes terminate strings, which can truncate input and bypass extension checks or filters.
When a null byte is injected into input, some systems (especially those using C libraries) will treat it as the end of the string, while the application logic may process the full input before passing it to these systems.
# Application checks file extension
Uploaded: shell.php%00.jpg
# PHP validation sees: shell.php%00.jpg (ends with .jpg) → PASS
# Filesystem (C-based) sees: shell.php (null terminates)
# Result: PHP file saved and executable
# LFI with extension appending
include($_GET['page'] . '.php');
# Attack: ?page=../../../etc/passwd%00
# App builds: ../../../etc/passwd%00.php
# System reads: ../../../etc/passwd (null truncates .php)
Most modern languages and frameworks now properly handle or reject null bytes. PHP 5.3.4+ throws an error on null bytes in paths. However, legacy systems may still be vulnerable.
%00 - URL encoded
\0 - Escape sequence
0x00 - Hex
\x00 - Hex escape
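The mismatch described above, and a check that closes it, as an added example (not code from the original page). The allowlists, the function names and the sample input are assumptions made for illustration; ctypes is used only to show what a NUL-terminated C string retains.

```python
import ctypes
import os
import re
from urllib.parse import unquote

# Assumed policy for this example: image uploads only, conservative names.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png"}
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,99}")

# Constructed sample input: the upload name from the text, as sent on the wire.
SAMPLE = "shell.php%00.jpg"


def naive_extension_check(name: str) -> bool:
    """The flawed check: looks only at how the full string ends."""
    return name.lower().endswith(".jpg")


def as_c_string(name: str) -> str:
    """What an API taking a NUL-terminated char* sees: bytes before the first 0x00."""
    return ctypes.create_string_buffer(name.encode()).value.decode()


def validate_upload_name(raw: str) -> str:
    """Return a filename safe to store, or raise ValueError."""
    decoded = unquote(raw)  # decode %00 (and other escapes) exactly once
    if "\x00" in decoded:
        raise ValueError("null byte in filename")
    # Allowlist also rejects '/', '\\', and '%' left over from double encoding.
    if not SAFE_NAME.fullmatch(decoded):
        raise ValueError("filename contains disallowed characters")
    if os.path.splitext(decoded)[1].lower() not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not allowed")
    return decoded


if __name__ == "__main__":
    decoded = unquote(SAMPLE)
    print("naive check passes:", naive_extension_check(decoded))
    print("C layer sees:", as_c_string(decoded))
    try:
        validate_upload_name(SAMPLE)
    except ValueError as exc:
        print("hardened check rejects:", exc)
```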