How does a Embedding NULL Bytes attack work?

It typically unfolds over 3 phases. It begins with: [Survey the application for user-controllable inputs] Using a browser, an automated tool or by inspecting the application, an adversary records all entry points to the application.

How do you prevent CAPEC-52?

Properly handle the NULL characters supplied as part of user input prior to doing anything with the data.

What weaknesses does CAPEC-52 target?

CAPEC-52 exploits 7 CWE weaknesses, including CWE-20 (Improper Input Validation), CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')), CWE-158 (Improper Neutralization of Null Byte or NUL Character), CWE-172 (Encoding Error).

How severe is CAPEC-52?

MITRE rates CAPEC-52 as High severity with high likelihood of attack.

CAPEC-52: Embedding NULL Bytes

An adversary embeds one or more null bytes in input to the target software. This attack relies on the usage of a null-valued byte as a string terminator in many environments. The goal is for certain components of the target software to stop processing the input when it encounters the null byte(s).

Last updated June 1, 2026

High

Typical severity

Per MITRE

High

Likelihood of attack

Per MITRE

Related weaknesses

CWEs this targets

Detailed

Abstraction

MITRE classification

How the attack works

The phases an attacker typically follows to carry out this attack.

Step 1
Explore
[Survey the application for user-controllable inputs] Using a browser, an automated tool or by inspecting the application, an adversary records all entry points to the application.
- Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL.
- Use a proxy tool to record all user input entry points visited during a manual traversal of the web application.
- Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.
- Manually inspect the application to find entry points.
Step 2
Experiment
[Probe entry points to locate vulnerabilities] The adversary uses the entry points gathered in the "Explore" phase as a target list and injects postfix null byte(s) to observe how the application handles them as input. The adversary is looking for areas where user input is placed in the middle of a string, and the null byte causes the application to stop processing the string at the end of the user input.

Examples

Directory Browsing Assume a Web application allows a user to access a set of reports. The path to the reports directory may be something like web/username/reports. If the username is supplied via a hidden field, an adversary could insert a bogus username such as ../../../../../WINDOWS. If the adversary needs to remove the trailing string /reports, then they can simply insert enough characters so the string is truncated. Alternatively the adversary might apply the postfix NULL character (%00) to determine whether this terminates the string. Different forms of NULL to think about include PATH%00 PATH[0x00] PATH[alternate representation of NULL character] %00

Exploitation of a buffer overflow vulnerability in the ActiveX component packaged with Adobe Systems Inc.'s Acrobat/Acrobat Reader allows remote adversaries to execute arbitrary code. The problem specifically exists upon retrieving a link of the following form: GET /any_existing_dir/any_existing_pdf.pdf%00[long string] HTTP/1.1 Where [long string] is a malicious crafted long string containing acceptable URI characters. The request must be made to a web server that truncates the request at the null byte (%00), otherwise an invalid file name is specified and a "file not found" page will be returned. Example web servers that truncate the requested URI include Microsoft IIS and Netscape Enterprise. Though the requested URI is truncated for the purposes of locating the file the long string is still passed to the Adobe ActiveX component responsible for rendering the page. This in turn triggers a buffer overflow within RTLHeapFree() allowing for an adversary to overwrite an arbitrary word in memory. The responsible instructions from RTLHeapFree() are shown here: 0x77F83AE5 MOV EAX,[EDI+8] 0x77F83AE8 MOV ECX,[EDI+C] ... 0x77F83AED MOV [ECX],EAX The register EDI contains a pointer to a user-supplied string. The adversary therefore has control over both the ECX and EAX registers used in the shown MOV instruction. Successful exploitation allows remote adversaries to utilize the arbitrary word overwrite to redirect the flow of control and eventually take control of the affected system. Code execution will occur under the context of the user that instantiated the vulnerable version of Adobe Acrobat. An adversary does not need to establish a malicious web site as exploitation can occur by adding malicious content to the end of any embedded link and referencing any Microsoft IIS or Netscape Enterprise web server. Clicking on a direct malicious link is also not required as it may be embedded within an IMAGE tag, an IFRAME or an auto-loading script. Successful exploitation requires that a payload be written such that certain areas of the input are URI acceptable. This includes initial injected instructions as well as certain overwritten addresses. This increases the complexity of successful exploitation. While not trivial, exploitation is definitely plausible [REF-445]. See also: CVE-2004-0629

Consider the following PHP script: $whatever = addslashes($_REQUEST['whatever']); include("/path/to/program/" . $whatever . "/header.htm"); A malicious adversary might open the following URL, disclosing the boot.ini file: http://localhost/phpscript.php?whatever=../../../../boot.ini%00

CAPEC-52: Embedding NULL Bytes

Overview

How the attack works

What the attacker needs

Prerequisites

Skills required

Consequences

How to mitigate it

Examples

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CAPEC-52?

How does a Embedding NULL Bytes attack work?

How do you prevent CAPEC-52?

What weaknesses does CAPEC-52 target?

How severe is CAPEC-52?

References

Defend against CAPEC-52

Overview

How the attack works

What the attacker needs

Prerequisites

Skills required

Consequences

How to mitigate it

Examples

Related weaknesses

Related attack patterns

Parent

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CAPEC-52?

How does a Embedding NULL Bytes attack work?

How do you prevent CAPEC-52?

What weaknesses does CAPEC-52 target?

How severe is CAPEC-52?

References

Defend against CAPEC-52