Hi everyone, I'm Daniel. I'd like to talk a little about a little glitch in the Java web application world about null bytes that, under some circumstances, if the weather is just right and the moon is right, might get you command execution. Next slide.

So null bytes are by no means new, right? This class of vulnerabilities has been around for a while, ever since someone decided that it's a good idea to terminate strings with a null byte in C. So everyone has probably seen something like this: a PHP application where you try to open a file, and you give it a prefix and you give it a suffix, and in the middle there is an attacker-controlled string. Now what an attacker can do is get around the images folder prefix by just putting `../` in front of the path that he specifies. Getting rid of the `.jpeg` at the end is a little bit harder, but he can use a null byte, because when that string is passed on to the underlying C library, the string gets cut off at the null byte, since C thinks the string is terminated there. Next slide.

So wouldn't it be nice to have something like that for uploads as well? This is a regular upload request as your browser sends it when you upload a file. As you can see, the file name is sent in a Content-Disposition header in the segment that is for the uploaded file. That Content-Disposition header has an attribute called filename, and that just carries the name of the file. Now, the naive approach, next slide, would be to just use a %00 to indicate the null byte, as you would in the URL. However, that doesn't work, because the file name in there isn't URL-encoded. So that %00 will never be decoded, and you will end up with a file that has the name pit.jsp%00.jpeg, which doesn't get you anywhere, right? Because you want the extension of the file to be .jsp to execute code, and not .jpeg. Now, another approach is to use, next slide please, a literal null byte.
So historically, this never used to work, because web servers were written in C, right? When the web server receives this request, it will just see that Content-Disposition header right up until the .jsp. The web application framework is probably going to automatically correct for you that the quote is left open, and just send the string file.jsp on through the web application framework into your web application. So the application will see that the extension is actually .jsp and will not allow the file to be stored.

Now, as it turns out, nowadays there's actually a bunch of web servers that aren't written in C but in Java. And for Java, this null byte in the string is a perfectly valid character. So basically, what's going to happen if you upload something like that to, say, Tomcat? Tomcat will just pass this request, the entire line including the null byte, on to the web application framework. You're probably going to use something like Apache Commons FileUpload. Apache Commons FileUpload is just going to put the entire string that is in the filename parameter into a class property and pass that on to the web application itself. Now, if the web application doesn't take care, it will validate the string by reading everything after the last dot, which is the .jpeg extension, and will say yes, that's a valid file, and write it to disk. But when it's actually written to disk, it will end up having the .jsp extension. Next slide.

So what can you do about it? Never just store a file on disk with an attacker-controlled file name; use an arbitrary file name that you chose yourself, because otherwise you might get collisions anyway if two people upload a file with the same file name. And it's also not a good idea at all to serve files from your main domain, where you have authentication cookies, because you will be vulnerable to cross-site scripting. Thank you.
Do you want to take one quick question with your next 23 seconds? Repeat the question. Repeat the question. What about the weather? Why does it not work sometimes? Well, sometimes, if a web application doesn't allow file uploads, or doesn't have the necessary functionality, or isn't written in Java, it doesn't work. Oh, cool.
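The talk's two pieces of advice, reject file names that carry control characters and never write the client-supplied name to disk, can be shown side by side with the naive "everything after the last dot" check that the speaker describes. The following Java class is an added example written for this transcript; it is not code from the talk, from Tomcat or from Apache Commons FileUpload. The allowlist of extensions, the method names and the constructed attack string `pit.jsp\0.jpeg` are all assumptions; the code needs Java 9 or later for `Set.of`.

```java
import java.util.Locale;
import java.util.Optional;
import java.util.Set;
import java.util.UUID;

public final class SafeUploadName {

    // Constructed allowlist of image extensions the application is willing to store.
    private static final Set<String> ALLOWED_EXTENSIONS = Set.of("jpg", "jpeg", "png", "gif");

    // The check the talk warns about: it only looks at what follows the last dot,
    // so "pit.jsp\0.jpeg" passes because Java treats the NUL byte as an ordinary character.
    static boolean naiveExtensionCheck(String clientFileName) {
        int dot = clientFileName.lastIndexOf('.');
        if (dot < 0) {
            return false;
        }
        String ext = clientFileName.substring(dot + 1).toLowerCase(Locale.ROOT);
        return ALLOWED_EXTENSIONS.contains(ext);
    }

    // Hardened variant: refuse any control character (NUL included) and any path separator,
    // then use the client name only to choose the extension; the stored name is server-generated.
    static Optional<String> serverSideFileName(String clientFileName) {
        for (int i = 0; i < clientFileName.length(); i++) {
            char c = clientFileName.charAt(i);
            if (c < 0x20 || c == 0x7f || c == '/' || c == '\\') {
                return Optional.empty();
            }
        }
        int dot = clientFileName.lastIndexOf('.');
        if (dot < 0) {
            return Optional.empty();
        }
        String ext = clientFileName.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!ALLOWED_EXTENSIONS.contains(ext)) {
            return Optional.empty();
        }
        // Random, server-chosen name: no attacker influence and no collisions between uploaders.
        return Optional.of(UUID.randomUUID() + "." + ext);
    }

    public static void main(String[] args) {
        // Constructed input mirroring the file name from the talk, with a literal NUL byte.
        String attack = "pit.jsp\u0000.jpeg";
        String benign = "holiday.jpeg";

        System.out.println("naive check, attack name : " + naiveExtensionCheck(attack));
        System.out.println("naive check, benign name : " + naiveExtensionCheck(benign));
        System.out.println("hardened, attack name    : " + serverSideFileName(attack));
        System.out.println("hardened, benign name    : " + serverSideFileName(benign));
    }
}
```

Run with `java SafeUploadName.java` (Java 11 or later runs a single source file directly). The naive check accepts the NUL-containing name, while the hardened method returns an empty `Optional` for it and a UUID-based name for the benign upload; because the stored name never contains client-supplied bytes, whatever the file system does with a NUL byte no longer matters.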