
Sanitize - Null Byte payload

Open heldersantovisma opened this issue 4 years ago • 5 comments

Hey! Can anyone explain to me how to sanitize Null Byte payloads? Ex: "><%00img src=1 onerror=alert(1)> This example is not being sanitized.

heldersantovisma avatar May 17 '21 10:05 heldersantovisma

So the input is this?

><%00img src=1 onerror=alert(1)>

I'm getting this as output:

&gt;&lt;%00img src=1 onerror=alert(1)&gt;

Do you expect a different output?

mganss avatar May 17 '21 11:05 mganss

Yes, that can be exploited because it can result in "><img src=1 onerror=alert(1)>. I'm not really familiar with Null Byte injection, but it's exploiting URL encoding. Any advice? Should I do URL decode before sanitizing? http://projects.webappsec.org/w/page/13246949/Null%20Byte%20Injection

heldersantovisma avatar May 17 '21 16:05 heldersantovisma

I don't understand where the possible attack vector is here. After sanitizing, there aren't even angle brackets anymore.

mganss avatar May 17 '21 18:05 mganss

Sorry, maybe I'm not explaining well enough (please let's forget the vulnerability part). My main goal is to strip all HTML, but recently we discovered that due to these Null Byte attacks (e.g. %00 or \0) we could work around the HTML sanitization. So this ><%00img src=1 onerror=alert(1)> will become this ><%00img src=1 onerror=alert(1)> and parsing it as JSON will result in ><img src=1 onerror=alert(1)>

The vulnerability part is on our side because we were not expecting html and the system was decoding it as such.

Any advice on how to sanitize this?

heldersantovisma avatar May 18 '21 17:05 heldersantovisma
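The ordering problem described in the comment above (sanitize first, then a later layer decodes the already-sanitized text) is the part a defender can fix. The following is an added example, not code from this thread or from the HtmlSanitizer project; it assumes the HtmlSanitizer NuGet package (namespace Ganss.Xss in current releases, Ganss.XSS in the versions from 2021) and models the reporter's downstream decoding with a hypothetical DownstreamDecode helper. The payload is the one from the thread; the safe pipeline canonicalizes the input (URL-decode, drop NUL bytes) before sanitizing and treats the sanitizer output as final.

```csharp
// Added example (not from the HtmlSanitizer project or this issue thread).
// Assumes the HtmlSanitizer NuGet package; use "using Ganss.XSS;" on the
// versions current in 2021.
using System;
using System.Net;
using Ganss.Xss;

static class NullByteOrderingDemo
{
    static readonly HtmlSanitizer Sanitizer = new HtmlSanitizer();

    // Payload quoted in the thread: a URL-encoded NUL byte inside the tag name.
    const string Payload = "\"><%00img src=1 onerror=alert(1)>";

    // Hypothetical model of what the reporter describes happening after
    // sanitization: a later layer HTML-decodes, URL-decodes and then drops
    // NUL bytes (e.g. while turning the value into JSON).
    static string DownstreamDecode(string text)
    {
        string entitiesDecoded = WebUtility.HtmlDecode(text);
        string urlDecoded = WebUtility.UrlDecode(entitiesDecoded);
        return urlDecoded.Replace("\0", string.Empty);
    }

    // Problematic pipeline: sanitize, then decode. Whatever the sanitizer
    // encoded or removed, the decode step runs on its output and can
    // reassemble markup from the pieces.
    static string SanitizeThenDecode(string input)
    {
        return DownstreamDecode(Sanitizer.Sanitize(input));
    }

    // Canonicalize before sanitizing: one URL-decode pass, then strip NUL
    // bytes so the sanitizer's HTML parser sees the same tokens the browser
    // would. Decoding to a fixed point guards against double encoding.
    static string Canonicalize(string input)
    {
        string current = input;
        for (int i = 0; i < 4; i++)
        {
            string decoded = WebUtility.UrlDecode(current);
            if (decoded == current) break;
            current = decoded;
        }
        return current.Replace("\0", string.Empty);
    }

    // Safe pipeline: decode first, sanitize last, never decode afterwards.
    static string DecodeThenSanitize(string input)
    {
        return Sanitizer.Sanitize(Canonicalize(input));
    }

    static void Main()
    {
        Console.WriteLine("sanitize -> decode : " + SanitizeThenDecode(Payload));
        Console.WriteLine("decode -> sanitize : " + DecodeThenSanitize(Payload));
    }
}
```

The point of the two pipelines is that the sanitizer is only as good as the last transformation applied to its output: if any component HTML- or URL-decodes after sanitization, the guarantee is lost regardless of how the sanitizer handled the NUL byte. Sanitizing once, at the point where the value is rendered as HTML and after all decoding, removes the ordering problem entirely.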

I took the liberty of adding code formatting to your inline examples.

I'm still confused as to what the actual issue and goals are. Where exactly does the null byte injection get triggered, within C# code or in some other system?

The eventual output &gt;&lt;img src=1 onerror=alert(1)&gt; is not dangerous, is it?

What's your desired output?

mganss avatar May 19 '21 10:05 mganss