When sending the ASCII control character null (hexadecimal 00) in the query string of an URI, IIS returns a 400 (Bad Request). Tomcat passes the null to the web application. But Apache returns a HTTP entity (the HTML code), but no HTTP headers. Additionally the URI is truncated (the null and everything after it is missing).<\/p>\n
If you have a local apache running, try this python script (you need to have a index.html or index.php in your root directory):<\/p>\n
\r\nimport urllib2\r\nprint 'Valid request:'\r\nprint urllib2.urlopen('http:\/\/localhost\/?abc=123&def=456_VALID').read()\r\nprint ''\r\nprint 'Invalid request:'\r\nprint urllib2.urlopen('http:\/\/localhost\/?abc=123'+chr(0)+'&def=456_INVALID').read()\r\n<\/pre>\nIf you watch it with wireshark you will see that the answer to the second request has no HTTP headers. The apache access.log will look like this:<\/p>\n
\r\n::1 - - [09\/Jun\/2010:16:44:41 +0200] "GET \/?abc=123&def=456_VALID HTTP\/1.1" 200 321 "-" "Python-urllib\/2.6"\r\n::1 - - [09\/Jun\/2010:16:44:41 +0200] "GET \/?abc=123" 200 94 "-" "-"\r\n<\/pre>\nEric Covener of the apache project:<\/p>\n
The null in the invalid URL causes the request line to be terminated before the rest of the URL or the protocol. The response (no headers) is “HTTP 0.9” described here: <\/p>\n
http:\/\/www.w3.org\/Protocols\/HTTP\/AsImplemented.html<\/p><\/blockquote>\n
You can find my (invalid) bug report here<\/a>. I think this can only be used for web server fingerprinting. Or if there is a client (e.g. a browser) that sends the null character as well, there might be some changes for header injection.<\/p>\n","protected":false},"excerpt":{"rendered":"When sending the ASCII control character null (hexadecimal 00) in the query string of an URI, IIS returns a 400 (Bad Request). Tomcat passes the null to the web application. But Apache returns a HTTP entity (the HTML code), but … Continue reading