James,
On 5/9/25 11:43 AM, James H. H. Lampert wrote:
One of the customers whose Tomcat installation we manage brought up the
possible threat of null byte injection.
Is there anything within Tomcat itself that can mitigate this?
Or is it purely something I need to take up with our webapp people?
I guess that depends upon what you are primarily worried about.
Null byte injection can be used to attack all kinds of things that
aren't careful about such things.
Tomcat primarily cares about things like HTTP headers and URLs and such.
In all of those cases, injecting a null-byte ends up causing mismatches
of things like header names and URL patterns, so generally you are not
exposed to any issues such as path-traversal or security-constraint
bypasses.
A lot of this comes from the fact that Tomcat is written in Java which
does not use null-terminated strings. A null byte in a string in Java is
not special in any way, and so it can't be used to prematurely terminate
a string that should otherwise be considered to be longer.
You may have downstream data storage or programs that are susceptible to
null-byte injection, and Tomcat itself can't really help with that. You
could use something like a Web Application Firewall to inspect all your
traffic looking for such things, but just remember that any document you
upload to a web application is very likely to have null bytes in it, and
they are usually perfectly innocent. So "rejecting any request
containing a null byte" is heavy-handed and usually breaks things.
Hope that helps,
-chris
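The contrast Chris draws between Java's length-carrying strings and null-terminated ones, as an added example (C code written for this page, not code from Tomcat or from anyone on the list). A request field is modelled with an explicit length, the way a Java String or a Tomcat header value behaves, so a suffix check sees every byte; a downstream consumer that stops at the first NUL sees a shorter value, which is the mismatch the thread describes. The last function is the narrow check a practitioner would put at that hand-off point (URL paths and header values, where a NUL has no legitimate use) instead of rejecting every request whose body contains a null byte. The sample inputs are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A request field carried with an explicit length, like a Java String:
 * an embedded NUL is just another byte and does not end the value. */
typedef struct {
    const unsigned char *data;
    size_t len;
} field_t;

/* Length-aware suffix check over the whole field (the Java-style view). */
static int field_has_suffix(field_t f, const char *suffix) {
    size_t slen = strlen(suffix);
    return f.len >= slen && memcmp(f.data + f.len - slen, suffix, slen) == 0;
}

/* Number of bytes a null-terminated consumer would actually use:
 * everything up to the first NUL, or the whole field if there is none. */
static size_t c_string_consumer_length(field_t f) {
    size_t n = 0;
    while (n < f.len && f.data[n] != '\0')
        n++;
    return n;
}

/* Hand-off guard: a URL path or header value has no legitimate reason to
 * contain a NUL, so refuse to pass one to a null-terminated API. This is
 * deliberately not applied to request bodies, where NULs are normal. */
static int field_safe_for_c_api(field_t f) {
    return memchr(f.data, '\0', f.len) == NULL;
}

/* Returns 1 when the length-aware check and the null-terminated consumer
 * would disagree about the value, i.e. when truncation would occur. */
static int check_and_consumer_disagree(field_t f) {
    return c_string_consumer_length(f) != f.len;
}

static void report(const char *label, field_t f) {
    printf("%-24s len=%zu suffix(.txt)=%d consumer_sees=%zu safe=%d mismatch=%d\n",
           label, f.len, field_has_suffix(f, ".txt"),
           c_string_consumer_length(f), field_safe_for_c_api(f),
           check_and_consumer_disagree(f));
}

int main(void) {
    /* Constructed samples: a clean name and one with an embedded NUL. */
    field_t clean    = { (const unsigned char *)"notes.txt", 9 };
    field_t embedded = { (const unsigned char *)"a\0b.txt", 7 };

    report("clean", clean);       /* suffix=1 consumer_sees=9 safe=1 mismatch=0 */
    report("embedded NUL", embedded); /* suffix=1 consumer_sees=1 safe=0 mismatch=1 */
    return 0;
}
```

The second sample passes the length-aware suffix check exactly as it would in Java, yet a strlen-style consumer would act on a different value; `field_safe_for_c_api` flags it before that happens, while leaving body uploads alone.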