Security Advisories

Trustwave Press Releases

« [Honeypot Alert] Simple Page Options Module for Joomla! Local File Inclusion Attack Detected | Main | TWSL2012-002: Multiple Vulnerabilities in WordPress »

23 January 2012


Hi Adrián,

You're absolutely right. Browsers will take characters with special meaning like the null byte or the percent sign and encode them to prevent mucking up the processes working with the data. As we're entering encoded data, we need to do it in such a way that the browser won't encode it again. One way of doing this, as you mentioned, is to put the data directly in the URL.

If the data isn't being submitted as a GET parameter (i.e. in the URL) we can use an intercepting proxy such as Burp Suite to modify the request and include our null byte.

It's great to hear feedback about the tool, especially that people like yourself are enjoying it! More challenges are in the works for both SQLol and XMLmao, so stay tuned!



I've downloaded XMLmao v0.3 and for this null byte trick to work, you have to change it directly in the URL, because if you put %00 into the text box, is being encoded as %2500 in the URL and this won't work.

The tool is great, create more challenges please!

Verify your Comment

Previewing your Comment

This is only a preview. Your comment has not yet been posted.

Your comment could not be posted. Error type:
Your comment has been posted. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.


Post a comment