While blackbox testing of web-application, I found some unexpected behavior. Request body of original request, sent by browser, contained post parameter like this:
After some fuzzing, application returned 500 (Internal Server Error) on queries that started by %00 (null byte), followed by characters not equal to %09, %0a (new line), %0b, %0c, %0d and %20 (space). If it is followed by one more null byte, or one of already mentioned characters, it behaves properly.
I’m pretty new to web testing, and wondered what can cause this, and is it really unexpected behavior.
I suggested this code to execute some code and sanitizing other characters like “, ‘ and others to prevent command injection, but null byte terminates string with the command, so the command goes wrong (for example, missing ‘ or ” in the command), but why it needs other character after the null byte?
Or maybe this is related to specialized functions to send mail in other languages?
Also, I thought about database processing, but it still does not make sense, why we need this characters in the end, and why new line, space and others, changes the behavior.
What could lead to this behavior, and is it worthy point to research deeper?