OWASP Juice Shop - TryHackMe

To solve question #3, "download the backup file", in the OWASP Juice Shop room on TryHackMe, you must bypass a server-side file extension filter using a technique known as a Poison Null Byte.

Understanding the Challenge

In this task, your objective is to access a sensitive backup file located in the /ftp/ directory of the web server. While exploring the directory, you will find a file named package.json.bak. However, if you attempt to download it directly, the server returns an error stating that only .md and .pdf files are allowed for download.

Step-by-Step Solution

1. Open your browser and go to http:// /ftp/ .
2. Identify the Target: Locate package.json.bak.
3. The server checks the end of the filename to ensure it matches an approved extension. You can trick the server into ignoring everything after the .bak extension by inserting a null character.
4. Since you are downloading via a URL, you must use a URL-encoded Poison Null Byte, which is %2500.
5. Append the null byte followed by a "fake" valid extension to your request. Your final URL should look like this: http:// /ftp/package.json.bak%2500.md
6. The server sees the .md at the end and allows the download, but the underlying file system stops reading at the null byte, serving you the package.json.bak file instead.

Why This Happens

This vulnerability occurs when an application uses lower-level libraries (often C-based) to handle files. In these languages, a null character (\0) signals the end of a string. By injecting %2500, you essentially tell the application: "Look at the whole string for your security check, but stop reading here when you actually go to get the file".