26

I am testing an ASP.NET web form which needs to filter out null characters from input.

To test this functionality, how can I actually type a null character in the HTML form? I've tried Alt+0 but it does not work.

I know I can do it in a GET request by using "%00" in the URL. However, I want to do it in a form POST.

frankadelic
  • 3
    You want to know how to type nothing, in a way. – Joe Aug 05 '11 at 18:52
  • I mean the null character, "\0". In unicode, it is \x00. – frankadelic Aug 05 '11 at 18:56
  • 1
    If you specifically want to know about typing/pasting it (instead of finding a programmatic/automated solution), you might be better off asking that on superuser.com, though a quick search there seems to indicate it's not possible. – mercator Aug 09 '11 at 20:39
  • Why would you need to test that? It's pretty straightforward, remove all forbidden characters/code points in the input that's coming to your server and you should be fine. A simple unit test in C# can validate such code. – Rivenfall Mar 27 '18 at 09:29
  • Anyone know HOW in a modern browser a normal user may end up sending this. I received the following input in JSON `{ "address1": "1234 New York \u0000\u0000\u0000\u0000\u0000\u0000 Avenue " }` from a real customer and have no idea how they managed to do that! – Simon_Weaver Jun 23 '20 at 02:24
  • 1
    @Simon_Weaver They probably were using some buggy form autofill plugin. – thelr Aug 04 '21 at 19:02

7 Answers

8

I was able to do this using TamperData Firefox plugin.

https://addons.mozilla.org/en-US/firefox/addon/tamper-data/

When given the Tamper Popup I typed "%00" in the Post Parameter Value field.

Still, I cannot find a way to type a null character just using the keyboard.

frankadelic
  • I loved TamperData. I use Chrome now, but I sometimes reflect over what I lost when I switched to Chrome... – Austin Burk Feb 21 '14 at 13:46
  • @Pacerier Nope. Closest I've been able to get is tripping the debugger on 'All xmlhttprequests' and tracing it back to the source JavaScript. Nothing has matched up to it so far. – Austin Burk Feb 05 '15 at 12:27
4

My suggestion would be to write the null character to the HTML element you would like it in, e.g.:

    document.getElementById("my_null_tag").innerHTML += "\0"
2

You can use an HTML entity. Not fully sure of how many zeroes are required but:

�

For an arbitrary Unicode character it's easier to use the hexadecimal notation. E.g., `&#x335D;` prints ㍝, which is U+335D.


Update: This question is pretty tricky indeed. I've managed to insert a null character inside an HTML document (using a server-side script and verified with a hexadecimal editor). As expected, there is no difference with the HTML entity, which can be either � or �. But the browser does not send the character in the post request (tested with Firefox and Firebug): it sends %EF%BF%BD, which is 'REPLACEMENT CHARACTER' (U+FFFD). Exactly, it sends the interrogation mark in a box that's used to print the null in the document (given that null is not printable).

My guess is that your testers need to script the task.

Álvaro González
0

    <html>
        <body onload='document.forms[0].submit();'>
            <form method="post" action="http://localhost/test.asp" >
                <input type="hidden" name="param" value="%00">
            </form>
        </body>
    </html>

Pierre Ernst
  • 1
    I want something QA testers can actually type in their browser. – frankadelic Aug 05 '11 at 18:57
  • 1
    Because of the way the OS clipboard is implemented, there is no chance a QA tester can paste a NULL byte into a field. I would suggest that you create an HTML file like the example above and have the QA tester browse to it. If you want the QA tester to have more freedom (choosing which field should receive the NULL byte) consider implementing an ASP page that would automatically parse the query string and build an auto-submitting form like the one provided – Pierre Ernst Aug 05 '11 at 19:23
  • If paste is not an option, can a null byte be simply typed via some control sequence? – frankadelic Aug 05 '11 at 20:12
0

Use AJAX to submit the form. I.e. paste something like this in the address bar instead:

    javascript:(function(){var xhr=new XMLHttpRequest();xhr.onreadystatechange=function(){if(this.readyState==4){document.write(this.responseText)}};xhr.open("POST",'/form',true);xhr.send("\0");})()

Here it is unwrapped, so you can actually see it:

    (function() {
        var xhr = new XMLHttpRequest();
        xhr.onreadystatechange = function () {
            if (this.readyState == 4) {
                document.write(this.responseText);
            }
        };
        xhr.open("POST", '/form', true);
        xhr.send("\0");
    })()

There are some limitations to this, of course, since it just blindly replaces the content of the current page with whatever it got back. But this might be enough to tell if something went wrong or not.

mercator
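
An added example, not part of any answer in this thread: a Node.js sketch that compares what three kinds of form POST body actually deliver to a server-side NUL filter, so a tester can tell whether the filter was exercised. The field name `param` is taken from the HTML answer above; the function names and sample values are hypothetical and constructed for illustration.

```javascript
// Added example (not from the thread); all function names are hypothetical.

// Build an application/x-www-form-urlencoded body the way a scripted
// test client would.
function encodeFormBody(fields) {
  return new URLSearchParams(fields).toString();
}

// Decode a raw body the way a server-side form parser would.
function parseFormBody(body) {
  return Object.fromEntries(new URLSearchParams(body));
}

// Report what a decoded field really carried.
function inspectField(value) {
  if (value.includes("\u0000")) return "nul";         // a real U+0000 arrived
  if (value.includes("\uFFFD")) return "replacement"; // browser swapped it for U+FFFD
  return "clean";                                     // no NUL reached the server
}

// The filter under test: drop every U+0000.
function stripNul(value) {
  return value.replace(/\u0000/g, "");
}

// Constructed sample bodies.
const scripted = encodeFormBody({ param: "abc\u0000def" });     // real NUL, sent as %00
const fromBrowser = "param=abc%EF%BF%BDdef";                    // bytes an answer above saw Firefox send
const typedLiteral = encodeFormBody({ param: "abc%00def" });    // the text "%00" in a field

for (const body of [scripted, fromBrowser, typedLiteral]) {
  const { param } = parseFormBody(body);
  console.log(body, "->", inspectField(param), JSON.stringify(stripNul(param)));
}
```

Only the first body puts a NUL in front of the filter; the other two pass through it unchanged, which a test that only checks "no error" would not reveal.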
0

This answer from Jonathan H. didn't really work for me, but it did put me on the right path. What did work was to set the .value attribute of the HTML element (via the browser dev tools console), and then submit the form.

    document.getElementById("element-id").value = "some text with a null byte\0"

Miguel Ferreira
-2

A Latin character O with a slash through it is often acceptable as a symbol for Null/Nul (or blank if you prefer). If you are using database-driven applications you'll want to sanitize this symbol to replace with null or blank, depending on your needs.

How to do it: ALT + 0216 in your favorite editor should give you Ø - which is, for this display purpose, Null.

Then, as an example and a best practice, you'll sanitize the form submission before it gets passed to the database.

Example Case: If feeding a database-driven PHP site, your sanitation of this specific character might look something like...

`$dbstring = str_replace("Ø", NULL, $dbstring);` and the value will be NULL

Or try...

`$dbstring = str_replace("Ø", "", $dbstring);` and the value will be BLANK

! alternatively, you may want to do this display with the HTML entity codes, which I mention below.

Alt + 0216 explained: If using a normal 104-key keyboard with English (American) set as your primary language, hold down the ALT key, and while holding, use the NUMBER PAD keys to enter 0216. Then release the ALT key, and your character should appear. *This is primarily a Windows method. Macintosh, (X)nix and BSD users, you will probably be stuck using the HTML entity codes.

Special note: use of the top-of-keyboard numbers doesn't work. If you are on a laptop or other device that makes this difficult or impossible, try an alternative: use the HTML entity codes:

&Oslash; = Ø (usually for null)
&oslash; = ø (could be used, but the upper-case version seems more appropriate.)

Other thoughts that might be helpful: Nul vs Null vs Blank - They fundamentally mean the same thing, but different programming languages use or require these differently. (There are others too, like NULPTR for Null Pointer.)

The point I'm trying to make with NUL/NULL, is that the submitted variable 'doesn't exist' or simply 'wasn't there at all'. In most contexts, you can simply call this "Null" and be understood.

Some database systems treat Blank and NULL as the same thing. Others, Blank is actually an empty value, whereas NULL is no value at all (like mentioned above.)

Hopefully this helps in building the view you're looking for.

Nathan Tuggy
  • In case it isn't obvious, this answer explains how to use a special character that would be interpreted by humans as representing "null". The original question is actually asking about the character that COMPUTERS interpret as null - usually represented by a 0 value in whatever encoding the character set uses (https://en.wikipedia.org/wiki/Null_character#Representation) – thelr Aug 04 '21 at 19:07