In association with heise online

Internet Explorer - NUL Demos

Internet Explorer ignores NUL characters -- i.e. ASCII characters with the value 0x00 -- whereas most security software does not. You can embed NUL characters anywhere in an HTML document, even inside tags, and IE parses the file as if they were not there. This page illustrates this with different demos. To check how your antivirus or content security solution handles NUL characters, there are several versions of each demo:

  1. Original: a demo without NUL characters
  2. single NUL: inserted one NUL character
  3. multiple NUL: every other char is NUL (only in the relevant part)
  4. UTF-16: file converted to UTF-16, sent with wrong Content-Type: text/html; charset=iso-8859-1
  5. UTF-32: file converted to UTF-32, sent with wrong Content-Type: text/html; charset=iso-8859-1
  6. 4097: inserted multiple blocks with 4097 NULs

Note: All the demos have been verified to work with Internet Explorer; the exploits were tested with vulnerable versions of IE. The demos are designed to do no harm to your system (although we cannot guarantee this). However, the exploit demos can, and in fact should, trigger antivirus software and Intrusion Detection/Prevention Systems.

JavaScript

This demo opens a JavaScript alert box:

<script>alert("Hello world");</script>

  1. Original
  2. single NUL
  3. multiple NULs
  4. UTF-16
  5. UTF-32
  6. 4097
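A scanner-side check for the behaviour described above, as an added example that is not code from the original page: it matches a signature against the raw bytes and against a copy with every 0x00 byte removed, and flags content that only matches after stripping. The signature, the function names and the sample variants are constructed for illustration and model only the benign alert demo.

```python
import re

# Constructed stand-in for an AV/IDS pattern; it targets only the benign alert demo.
SIGNATURE = re.compile(rb"<script[^>]*>\s*alert\(", re.IGNORECASE)

def normalize(body: bytes) -> bytes:
    """Drop every 0x00 byte, approximating the input IE parses (per the page)."""
    return body.replace(b"\x00", b"")

def scan(body: bytes) -> dict:
    """Match the signature on the raw and the NUL-stripped bytes and compare."""
    raw = SIGNATURE.search(body) is not None
    stripped = SIGNATURE.search(normalize(body)) is not None
    return {
        "raw_match": raw,
        "normalized_match": stripped,
        "nul_count": body.count(b"\x00"),
        # A hit that appears only after stripping means NULs hid the content.
        "evasion_suspected": stripped and not raw,
    }

def build_variants() -> dict:
    """Constructed samples modelled on the six demo versions listed on the page."""
    demo = b'<script>alert("Hello world");</script>'
    text = demo.decode("ascii")
    block = b"\x00" * 4097
    return {
        "original": demo,
        "single NUL": demo[:3] + b"\x00" + demo[3:],
        "multiple NUL": b"\x00".join(bytes([c]) for c in demo),
        "UTF-16": text.encode("utf-16-le"),   # served as iso-8859-1 in the demo
        "UTF-32": text.encode("utf-32-le"),
        "4097": demo[:4] + block + demo[4:12] + block + demo[12:],
    }

if __name__ == "__main__":
    for name, body in build_variants().items():
        r = scan(body)
        print(f"{name:13} raw={r['raw_match']!s:5} normalized={r['normalized_match']!s:5} "
              f"nuls={r['nul_count']:5} evasion={r['evasion_suspected']}")
```

Any 0x00 byte in a response labelled text/html with a single-byte charset is itself an anomaly worth logging, independent of whether a signature matches.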

Exploit for ADODB hole (MS03-048)


Note: This demo exploit tries to create and execute the file C:\browsercheck.exe. It works with an unpatched Internet Explorer in all listed variants. If your AV solution or IDS/IPS shows an alert on the Original, it should do the same for all of the other versions.

  1. Original
  2. single NUL
  3. multiple NULs
  4. UTF-16
  5. UTF-32
  6. 4097

Exploit for mhtml hole (MS04-013)


Note: This demo exploit tries to create the file C:\browsercheck.exe. It works with an unpatched Internet Explorer in all listed variants. If your AV solution or IDS/IPS shows an alert on the Original, it should do the same for all of the other versions.

  1. Original
  2. single NUL
  3. multiple NULs
  4. UTF-16
  5. UTF-32
  6. 4097
 

