So my co-worker Eric Sheridan was talking about an attack scenario in one of our recent assessments where he left a note to the effect of, “we could download any file with this vulnerability if null byte injections work in Java – testing needed”. Interesting. Five minutes later I’ve got some test cases and as [...]