Can't figure out Path Traversal issue in code


Texas Ranger

Jun 22, 2016, 12:05:02 PM
to OWASP ZAP User Group
Hi,

I'm new to ZAP and also SDL. I tested my application (ASP.NET MVC) with ZAP. It found a High level issue with a few URLs - "Path Traversal (CWE 22, WASC ID 33)".

How can I see what exactly ZAP tried or what exactly works? I mean, how can I replicate the problem and see the issue so that I know what to fix. I couldn't figure out how there could be a path traversal possible other than ASP.NET MVC letting you use "../" in the path, which is interpreted as the previous folder, but the user cannot escape beyond the web folder. But this would be a problem for all URLs, not just the few URLs ZAP reported to have a problem. And there is no "file system" access in these URLs, so I'm not using values from the URL to locate a file in the file system, so the problem must be with ASP.NET or IIS, but I have no clue.

Any help is appreciated.  Thanks for your help.
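The distinction the question turns on is worth seeing in code: the framework's refusal to route "../" above the web folder protects URL routing, not any file path the application itself builds from a request parameter. The following is an added example, written in Python rather than the poster's ASP.NET MVC code and not taken from the thread or from ZAP; `WEB_ROOT` and the sample parameter values are constructed. It places the weak pattern (append the parameter to a base directory) beside the hardened one (decode, canonicalise, then verify the canonical path is still inside the base directory), and covers the encoded and backslash variants a scanner typically sends.

```python
import posixpath
from urllib.parse import unquote

# Constructed sample: the directory the application is allowed to serve files from.
WEB_ROOT = "/var/www/app/files"


def naive_resolve(user_path: str) -> str:
    """Weak pattern: append the user-controlled value to the web root.

    '..' segments survive normalisation, so the result can leave WEB_ROOT,
    and an absolute value replaces the root entirely (posixpath.join semantics).
    """
    return posixpath.normpath(posixpath.join(WEB_ROOT, user_path))


def safe_resolve(user_path: str):
    """Hardened pattern: decode, normalise, then prove the result is inside WEB_ROOT.

    Returns the canonical path on success, or None if the value must be rejected.
    """
    # Decode twice so single- and double-URL-encoded dot segments (%2e, %252e)
    # are seen as the characters the file system would eventually receive.
    decoded = unquote(unquote(user_path))
    # Reject embedded NUL bytes: some runtimes truncate the path at the NUL.
    if "\x00" in decoded:
        return None
    # Treat backslashes as separators; Windows hosts honour both.
    decoded = decoded.replace("\\", "/")
    # Strip leading slashes so an absolute value cannot replace the root.
    relative = decoded.lstrip("/")
    root = posixpath.normpath(WEB_ROOT)
    candidate = posixpath.normpath(posixpath.join(root, relative))
    # Containment check on the canonical form, not on the raw string:
    # the candidate must be the root itself or live strictly below it.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def evaluate(values):
    """Run both resolvers over a list of parameter values and return
    (value, naive_result, safe_result) triples so the difference is visible."""
    return [(v, naive_resolve(v), safe_resolve(v)) for v in values]


if __name__ == "__main__":
    # Constructed sample parameter values of the kind a scanner sends.
    samples = [
        "reports/q1.pdf",
        "../../etc/passwd",
        "%2e%2e/%2e%2e/etc/passwd",
        "..%252f..%252fetc/passwd",
        "/etc/passwd",
        "..\\..\\etc\\passwd",
    ]
    for value, naive, safe in evaluate(samples):
        print(f"{value!r:32} naive -> {naive:40} safe -> {safe}")
```

The containment test is done on the canonical path rather than by searching the raw string for "../", because encoding, mixed separators and redundant segments all defeat string matching while the canonical form is unambiguous. If a handler never turns a parameter into a file path at all, as the poster describes, this check is not where the finding comes from, and the request and response ZAP recorded for the alert are the place to look.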


kingthorin+owaspzap

Jun 22, 2016, 1:42:02 PM
to OWASP ZAP User Group
The alert should give you the details, check the "Parameter" field and the "Evidence" field, additionally review the request and response (in the req/resp tabs when the alert is selected) to see what ZAP did and got back when performing the test.

Texas Rookie

Jun 22, 2016, 4:37:19 PM
to zaprox...@googlegroups.com
Evidence field is empty. Parameter field shows a parameter that's been persisted in the database and then shown back to the user on the web page. That's all in the code. I can't think of a way that could be used for "path traversal".

Shouldn't ZAP show the value of the parameter used that caused the alert?

Thanks for your help. 

On Wed, Jun 22, 2016 at 12:42 PM, kingthorin+owaspzap <kingt...@gmail.com> wrote:
The alert should give you the details, check the "Parameter" field and the "Evidence" field, additionally review the request and response (in the req/resp tabs when the alert is selected) to see what ZAP did and got back when performing the test.


kingthorin+owaspzap

Jun 22, 2016, 5:25:29 PM
to OWASP ZAP User Group
Parameter should be the name of the impacted parameter.

Texas Rookie

Jun 22, 2016, 5:34:06 PM
to zaprox...@googlegroups.com
How about the parameter value used that resulted in the alert? Is there any place I can see that?



On Wed, Jun 22, 2016 at 4:25 PM, kingthorin+owaspzap <kingt...@gmail.com> wrote:
Parameter should be the name of the impacted parameter.

thc...@gmail.com

Jun 22, 2016, 5:38:41 PM
to zaprox...@googlegroups.com
Which version of ZAP are you using? And which version of the "Active scanner rules" add-on? [1]

That should be shown in the Attack field, shouldn't it?


[1] https://github.com/zaproxy/zap-core-help/wiki/HelpUiDialogsManageaddons

Best regards.

On 22/06/16 22:34, Texas Rookie wrote:
> How about the parameter value used that resulted in the alert? Is there any
> place I can see that?
>
>
>
> On Wed, Jun 22, 2016 at 4:25 PM, kingthorin+owaspzap
> <kingt...@gmail.com> wrote:
>
> Parameter should be the name of the impacted parameter.
>

Texas Rookie

Jun 23, 2016, 10:12:12 AM
to zaprox...@googlegroups.com
ZAP 2.5.0

Active Scan version 23


Dan Sullivan

Jul 26, 2016, 11:38:08 AM
to OWASP ZAP User Group
For this issue, should there be some kind of evidence in a log and not just in the ZAP scanning report?