Problem with importing/scanning OpenApi with multipart/form-data


Adrian M

Jan 25, 2021, 1:00:08 PM
to OWASP ZAP User Group
Hi,

ZAP does not seem to be able to properly identify the multipart form-data inside OpenApi/Swagger specifications.

In order to illustrate the issue, I have taken the petstore Swagger (https://petstore.swagger.io/v2/swagger.json), imported it into the Editor (https://editor.swagger.io/) and converted it to an OpenApi definition.
I have actually tried both Swagger (v2) and OpenApi (v3) and there seems to be the same behaviour.

Inside the Petstore definition, there is a POST operation to upload an image using multipart form-data for a file.

Now, the problem lies when importing this openapi into ZAP, as it does not seem to properly identify/attack the parameters from the multipart form-data (note there is no Content-Type and the body is empty):
petstore_multipart_zap.png

If a call is made to this path using a client (i.e. Postman) and having ZAP in proxy mode, then ZAP will correctly show the Content-Type and show the proper body with boundaries and Content-Disposition.
Example:
Header:
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW

Body:
------WebKitFormBoundary7MA4YWxkTrZu0gW--
Content-Disposition: form-data; name="file"; filename="/test.txt

------WebKitFormBoundary7MA4YWxkTrZu0gW--


Note: ZAP has the Multipart Form-data input vector enabled in the Active scan, but there seems to be no difference in properly identifying the multipart form-data parameters and being able to attack them.

Unless I am missing something, the only way of scanning multipart form-data requests is to proxy them through ZAP, and not use the openapi import.


openapi_petstore.json
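As an added illustration (not code from the thread or from the ZAP project), the script below shows what the OpenAPI import would need to do for the upload operation described above: read the `multipart/form-data` request body from a spec, emit a boundary-delimited body with one `Content-Disposition: form-data` part per property (a `filename` for `format: binary` fields), and produce the matching `Content-Type` header, which is the shape of the request Adrian saw when proxying Postman through ZAP. The spec fragment, the boundary string and the placeholder field values are all constructed for the example; a round-trip through the standard-library MIME parser checks that the generated body is well formed.

```python
from email.parser import BytesParser
from email.policy import HTTP

# Constructed minimal OpenAPI v3 fragment modelled on the petstore
# uploadImage operation; it is not the real petstore document.
OPENAPI_DOC = {
    "openapi": "3.0.0",
    "paths": {
        "/pet/{petId}/uploadImage": {
            "post": {
                "requestBody": {
                    "content": {
                        "multipart/form-data": {
                            "schema": {
                                "type": "object",
                                "properties": {
                                    "additionalMetadata": {"type": "string"},
                                    "file": {"type": "string", "format": "binary"},
                                },
                            }
                        }
                    }
                }
            }
        }
    },
}

# Constructed, fixed boundary so the output is reproducible; real clients
# generate a random one per request.
BOUNDARY = "----ZAPFormBoundaryExample"


def multipart_params(doc, path, method):
    """Return the property schemas of an operation's multipart/form-data
    request body, or None when the operation has no such body."""
    op = doc["paths"][path][method]
    media = op.get("requestBody", {}).get("content", {}).get("multipart/form-data")
    if media is None:
        return None
    return media["schema"].get("properties", {})


def placeholder_value(name, schema):
    """Placeholder content for a field: (filename, bytes) for binary
    fields, a plain string for everything else. Both are constructed."""
    if schema.get("format") == "binary":
        return ("%s.txt" % name, b"sample file contents")
    return name


def build_multipart_body(properties, boundary=BOUNDARY):
    """Build the Content-Type header value and the RFC 7578 style body:
    each part is preceded by --boundary, the body ends with --boundary--."""
    b = boundary.encode()
    parts = []
    for name, schema in properties.items():
        value = placeholder_value(name, schema)
        if isinstance(value, tuple):
            filename, data = value
            parts.append(
                b"--" + b + b"\r\n"
                + b'Content-Disposition: form-data; name="%s"; filename="%s"\r\n'
                % (name.encode(), filename.encode())
                + b"Content-Type: application/octet-stream\r\n\r\n"
                + data + b"\r\n"
            )
        else:
            parts.append(
                b"--" + b + b"\r\n"
                + b'Content-Disposition: form-data; name="%s"\r\n\r\n' % name.encode()
                + value.encode() + b"\r\n"
            )
    body = b"".join(parts) + b"--" + b + b"--\r\n"
    return "multipart/form-data; boundary=" + boundary, body


def parse_multipart(content_type, body):
    """Round-trip check with the stdlib MIME parser: returns the form field
    names found in the body, in order. A malformed boundary yields []."""
    raw = b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body
    msg = BytesParser(policy=HTTP).parsebytes(raw)
    return [p.get_param("name", header="content-disposition") for p in msg.iter_parts()]


if __name__ == "__main__":
    props = multipart_params(OPENAPI_DOC, "/pet/{petId}/uploadImage", "post")
    content_type, body = build_multipart_body(props)
    print("Content-Type:", content_type)
    print(body.decode())
    print("fields parsed back:", parse_multipart(content_type, body))
```

Running the script prints a request body in the same form as the proxied Postman capture (opening `--boundary` lines, a `Content-Disposition` per part, closing `--boundary--`), and the parse-back step is the check a scanner author would want before feeding such a body to an active scan: if the field names do not come back, the boundary handling is wrong and nothing downstream will be able to attack the parameters.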

thc...@gmail.com

Jan 25, 2021, 1:09:25 PM
to zaprox...@googlegroups.com
Hi.

I don't think the OpenAPI add-on currently produces multipart content.
I'd suggest raising an issue.

Best regards.

On 25/01/2021 18:00, Adrian M wrote:
> Hi,
>
> ZAP does not seem to be able to properly identify the multipart form-data
> inside OpenApi/Swagger specifications.
>
> In order to illustrate the issue, I have taken the petstore Swagger
> (https://petstore.swagger.io/v2/swagger.json), imported it into the Editor
> (https://editor.swagger.io/) and converted it to an OpenApi definition.
> *I have actually tried both Swagger(v2) and OpenApi(v3) and there seem to
> be the same behaviour.*
>
> Inside the Petstore definition, there is a POST operation to upload an
> image using multipart form-data for a file.
>
> Now, the problem lies when importing this openapi into ZAP, as it does not
> seem to properly identify/attack the parameters from the multipart
> form-data (note there is no Content-Type and the body is empty):
> [image: petstore_multipart_zap.png]
>
> If a call is made to this path using a client (i.e. Postman) and having ZAP
> in proxy mode, then ZAP will correctly show the Content-Type and show the
> proper body with boundaries and Content-Disposition.
> Example:
> *Header*
> Content-Type: multipart/form-data;
> boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW
>
> *Body:*

Adrian Marian

Jan 25, 2021, 4:21:39 PM
to zaprox...@googlegroups.com
I've created a feature request for this in the ZAP repo:



thc...@gmail.com

Jan 26, 2021, 6:33:49 AM
to zaprox...@googlegroups.com
Thank you!

Best regards.