Error in active scanner “Content-Type: multipart/form-data” -> "java.lang.IndexOutOfBoundsException: Index -1 out of bounds for length 3"


alejandro ar

Sep 16, 2025, 12:54:51 PM (6 days ago) Sep 16
to ZAP Developer Group
Hi,

I have an error in the active scanner. An error is generated when the content is “Content-Type: multipart/form-data” and contains more than one field. I do not know if any specific parameters are required when scanning this type of content.
ZAP Version: 2.16.1
Operating System: Linux
Architecture: amd64
CPU Cores: 16
Max Memory: 7 GB
Java Version: Flathub 17.0.14

“java.lang.IndexOutOfBoundsException: Index -1 out of bounds for length 3”

I am attaching HTML 4 and HTML 3, the latter generating the error. The scripting is in Jython.
I appreciate your help. 

```html 4.html
<!DOCTYPE html>
<html lang="es">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Formulario Completo</title>
    <style>
        /* Optional styling to improve the appearance */
        body { font-family: sans-serif; }
        form div { margin-bottom: 15px; }
        label { display: block; margin-bottom: 5px; }
    </style>
</head>
<body>
    <h2>Completa tus datos y sube un archivo</h2>
    <form action="/new/upload4" method="post" enctype="multipart/form-data">      
      <div>
        <label for="archivo">Elige un archivo:</label>
        <input type="file" id="archivo" name="miArchivo" required>
      </div>
      <br>
      <input type="submit" value="Enviar Datos y Archivo">
    </form>
</body>
</html>
```

```html 3.html
<!DOCTYPE html>
<html lang="es">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Formulario Completo</title>
    <style>
        /* Optional styling to improve the appearance */
        body { font-family: sans-serif; }
        form div { margin-bottom: 15px; }
        label { display: block; margin-bottom: 5px; }
    </style>
</head>
<body>
    <h2>Completa tus datos y sube un archivo</h2>
    <form action="/new/upload3" method="post" enctype="multipart/form-data">   
      <div>
        <label for="nombre">Nombre:</label>
        <input type="text" id="nombre" name="nombreUsuario" required>
      </div>
      <div>
        <label for="edad">Edad:</label>
        <input type="number" id="edad" name="edadUsuario" min="1" required>
      </div>
      <div>
        <label for="archivo">Elige un archivo:</label>
        <input type="file" id="archivo" name="miArchivo" required>
      </div>
      <br>
      <input type="submit" value="Enviar Datos y Archivo">
    </form>
</body>
</html>
```

```jython
"""
Coded by: Khaled Nassar @knassar702
"""
from org.zaproxy.addon.commonlib.scanrules import ScanRuleMetadata
import java.lang.Exception as JavaException

follow_redirects = False


def scanNode(sas, msg):
    # Nothing is done per node; all work happens in scan() per parameter.
    pass


# Payload -> substring expected in the response if the command executed.
# Each payload starts with a newline, as in the original script.
rce_payloads = {
    '\ncat${IFS}/etc/passwd': 'root:x:0:0',
    '\ncat /etc/passwd': 'root:x:0:0',
    '\nuname': 'gid='
}


def scan(sas, msg, param, value):
    for payload, message in rce_payloads.items():
        # Clone the original request for each payload so edits do not accumulate.
        attack_msg = msg.cloneRequest()
        try:
            sas.setParam(attack_msg, param, payload)
            print("pasa parametro {}".format(param))
        except JavaException as e:
            print("setParam fallo aun cuando el parametro existe:{}".format(param), e)
            continue
        print("pasa2")
        sas.sendAndReceive(attack_msg, follow_redirects, False)
        if message in attack_msg.getResponseBody().toString():
            sas.newAlert() \
                .setRisk(3) \
                .setConfidence(3) \
                .setName('Remote Code Execution (Script)') \
                .setDescription('Attack technique used for unauthorized execution of operating system commands. This attack is possible when an application accepts untrusted input to build operating system commands in an insecure manner involving improper data sanitization, or improper calling of external programs.') \
                .setUri(attack_msg.getRequestHeader().getURI().toString()) \
                .setParam(param) \
                .setAttack(payload) \
                .setEvidence(message) \
                .setMessage(attack_msg) \
                .raise()


def getMetadata():
    return ScanRuleMetadata.fromYaml("""
id: 988787
name: test
description: test.
solution: test.
references:
category: INJECTION
risk: 3
confidence: HIGH
cweId: 89
wascId: 19
alertTags:
  sql-injection: true
  injection: true
  error-based: true
otherInfo: test.
status: beta
""")
```
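For reference, the request body that 3.html produces has three parts (two text fields and one file part), and a scanner rewriting one parameter must split the body on the boundary, find the part by its Content-Disposition name, replace only that value and re-encode everything. The following is an added, self-contained CPython 3 illustration of that process (it is not ZAP's own parameter handling nor the poster's script); the boundary and field values are constructed, and a field that cannot be found raises KeyError rather than yielding a negative index.

```python
import re

BOUNDARY = "----ExampleBoundary7MA4YWxk"   # constructed boundary, not from ZAP
_DISP_RE = re.compile(
    r'Content-Disposition:\s*form-data;\s*name="([^"]*)"(?:;\s*filename="([^"]*)")?', re.I)

# Constructed sample matching the fields in 3.html
SAMPLE_PARTS = [
    {"name": "nombreUsuario", "value": "Ana"},
    {"name": "edadUsuario", "value": "30"},
    {"name": "miArchivo", "filename": "nota.txt", "content_type": "text/plain", "value": "hola"},
]


def build_multipart(parts, boundary=BOUNDARY):
    """Encode parts (dicts with name, value, optional filename/content_type) with CRLF line ends."""
    out = []
    for p in parts:
        disp = 'Content-Disposition: form-data; name="%s"' % p["name"]
        if p.get("filename") is not None:
            disp += '; filename="%s"' % p["filename"]
        headers = [disp]
        if p.get("content_type"):
            headers.append("Content-Type: %s" % p["content_type"])
        out.append("--%s\r\n%s\r\n\r\n%s\r\n" % (boundary, "\r\n".join(headers), p["value"]))
    return "".join(out) + "--%s--\r\n" % boundary


def parse_multipart(body, boundary=BOUNDARY):
    """Split a body into parts; a part without a usable Content-Disposition raises ValueError."""
    parts = []
    for seg in body.split("--" + boundary)[1:]:
        if seg.startswith("--"):            # closing delimiter reached
            break
        seg = seg[2:] if seg.startswith("\r\n") else seg
        seg = seg[:-2] if seg.endswith("\r\n") else seg
        header_blob, sep, value = seg.partition("\r\n\r\n")
        m = _DISP_RE.search(header_blob)
        if not sep or m is None:
            raise ValueError("malformed part: %r" % header_blob[:60])
        ctype = re.search(r"Content-Type:\s*(\S+)", header_blob, re.I)
        parts.append({"name": m.group(1), "filename": m.group(2),
                      "content_type": ctype.group(1) if ctype else None, "value": value})
    return parts


def set_field(body, name, new_value, boundary=BOUNDARY):
    """Replace the value of one named field and re-encode; KeyError if the field is missing."""
    if boundary in new_value:
        raise ValueError("value would break the boundary")
    parts = parse_multipart(body, boundary)
    hits = [p for p in parts if p["name"] == name]
    if not hits:
        raise KeyError(name)
    for p in hits:
        p["value"] = new_value
    return build_multipart(parts, boundary)
```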