File upload: Modify a POST HTTP request body with binary data

[nnamidc]

Dear All,

This question probably originate from a lack of elementary knowledge about file formats, encodings etc... which I would really like to improve. Although it seem the lack is so big I could not find the correct keywords to search for info. So any resources about this topic would be very much appreciated. 

Secondly, the real question, I'm testing a file (picture) upload. The upload is a POST request with the real file content-type (e.g. image/png) not multipart and the binary (at least I suppose) file content in the request body.

Client side validation is rather strict/rigid so I prefer to intercept and modify the upload request instead of trying to bypass it.

My question is how can I modify the original request body (binary data) by the content of another file? When I replace the request body I always get a 500 response from the server even when I use the original file content but then copy-pasted. It seems like copy-paste removes/add something and visually indeed the formatting in the request tab is different.

I'm sure the client side is not processing the uploaded file before generating the request because when I save the request body to a raw file and compare it with the original uploaded file it's identical. So it must be related to how I obtain the content (e.g. via cat but also tried other ways) and the copy-paste in the request body tab.

As I really want to replace the complete file it's not (or at least seems with my knowledge) to use the HEX view in ZAP.

More than just having a solution I would like too understand what is happening here as I know my knowledge on this area is still limited.

Many thanks for your time and your help.

Best regards,

Sam

[nnamidc]

Dear,

Did some further testing and would like to share my findings:

1) using xclip

Works fine but not inside ZAP and many other applications.

When I copy-paste normal text it works OK but when I copy-paste the file-content of e.g. a png image nothing is pasted inside the request body in ZAP. Tried all selections and different targets but all have the same result.

2) shift+ctrl+v

When pressing shift+ctrl+v In ZAP a list of different copied items is shown but it seems it only contains items who where copied inside ZAP and not from other applications.

3) BURP

In BURP repeater you have and option in the menu "Paste from file" to include the file content which is the exact file content not modified or formatted

So this is a solution for the specific use case explained above. As far as I know this feature "Paste for file"  is not available in ZAP but I could have missed it?

Is there any work around or is it on the roadmap to add?

As my last questions are somewhat off topic I have create a new conversation for this.

Many thanks in advance.

Best regards,

Sam