File Upload failed with "Reached EOF, but there is no closing MIME boundary" error through ZAP proxy
1,593 views
Skip to first unread message
redc...@gmail.com
Nov 21, 2014, 6:36:50 PM11/21/14
to zaprox...@googlegroups.com
I'm currently evaluating ZAP for security testing of our REST services. When I ran our functional tests though ZAP as the proxy server, I encountered the following error for one of our REST service used for file upload (Content-Type: multipart/form-data).
<?xml version="1.0" encoding="UTF-8"?>
<problem xmlns="urn:ietf:rfc:XXXX-draft-ietf-appsawg-http-problem-00">
<type>http://identifiers.emc.com/problem/bad-request</type>
<title>Reached EOF, but there is no closing MIME boundary.</title>
<status>400</status>
</problem>
The upload is war file and the file size is around 530 KB. I tried with different file formats such as txt, pdf of the same size or bigger and received the same error. When I tried to upload a file size of 100 KB, I did not see this error. It looked like there is a size limitation in HTTP request/response with ZAP as the proxy server (intercepting proxy).
When using the direct direction with our REST services, our tests are working as expected. For further testing, I also ran our tests through Charles Debugging Proxy (http://www.charlesproxy.com/) and Fiddler (http://www.telerik.com/fiddler) and I did not see the same error when uploading the war file of 530 KB or bigger.
So the problem is now pointing to ZAP when it's proxying the multipart/form-data request of a bigger payload. Attached are raw HTTP request and response captured in ZAP if it helps in debugging this problem.
Please let me know if you have seen this problem in ZAP before or any suggestions on how to resolve and fix this problem.
Thanks,
Phong
redc...@gmail.com
Nov 21, 2014, 7:20:41 PM11/21/14
to zaprox...@googlegroups.com
By the way, I'm using ZAP Version 2.3.1 on both Linux and Windows.
Regards,
Phong
kingthorin+owaspzap
Nov 25, 2014, 8:25:41 PM11/25/14
to zaprox...@googlegroups.com
I'd suggest trying the latest weekly. I know that some changes have been implemented with regard to multipart/form-data requests since 2.3.1 was rolled.
http://sourceforge.net/projects/zaproxy/files/weekly/
http://sourceforge.net/projects/zaproxy/files/weekly/
Simon Bennetts
Nov 26, 2014, 11:23:24 AM11/26/14
to zaprox...@googlegroups.com
No, the weekly release still fails, somewhere between 124kb and 129kb :(
I'll have a look into it...
I'll have a look into it...
Simon Bennetts
Nov 26, 2014, 1:06:44 PM11/26/14
to zaprox...@googlegroups.com
Found and fixed :)
https://code.google.com/p/zaproxy/source/detail?r=5556
This fix will be in the next weekly release.
Or you can pull the latest code down from either the trunk or the 2.4 branch.
Thanks for reporting this.
Simon
https://code.google.com/p/zaproxy/source/detail?r=5556
This fix will be in the next weekly release.
Or you can pull the latest code down from either the trunk or the 2.4 branch.
Thanks for reporting this.
Simon
redc...@gmail.com
Dec 10, 2014, 5:07:22 PM12/10/14
to zaprox...@googlegroups.com
Thanks for fixing the bug Simon! I will pick up ZAP latest weekly build and continue my evaluation of ZAP for testing our REST services.
Thanks,
Phong
Reply all
Reply to author
Forward
0 new messages