How to upload a file with zap


JordanGS

Apr 5, 2016, 2:52:15 PM
to OWASP ZAP User Group
Hi guys, I'm a little stumped.

I have a scan set up as an authenticated user, but there is a section where I need to upload a file. I have the file on my PC.

Web-wise, there is a button that you press and it opens a simple browser file chooser. You pick a PDF file.

When you get to the end of the form the file is uploaded to the server.

Any advice or guidance is appreciated. I couldn't find anything on how to proceed with this. Maybe Zest?

Thank you for the help!

Simon Bennetts

Apr 6, 2016, 3:05:12 AM
to OWASP ZAP User Group
Hiya,

File uploads are typically performed using an HTTP(S) POST using multipart forms.
Try uploading a file while proxying through ZAP - do you see a POST request with the contents of your file?

ZAP will attack multipart form data as part of active scanning.
What are you trying to actually achieve (other than just uploading a file)?

If you just want to upload your own file you can do that via your application.
You will be able to upload a file using ZAP scripting, but that will involve a bit of custom coding.
I can definitely see the benefit of providing more support for file uploading in ZAP, but it would be really useful to know what you're trying to achieve so that we can make sure anything we do meets your requirements :)

Cheers,

Simon

JordanGS

Apr 7, 2016, 1:39:37 PM
to OWASP ZAP User Group
Hi Simon,

Sorry for the delayed reply, I was in a car accident. This is the first chance I had. I'm recovering at home right now and I don't have access to ZAP at the moment, but the logic is as follows:

  1. Go to https://website.ca/app/user_simulator
  2. This redirects to a CAS login page with a redirect.
  3. Logging into CAS will redirect back to https://website.ca/app/user_simulator
  4. The authenticated user is an administrator and the page shows a textfield which asks for a userid and has a button called simulate. The userid in this case is a unique 4-digit number that's associated with a simulated user (fake people).
  5. The form posts back to itself and now additional information about the fake people is shown, such as first name (not editable), last name (not editable), their userid (not editable), a 2-option checkbox which is mandatory to have an option selected, a text area for comments, and buttons to open the file upload.
  6. Check the "I agree" checkbox and press submit. This will submit the form along with the file, comments and true/false values for the checkbox option selected.
It is a very simple admin tool to simulate a user for functional testing, it shows the admin what a user would see and allow them to test.

I am okay with steps 1-3 - Not an issue

Questions
  1. How to tell ZAP to enter a userid and press simulate the first time but not the second time after the form was submitted and loaded a fake user, since it submits back to itself.
  2. There are really only 3 editable elements on this page that I would like tested for security issues.
  3. The file in question: I want to make sure it's not an exe, oversized or empty, and that there isn't a vulnerability that can be abused when uploading a file.
Please see the attached screenshots for a visual representation of the website and workflow.

Thank you for the help.

Cheers, Goran.
user_simulator_00.png
user_simulator_01.png
user_simulator_02.png
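As an added example (not code from this thread or from the ZAP project), this Python script replays the kind of multipart/form-data POST Simon describes through the ZAP proxy so the request lands in ZAP's history for active scanning, and it carries the client-side sanity check Goran asks for in question 3 (non-empty, size-capped, real PDF). The field names, the target URL and the proxy port 127.0.0.1:8080 are assumptions.

```python
"""Replay a multipart file upload through the ZAP proxy.
Constructed example: field names, URL and proxy address are assumptions."""
import os
import ssl
import urllib.request

ZAP_PROXY = "http://127.0.0.1:8080"   # assumed ZAP proxy listener
PDF_MAGIC = b"%PDF-"                   # leading bytes of every PDF file


def build_multipart(fields, file_field, filename, content,
                    boundary="ZapExampleBoundary"):
    """Encode ordinary form fields plus one file part as multipart/form-data
    (RFC 7578). Returns (Content-Type header value, body bytes)."""
    crlf = b"\r\n"
    b = boundary.encode()
    parts = []
    for name, value in fields.items():
        parts.append(b"--" + b + crlf
                     + f'Content-Disposition: form-data; name="{name}"'.encode()
                     + crlf + crlf + str(value).encode() + crlf)
    parts.append(b"--" + b + crlf
                 + (f'Content-Disposition: form-data; name="{file_field}"; '
                    f'filename="{filename}"').encode() + crlf
                 + b"Content-Type: application/pdf" + crlf + crlf
                 + content + crlf)
    parts.append(b"--" + b + b"--" + crlf)          # closing boundary
    return f"multipart/form-data; boundary={boundary}", b"".join(parts)


def looks_like_pdf(content, max_bytes=5 * 1024 * 1024):
    """Sanity check mirroring what the server should enforce: the upload is
    non-empty, within the size cap, and starts with the PDF magic bytes."""
    return 0 < len(content) <= max_bytes and content.startswith(PDF_MAGIC)


def upload_via_zap(url, fields, path):
    """POST the file through ZAP and return the HTTP status. TLS verification
    is disabled only because ZAP presents its own root CA; test hosts only."""
    with open(path, "rb") as fh:
        content = fh.read()
    if not looks_like_pdf(content):
        raise ValueError("refusing to send: empty, oversized or not a PDF")
    ctype, body = build_multipart(fields, "file", os.path.basename(path), content)
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", ctype)
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": ZAP_PROXY, "https": ZAP_PROXY}),
        urllib.request.HTTPSHandler(context=ssl._create_unverified_context()))
    with opener.open(req) as resp:
        return resp.status
```

Once the request appears in ZAP's history, it can be selected and sent to the active scanner like any other request.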

JordanGS

Apr 8, 2016, 3:22:04 PM
to OWASP ZAP User Group

> Try uploading a file while proxying through ZAP - do you see a POST request with the contents of your file?

Yes I do.

1) Manually proxy the website.
2) Active Scan
--------------------------------------------
Is that all I do?

Spider doesn't have to be run since it's a single page with a single post back to itself, right?


Also, I have a lot of error logs to go through, but it is skipping a lot of the scans in the active scan on intense difficulty using the latest ZAP weekly release. I'll upload logs if I can't figure out the issue there. Please let me know if 1 and 2 above are the correct procedure in this case.

JordanGS

Apr 8, 2016, 4:09:32 PM
to OWASP ZAP User Group
Please see the attached screenshot in addition to my previous reply. ZAP is skipping scans such as SQL injection even though it is not disabled in the technology tree and everything is set to intense; I also tried default.

The log does not show any errors at all. Is there a debug mode to enable for more log information?
unnamed.png