We have had many requests for the ability to upload and download files to and from ZAP via the API.
However this feature is disabled by default as a security measure.
If an attacker is able to access the ZAP API then, with this feature enabled, they would be able to upload their own script to ZAP and then run it. ZAP scripts run with the same permissions as ZAP, so this amounts to full remote code execution.
To enable file transfer you will need to have an API key set and to enable it via the Options API screen.
You can also enable file transfers via the command line using:
-config api.filexfer=true

With file transfer enabled you will be able to upload text files to the Transfer Directory using the 'fileUpload' 'other' endpoint and download them from there using the 'fileDownload' 'other' endpoint.
You can specify subdirectories (e.g. "subdir/myfile") but any attempt to upload or download a file to or from another directory (e.g. using "../../") will be rejected.
The 'fileUpload' endpoint only accepts POST requests and you should use an encoding of either "multipart/form-data" or "application/x-www-form-urlencoded".
The web UI allows you to select and upload local files.
Curl example for uploading a file:

curl \
  -F fileContents=@/full/path/to/file/to/be/uploaded \
  -F apikey=your-api-key \
  -F fileName=destination-filename \
  http://localhost:8080/OTHER/core/other/fileUpload/

To download a file generated by another API endpoint you will need to specify a file name/path starting with "${XFER}".
For example you could export a context to "${XFER}/contexts/my.context" and then download it by specifying "contexts/my.context".
To upload a file to another API endpoint you need to do the reverse - first upload it, e.g. to "plans/myplan.yaml", and then import it via the path "${XFER}/plans/myplan.yaml".
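The path rules above (plain names and "${XFER}/..." names both map into the Transfer Directory, and anything that would leave it, such as "../../", is rejected) are illustrated by the following added example. This is not ZAP's own code; the transfer directory location is an assumed placeholder.

```python
from pathlib import Path

# Assumed transfer directory for this illustration; ZAP's real location is
# set in its options and is not taken from this example.
TRANSFER_DIR = Path("/tmp/zap-transfer").resolve()
XFER_PREFIX = "${XFER}"


def resolve_transfer_path(name: str, base: Path = TRANSFER_DIR) -> Path:
    """Map a fileUpload/fileDownload name to a path inside the transfer
    directory, raising ValueError if it would resolve anywhere else.

    Accepts the plain form ("contexts/my.context") used by the transfer
    endpoints and the "${XFER}/contexts/my.context" form that other
    endpoints use to address the same file.
    """
    if name.startswith(XFER_PREFIX):
        name = name[len(XFER_PREFIX):].lstrip("/\\")
    if not name:
        raise ValueError("empty file name rejected")
    # Join and resolve: absolute names replace the base, and ".." segments
    # are collapsed, so the containment check below catches both.
    candidate = (base / name).resolve()
    if candidate == base:
        raise ValueError(f"{name!r} names the directory itself, not a file")
    try:
        candidate.relative_to(base)
    except ValueError:
        raise ValueError(f"{name!r} would leave the transfer directory") from None
    return candidate


def is_allowed(name: str) -> bool:
    """True if the name stays inside the transfer directory."""
    try:
        resolve_transfer_path(name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for sample in ("subdir/myfile", "${XFER}/contexts/my.context", "../../etc/passwd"):
        print(f"{sample!r}: {'accepted' if is_allowed(sample) else 'rejected'}")
```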