API File transfers - now supported in the weekly release


Simon Bennetts

Aug 15, 2023, 11:48:39 AM
to ZAP User Group
We have had many requests for the ability to upload and download files to and from ZAP via the API.

The latest weekly now provides this option!

However, this feature is disabled by default as a security measure.
If an attacker is able to access the ZAP API then with this feature enabled they would be able to upload their own script to ZAP and then run it. ZAP scripts run with the same permissions as ZAP and so this is full remote code execution access.

To enable file transfer you will need to have an API key set and to enable it via the Options API screen.
You can also enable file transfers via the command line using -config api.filexfer=true

With file transfer enabled you will be able to upload text files to the Transfer Directory using the 'fileUpload' 'other' endpoint and download them from there using the 'fileDownload' 'other' endpoint.
You can specify subdirectories (e.g. "subdir/myfile") but any attempt to upload or download a file to or from another directory (e.g. using "../../") will be rejected.
The 'fileUpload' endpoint only accepts POST requests and you should use an encoding of either "multipart/form-data" or "application/x-www-form-urlencoded".
The web UI allows you to select and upload local files.

Curl example for uploading a file:

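# Set ZAP_FILE_UPLOAD_URL to the URL of the 'fileUpload' 'other' endpoint on your ZAP instance
curl \
    -F fileContents=@/full/path/to/file/to/be/uploaded \
    -F apikey=your-api-key \
    -F fileName=destination-filename \
    "$ZAP_FILE_UPLOAD_URL"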

To download a file generated by another API endpoint you will need to specify a file name/path starting with "${XFER}".
For example you could export a context to "${XFER}/contexts/my.context" and then download it by specifying "contexts/my.context".

To upload a file to another API endpoint you need to do the reverse - first upload it, e.g. to "plans/myplan.yaml", and then import it via the path "${XFER}/plans/myplan.yaml".

Feedback on this new feature appreciated!


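Added example, not part of the original post and not ZAP's own code: a sketch of the kind of containment check that keeps a requested file name inside a transfer directory, including the "${XFER}" form used with other endpoints. The function names, the symlink case and the sample file names are assumptions constructed for illustration.

```python
import os
import tempfile

XFER_PREFIX = "${XFER}"  # placeholder the post uses for the Transfer Directory


def resolve_in_transfer_dir(transfer_dir: str, name: str) -> str:
    """Return the real path of `name` inside transfer_dir, or raise ValueError."""
    # "${XFER}/plans/myplan.yaml" and "plans/myplan.yaml" name the same file.
    if name.startswith(XFER_PREFIX):
        name = name[len(XFER_PREFIX):].lstrip("/\\")
    if not name or "\x00" in name:
        raise ValueError("empty or malformed file name")
    base = os.path.realpath(transfer_dir)
    # realpath collapses ".." and follows symlinks, so a link pointing out of
    # the directory is caught as well as a literal "../../". An absolute name
    # replaces the base in os.path.join and is rejected by the same test.
    target = os.path.realpath(os.path.join(base, name))
    if target == base or os.path.commonpath([base, target]) != base:
        raise ValueError(f"rejected, outside transfer directory: {name!r}")
    return target


def demo() -> dict:
    """Run the check over constructed sample names; None means rejected."""
    samples = [
        "plans/myplan.yaml",          # plain upload name
        "${XFER}/plans/myplan.yaml",  # same file as seen by another endpoint
        "subdir/myfile",              # subdirectory, allowed
        "../../etc/passwd",           # traversal, rejected
        "/etc/passwd",                # absolute path, rejected
        "escape/secret.txt",          # symlink leaving the directory, rejected
    ]
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        xfer = os.path.join(tmp, "transfer")
        os.makedirs(os.path.join(xfer, "plans"))
        os.symlink(tmp, os.path.join(xfer, "escape"))  # constructed escape link
        base = os.path.realpath(xfer)
        for name in samples:
            try:
                rel = os.path.relpath(resolve_in_transfer_dir(xfer, name), base)
                results[name] = rel.replace(os.sep, "/")
            except ValueError:
                results[name] = None
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name!r:32} -> {outcome or 'REJECTED'}")
```

Comparing resolved paths rather than searching the name for ".." is what lets the same test cover absolute names and symlinks.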