SasanLabs / owasp-zap-fileupload-addon

OWASP ZAP add-on for finding vulnerabilities in File Upload functionality.
Apache License 2.0
22 stars 6 forks

File Upload Addon #1

Closed preetkaran20 closed 3 years ago

preetkaran20 commented 3 years ago

This is the first version of the OWASP ZAP File Upload add-on, where we tried to handle the following upload variants:

  1. HTML (its variants like htm/xhtml, etc.)
  2. SVG (for XSS)
  3. JSP (its variants like jspx, images containing jspx code)
  4. EICAR file (for verifying that antivirus is run against the uploaded file)

The following things will be released next:

  1. PHP (its variants like php1, php5, etc.)
  2. ASP (and its variants)
  3. Bitmap-based XSS (need to validate once with @thc202 @kingthorin @psiinon)
  4. Apache htaccess file upload
  5. Path traversal

Currently we are firing a lot of requests in this add-on, and the future goal is to give the user a way to choose the "module" (under the options panel); an example of a module is "Php/Jsp/Asp/Html", etc., and only those attacks will be executed.

This add-on is highly inspired by https://portswigger.net/bappstore/b2244cbb6953442cb3c82fa0a0d908fa.
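The variant list above is the whole technique in outline: upload a file whose content proves something once it is served back (a marker in HTML or SVG, a scriptlet whose output only exists if a JSP engine ran it, the EICAR test string if no antivirus touched it), then fetch the file and judge the response. The Python model below is an added example, not code from the add-on (which is Java against the ZAP API): it builds those variants, implements the verdict logic, and runs it against two constructed in-process servers, a naive one that serves uploads with an extension-guessed Content-Type and a hardened one. The marker string, the multiplication used as a JSP execution oracle, the server models and the verdict names are assumptions of this example.

```python
from dataclasses import dataclass

MARKER = "zapfu1337marker"         # hypothetical marker; not the add-on's own string
JSP_A, JSP_B = 3181, 2713          # the server multiplies these only if it runs the scriptlet
JSP_PRODUCT = str(JSP_A * JSP_B)   # "8630053": seeing this proves execution
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


@dataclass(frozen=True)
class Variant:
    name: str          # label used in the findings
    filename: str      # filename sent in the multipart part
    content_type: str  # Content-Type sent in the multipart part
    body: bytes
    kind: str          # "html", "svg", "jsp" or "eicar": selects the success check


def build_variants(base: str = "zapfu") -> list:
    """Constructed upload payloads modelled on the add-on's variant list."""
    html = f"<html><body><script>alert(1)</script>{MARKER}</body></html>".encode()
    svg = f'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><text>{MARKER}</text></svg>'.encode()
    jsp = f"<% out.print({JSP_A} * {JSP_B}); %>".encode()
    jspx = (f'<jsp:root xmlns:jsp="http://java.sun.com/JSP/Page" version="2.0">'
            f"<jsp:scriptlet>out.print({JSP_A} * {JSP_B});</jsp:scriptlet></jsp:root>").encode()
    out = [Variant(f"html-{e}", f"{base}.{e}", "text/html", html, "html") for e in ("html", "htm", "xhtml")]
    out.append(Variant("svg-xss", f"{base}.svg", "image/svg+xml", svg, "svg"))
    out.append(Variant("jsp", f"{base}.jsp", "text/plain", jsp, "jsp"))
    out.append(Variant("jspx", f"{base}.jspx", "text/plain", jspx, "jsp"))
    # GIF signature in front of the scriptlet: passes naive magic-byte checks, still parsed by a JSP engine
    out.append(Variant("gif-jsp-polyglot", f"{base}.jsp", "image/gif", b"GIF89a" + jsp, "jsp"))
    out.append(Variant("eicar", f"{base}.txt", "text/plain", EICAR.encode(), "eicar"))
    return out


def classify(variant: Variant, status: int, headers: dict, body: bytes) -> str:
    """Verdict for the response obtained when the uploaded file is requested back.

    'vulnerable'  : the payload would execute (for EICAR: it was stored without being scanned)
    'stored-inert': the file is served back but in a form that does not execute
    'blocked'     : the upload or the retrieval was refused
    """
    if status != 200:
        return "blocked"
    h = {k.lower(): v.lower() for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip()
    as_attachment = "attachment" in h.get("content-disposition", "")
    if variant.kind == "html":
        active = ctype in ("text/html", "application/xhtml+xml") and not as_attachment
        return "vulnerable" if active and MARKER.encode() in body else "stored-inert"
    if variant.kind == "svg":
        active = ctype == "image/svg+xml" and not as_attachment
        return "vulnerable" if active and MARKER.encode() in body else "stored-inert"
    if variant.kind == "jsp":
        # execution proof: the product is present and the scriptlet source is gone
        executed = JSP_PRODUCT.encode() in body and b"<%" not in body and b"jsp:scriptlet" not in body
        return "vulnerable" if executed else "stored-inert"
    if variant.kind == "eicar":
        return "vulnerable" if EICAR.encode() in body else "stored-inert"
    raise ValueError(variant.kind)


# Constructed server models standing in for the real upload + fetch round trip.
NAIVE_TYPES = {"html": "text/html", "htm": "text/html", "xhtml": "application/xhtml+xml",
               "svg": "image/svg+xml", "txt": "text/plain", "gif": "image/gif"}
SAFE_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "txt"}


def naive_server(variant: Variant):
    """Stores anything and serves it by extension-guessed type; has no JSP engine."""
    ext = variant.filename.rsplit(".", 1)[-1].lower()
    return 200, {"Content-Type": NAIVE_TYPES.get(ext, "application/octet-stream")}, variant.body


def hardened_server(variant: Variant):
    """Extension allow-list, AV stand-in, and every download forced to an inert attachment."""
    ext = variant.filename.rsplit(".", 1)[-1].lower()
    if ext not in SAFE_EXTENSIONS:
        return 415, {}, b""
    if EICAR.encode() in variant.body:      # stands in for scanning the stored file
        return 422, {}, b""
    return 200, {"Content-Type": "application/octet-stream", "Content-Disposition": "attachment",
                 "X-Content-Type-Options": "nosniff"}, variant.body


def scan(server) -> dict:
    """Run every variant through the given server model and collect verdicts by name."""
    return {v.name: classify(v, *server(v)) for v in build_variants()}


if __name__ == "__main__":
    for name, verdict in scan(naive_server).items():
        print(f"{name:18} {verdict}")
```

Against the naive model the HTML, SVG and EICAR uploads come back as vulnerable while the JSP variants are merely stored, because that model has no JSP engine; the same `classify` flags the JSP variant as vulnerable the moment a response carries the product without the scriptlet source, which is the check a real scan relies on. The hardened model blocks every variant, but note it is only a model: an allow-list on extension is defeated where the application server maps other extensions to a script engine, which is why the add-on's planned htaccess and path-traversal cases matter.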

preetkaran20 commented 3 years ago

This is the first version of the FileUpload addon, @kingthorin @thc202 @psiinon. It is very close to completion for version 1, where we are targeting Html, Svg, Jsp, Jspx and gif/jpeg with jsp code file uploads. Please have a look at it.

thanks, Karan

preetkaran20 commented 3 years ago

> This is the first version of the FileUpload addon, @kingthorin @thc202 @psiinon. It is very close to completion for version 1, where we are targeting Html, Svg, Jsp, Jspx and gif/jpeg with jsp code file uploads. Please have a look at it.
>
> thanks, Karan

Please review.

kingthorin commented 3 years ago

Those were all cosmetic changes. The build failed because it couldn’t find the snapshot (that’s how it looks to me anyway), I think maven expires them sometimes.

Edit: or maybe the build was never working? https://github.com/SasanLabs/owasp-zap-fileupload-addon/actions

preetkaran20 commented 3 years ago

> Those were all cosmetic changes. The build failed because it couldn’t find the snapshot (that’s how it looks to me anyway), I think maven expires them sometimes.
>
> Edit: or maybe the build was never working? https://github.com/SasanLabs/owasp-zap-fileupload-addon/actions

It was never working because ZAP 2.11 is not released, and it depends on the 2.11 version because of the variant PR: https://github.com/zaproxy/zaproxy/pull/6371

preetkaran20 commented 3 years ago

> Those were all cosmetic changes. The build failed because it couldn’t find the snapshot (that’s how it looks to me anyway), I think maven expires them sometimes. Edit: or maybe the build was never working? https://github.com/SasanLabs/owasp-zap-fileupload-addon/actions
>
> It was never working because ZAP 2.11 is not released, and it depends on the 2.11 version because of the variant PR: zaproxy/zaproxy#6371

@kingthorin @thc202

Do we have any utility method for converting HttpMessage to String?

kingthorin commented 3 years ago

msg.getResponseBody().toString()

preetkaran20 commented 3 years ago

> msg.getResponseBody().toString()

Thanks @kingthorin. I was actually looking for both the response header and the response body. Yeah, separately toString() exists.

kingthorin commented 3 years ago

Oh sorry, I don't think so.

preetkaran20 commented 3 years ago

> Oh sorry, I don't think so.

Oh ok. Thanks.

preetkaran20 commented 3 years ago

Hi @kingthorin @thc202,

Please review the PR.

thanks, Karan

preetkaran20 commented 3 years ago

This addon depends on ZAP 2.11.0

@kingthorin @thc202 please review.

thanks, Karan

preetkaran20 commented 3 years ago

Hi @kingthorin @thc202,

Please review the PR.

thanks, Karan

preetkaran20 commented 3 years ago

> This is quite a lot to review. I'll be honest: I've only skimmed for things that look bad or off.

Thanks a lot for the review.

thc202 commented 3 years ago

The SNAPSHOT should be available now.

preetkaran20 commented 3 years ago

> The SNAPSHOT should be available now.

Is there a different repository URL for snapshot? Build is failing because it is not able to resolve it.

preetkaran20 commented 3 years ago

Hi @thc202 @kingthorin

please review.

thanks, Karan

preetkaran20 commented 3 years ago

Hi @thc202,

I have incorporated review comments. Please review.

thanks, Karan

thc202 commented 3 years ago

> Is there a different repository URL for snapshot? Build is failing because it is not able to resolve it.

```kotlin
// Gradle Kotlin DSL: add the Sonatype OSS snapshot repository so the zaproxy SNAPSHOT resolves
repositories {
    maven {
        url = uri("https://oss.sonatype.org/content/repositories/snapshots/")
    }
}
```

preetkaran20 commented 3 years ago

Hi @thc202 @kingthorin,

Please review the PR so that we can go ahead and merge the PR.

thanks, Karan

thc202 commented 3 years ago

I don't have any other comments. Thank you!

preetkaran20 commented 3 years ago

> I don't have any other comments. Thank you!

@thc202 Thanks a lot.

preetkaran20 commented 3 years ago

Hi @kingthorin @thc202 ,

Thanks a lot for the review. When are we releasing ZAP 2.11.0? Can we release this addon before that, maybe just for the dev version?

thanks, Karan

thc202 commented 3 years ago

I don't think there's a date for 2.11.0. Yes, it can be released to dev already.

preetkaran20 commented 3 years ago

> I don't think there's a date for 2.11.0. Yes, it can be released to dev already.

ok, I have released the addon at: https://github.com/SasanLabs/owasp-zap-fileupload-addon/releases/tag/1.0.0

thanks, Karan

thc202 commented 3 years ago

Sorry missed those.

Edit: I don't think those are a blocker to release to marketplace though.

thc202 commented 3 years ago

For the record the add-on is now available in the (dev) marketplace.