search

SasanLabs / owasp-zap-fileupload-addon

OWASP ZAP add-on for finding vulnerabilities in File Upload functionality.
Apache License 2.0
22 stars 6 forks source link

Add Attack Vector for ASP based applications #4

Open preetkaran20 opened 3 years ago

preetkaran20 commented 3 years ago

Is your feature request related to a problem? Please describe. Currently, the add-on supports the JSP, Html based Scan Rules, PHP so now we need to add the ASP-based scan rule. This Feature/Enhancement is for that.

Definition of Done Definition of Done for this scan rule is

  1. Adding various scan rules for ASP, ASP in images, etc.
  2. Adding a VulnerableApplication which supports the https://github.com/SasanLabs/VulnerableApp-facade so that we can do TDD type of implementation where Vulnerable applications are written first and then Scan rules are written over them.

Code reference Attack vector registration: https://github.com/SasanLabs/owasp-zap-fileupload-addon/blob/main/src/main/java/org/sasanlabs/fileupload/attacks/FileUploadAttackExecutor.java#L47

Other Attack vectors for references: https://github.com/SasanLabs/owasp-zap-fileupload-addon/tree/main/src/main/java/org/sasanlabs/fileupload/attacks/rce/php

Sample Vulnerable Applications for other attack vectors: https://github.com/SasanLabs/VulnerableApp-php

Testing code changes build the addon by running

  1. ./gradlew spotlessApply
  2. ./gradlew build Then go to the ZAP -> File -> Local addon file -> Navigate to project -> build -> bin -> fileupload*.zap and done.