This project contains the File Upload scan rule, which is used to find vulnerabilities in an application's file upload functionality.
File upload is becoming an essential part of almost every application: users upload a photo, a CV, or a video showcasing a project they are working on. The application must be able to reject bogus and malicious files in a way that keeps both the application and its users safe. File upload functionality has a large attack surface and is hard to test by hand, hence the need to automate both testing it and securing it.
File upload functionality generally involves two endpoints: one to which the file is uploaded and one from which the uploaded file is retrieved. The scan rule needs to know both. During an Active Scan the upload endpoint is already known (it is the request being scanned), but the retrieval endpoint is not, hence the configuration options below, which are specific to the retrieval endpoint.
Under ZAP's Options dialog you will find a File Upload section with the settings described below.
There are three ways to tell the add-on where the uploaded file can be retrieved or viewed:

- Static Location Configuration: the retrieval URL is entered in the URI Regex field. The field also supports a dynamic file name through the ${fileName} parameter, for example http://<baseurl>/${fileName}.
- Parse Http Response Configuration: has two parameters, Start Identifier and End Identifier. These identifiers are used to locate the retrieval URL within the upload response.
- Dynamic Location Configuration: has a URI Regex field plus a Parse Http Response Configuration (Start Identifier and End Identifier). The add-on first requests the URI given in URI Regex and then parses that response using Start Identifier and End Identifier to find the retrieval URL. As in the static case, the URI Regex field supports the dynamic file name through ${fileName}.
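The following is an added example, not code from the File Upload add-on itself, that shows what the three configurations above amount to: substituting ${fileName} into a URI, cutting the retrieval URL out of a response between a start and an end identifier, and chaining the two. The function names, the JSON upload response, the HTML listing page and the fake_fetch stand-in for an HTTP GET are all constructed for this illustration, and the regex semantics of the URI Regex field are not modelled; only the ${fileName} substitution is.

```python
from string import Template
from typing import Callable, Optional
from urllib.parse import urljoin

# Constructed sample data (not captured from a real application): the body an
# upload endpoint might return, embedding the stored file's URL in JSON.
SAMPLE_UPLOAD_RESPONSE = (
    '{"status":"ok","message":"stored",'
    '"url":"http://app.example/uploads/a1b2c3.png","size":1234}'
)

# Constructed sample data: a "my files" page that lists the upload by relative href.
SAMPLE_LISTING_PAGE = (
    "<ul><li>Your file: <a href='/uploads/a1b2c3.png'>a1b2c3.png</a></li></ul>"
)


def static_location(uri_template: str, file_name: str) -> str:
    """Static Location: the retrieval URL is a fixed template in which the
    ${fileName} placeholder, if present, is replaced with the uploaded name.
    safe_substitute leaves any other ${...} tokens untouched instead of raising."""
    return Template(uri_template).safe_substitute(fileName=file_name)


def parse_http_response(body: str, start_identifier: str,
                        end_identifier: str) -> Optional[str]:
    """Parse Http Response: the retrieval URL is whatever lies between the
    first occurrence of start_identifier and the next end_identifier.
    Returns None when either marker is absent, so a caller never follows
    a URL the response did not actually contain."""
    start = body.find(start_identifier)
    if start == -1:
        return None
    start += len(start_identifier)
    end = body.find(end_identifier, start)
    if end == -1:
        return None
    return body[start:end]


def dynamic_location(uri_template: str, file_name: str,
                     fetch: Callable[[str], str],
                     start_identifier: str, end_identifier: str) -> Optional[str]:
    """Dynamic Location: substitute ${fileName} into the URI, fetch that page,
    then parse the response with the start/end identifiers. A relative URL
    found in the page is resolved against the page's own URL."""
    listing_url = static_location(uri_template, file_name)
    located = parse_http_response(fetch(listing_url), start_identifier, end_identifier)
    if located is None:
        return None
    return urljoin(listing_url, located)


def fake_fetch(url: str) -> str:
    """Constructed stand-in for the HTTP GET the add-on would perform,
    so that the example runs offline."""
    return SAMPLE_LISTING_PAGE


if __name__ == "__main__":
    print(static_location("http://app.example/uploads/${fileName}", "a1b2c3.png"))
    print(parse_http_response(SAMPLE_UPLOAD_RESPONSE, '"url":"', '"'))
    print(dynamic_location("http://app.example/files?name=${fileName}", "a1b2c3.png",
                           fake_fetch, "href='", "'"))
```

The point of the None returns is the practical caveat when choosing identifiers: if Start Identifier or End Identifier does not match the response the application actually sends, there is no retrieval URL to check, and the scan rule cannot confirm whether the uploaded payload is served back.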
For detailed information on the FileUpload add-on's configuration, see the following video: OWASP ZAP FileUpload addon
This add-on sends a large number of requests to the target application and can therefore degrade its performance. Run it against non-production environments only.
Contributing guidelines are the same as ZAP's.
For enhancing, developing or debugging the add-on, see the video tutorial.
For queries, bugs or enhancement requests, please raise an issue in this repository or ask in the OWASP ZAP Developer Group. For any other kind of issue, please send an email to karan.sasan@owasp.org
This add-on is heavily inspired by Upload-Scanner and reuses many concepts from the Upload-Scanner extension.