ashenchowthee / zaproxy

Automatically exported from code.google.com/p/zaproxy

Can't detect a certain "Path Traversal" pattern. #1365

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?

1. Active scan "directory_traversal_2.php" in bWAPP with the "Path Traversal" rule.
 (bWAPP => http://www.itsecgames.com/)
2. No alert is raised.
3. But it is possible to get the directory list by setting the parameter 
"directory" to the full path of any directory.

What is the expected output? What do you see instead?

 I expect the "Path Traversal" alert to be raised. At present no alert is raised about it.

What version of the product are you using? On what operating system?

 ZAP 2.3.1
 Active scanner rules 16
 On Windows 7 Pro (64bit)

Please provide any additional information below.

 I already fixed "TestpathTraversal.java" for this issue.
 I'll upload later. Please review it.

Original issue reported on code.google.com by konno.takeyuki on 15 Oct 2014 at 3:01

GoogleCodeExporter commented 9 years ago
Looking forward to your fix :)

Original comment by psii...@gmail.com on 15 Oct 2014 at 7:59

GoogleCodeExporter commented 9 years ago
<Cause of this issue>
 There is no pattern to detect the directory list in "TestPathTraversal.java".

<Description of fix>
 1. Added a RegEx to detect the root directory listing in the response body.
 2. Added a pattern "" (empty string) to get the root directory listing.

I've attached the difference before and after the changes to this post.
Left side is before and right side is after.
Please review it.

Original comment by konno.takeyuki on 15 Oct 2014 at 9:12

GoogleCodeExporter commented 9 years ago
Can you upload a patch file as that will be easier to review?
In Eclipse you can right click a (set of) file(s) and select Team / Create Patch...

Thanks

Original comment by psii...@gmail.com on 15 Oct 2014 at 12:38

GoogleCodeExporter commented 9 years ago
Sorry. I attached a patch file to this post.

Original comment by konno.takeyuki on 16 Oct 2014 at 5:15

GoogleCodeExporter commented 9 years ago
Dear all, unfortunately I think the trouble is not related to this plugin. The "TestpathTraversal.java" is indeed focused on the path traversal vulnerability check and not the directory browsing check.
This means that the plugin's target is to find the possibility of accessing *single* files using inner application behaviors.

The vulnerability you're talking about is a little different (besides, OWASP's point of view is to call it PathTraversal too), and currently ZAP manages it using the "TestDirectoryBrowsing.java" plugin.

According to your description, the trouble lies in the fact that the current DirectoryBrowsing plugin isn't related to parameters, but only to URL paths, so that it raises an alert if the URL itself gives back a directory listing.

What we've to do is to manage also the possibility that a directory listing occurs when a parameter is set to a point in the filesystem (does the vulnerability you checked work in this way?).
Can you try to understand this or give us some samples that we can use to enforce the plugin?

Original comment by yhawke on 17 Oct 2014 at 6:37

GoogleCodeExporter commented 9 years ago
OK, I see the internals of bWapp, and indeed what happens here is that the parameter takes in a directory and allows the directory listing of that directory.
It's a very "particular" issue because the application is a file browser which hasn't any control over the root of the filesystem. In real cases it's very difficult to find something like this exposed to generic users, but we've to manage it.

My opinion is that this is more an "Information Disclosure" vulnerability, or a "Directory Browsing", but I see the OWASP definition and the bWapp implementation and I think that you're right to integrate it inside the "TestPathTraversal" plugin.

So I suggest a different approach. The plugin currently works on 2 rounds. I think that the better solution is to add one more round which should re-use the patterns and a specific regex for file browsing, then create a specific bingo() which should clearly define that this is a "directory path traversal".
What do you think about this?

Regarding the regex I'll review it according to bWapp outputs.

Original comment by yhawke on 17 Oct 2014 at 10:32
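To make the two proposals above concrete (konno's "regex to detect the root directory listing in the response body" plus the empty-string value, and yhawke's extra scan round that re-uses the values and ends in a dedicated directory-listing verdict), here is an added, stand-alone Python illustration. It is not ZAP's Java TestPathTraversal code and not bWAPP's code; the entry lists, the token regexes, the hit thresholds, the `fake_file_browser` stand-in for the vulnerable page and the `directory_listing_round` helper are all assumptions made for this example.

```python
"""Detect a filesystem root directory listing in an HTTP response body.

Added illustration of the scan-rule logic discussed in the thread. The entry
lists, regexes and thresholds are assumptions, not ZAP's own patterns.
"""
import re

# Entries a Unix root listing is expected to contain (assumed set).
UNIX_ROOT_ENTRIES = ("bin", "boot", "dev", "etc", "home", "lib",
                     "proc", "root", "sbin", "tmp", "usr", "var")
# Entries a Windows system-drive root listing is expected to contain (assumed set).
WINDOWS_ROOT_ENTRIES = ("Program Files", "Windows", "Users", "Documents and Settings")

# Match each entry only as a whole token that is not glued to path characters,
# so "etc." in prose or "/usr/share" in an ordinary path does not count as a hit.
_UNIX_TOKEN = re.compile(r"(?<![\w./-])(" + "|".join(UNIX_ROOT_ENTRIES) + r")(?![\w.-])")
_WIN_TOKEN = re.compile(r"(?<![\w\\.:-])("
                        + "|".join(re.escape(e) for e in WINDOWS_ROOT_ENTRIES)
                        + r")(?![\w.-])")
_TAG = re.compile(r"<[^>]+>")


def root_listing_entries(body):
    """Return the set of root-directory entry names found as separate tokens."""
    text = _TAG.sub(" ", body)  # the listing is wrapped in HTML; inspect the text only
    found = {m.group(1) for m in _UNIX_TOKEN.finditer(text)}
    found |= {m.group(1) for m in _WIN_TOKEN.finditer(text)}
    return found


def looks_like_root_listing(body, min_unix=5, min_windows=2):
    """Heuristic verdict: enough distinct root entries of one platform in the body.

    The thresholds are assumptions; a single hit such as the word "Windows" in
    normal page text must not be enough to raise an alert.
    """
    found = root_listing_entries(body)
    unix_hits = len(found & set(UNIX_ROOT_ENTRIES))
    win_hits = len(found & set(WINDOWS_ROOT_ENTRIES))
    return unix_hits >= min_unix or win_hits >= min_windows


def directory_listing_round(send_request, param_name, values=("",)):
    """Extra scan round (assumed design): try each candidate value for the
    parameter and report the first one whose response looks like a root listing.

    send_request(param_name, value) must return the response body as a str.
    Returns a dict with the parameter, value and evidence, or None if no
    candidate produced a listing. The default candidate is the empty string
    from the thread's fix description.
    """
    for value in values:
        body = send_request(param_name, value)
        if looks_like_root_listing(body):
            return {"param": param_name, "value": value,
                    "evidence": sorted(root_listing_entries(body))}
    return None


# Constructed stand-in for a vulnerable file-browser page (not bWAPP's code):
# an empty "directory" parameter falls back to listing the filesystem root,
# any other value lists a harmless application folder.
_FAKE_ROOT_LISTING = "<ul>" + "".join(
    f"<li>{e}</li>" for e in ("bin", "boot", "dev", "etc", "home", "lib", "usr", "var")
) + "</ul>"


def fake_file_browser(param_name, value):
    if param_name == "directory" and value == "":
        return "<html><body>" + _FAKE_ROOT_LISTING + "</body></html>"
    return "<html><body><p>Listing of documents/: report.txt, notes.txt</p></body></html>"


if __name__ == "__main__":
    print(directory_listing_round(fake_file_browser, "directory", values=("documents", "")))
```

The round only fires on the value that actually returns a listing, and the returned evidence (the entry names matched) is what a `bingo()`-style reporter would put in the alert so the reviewer can see why the response was judged a directory listing rather than a single file.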

GoogleCodeExporter commented 9 years ago
ZAP has been migrated to github

This issue will be on github issues with the same ID: 
https://github.com/zaproxy/zaproxy/issues

Original comment by psii...@gmail.com on 5 Jun 2015 at 9:17