Upload a malicious symlink in a zip file
I was checking this HackerOne report with a $29000 bounty and I found it very interesting. This is different than Zip Slip. In the case of Zip Slip we can inject .. in the file path so we can extract our file in a wrong place. In this report, the attacker crafts a malicious symlink to /etc/passwd; when the backend extracts it, the untar_zxf function only changes the permissions and extracts the symlink as is, so the attacker was able to read the passwd file!
I believe we need to add this technique to the WSTG!
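A pre-extraction check for the symlink case described above, as an added example that is not part of the original post or of the WSTG. The function names, member names and link target are assumptions made up for illustration; the sample archive is constructed in memory.

```python
import io
import stat
import zipfile


def zip_symlink_entries(data: bytes) -> list[tuple[str, str]]:
    """Return (member name, link target) for every symlink entry in a ZIP."""
    links = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # Archives built on Unix store st_mode in the upper 16 bits of
            # external_attr; S_IFLNK there marks the entry as a symlink.
            mode = info.external_attr >> 16
            if stat.S_ISLNK(mode):
                # For a symlink entry the member "content" is the target path.
                target = zf.read(info).decode("utf-8", errors="replace")
                links.append((info.filename, target))
    return links


def reject_if_links(data: bytes) -> None:
    """Gate to call before any extractor touches an uploaded archive."""
    links = zip_symlink_entries(data)
    if links:
        raise ValueError(f"archive contains symlink entries: {links}")


def build_sample_zip(with_link: bool = True) -> bytes:
    """Constructed sample upload; names and target are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "hello")
        if with_link:
            entry = zipfile.ZipInfo("avatar.png")
            entry.create_system = 3  # Unix
            entry.external_attr = (stat.S_IFLNK | 0o777) << 16
            zf.writestr(entry, "/nonexistent/target")
    return buf.getvalue()


if __name__ == "__main__":
    print(zip_symlink_entries(build_sample_zip()))
    reject_if_links(build_sample_zip(with_link=False))
```

Unlike a Zip Slip check, this does not look at `..` in member names at all: the entry name is harmless and only the file-type bits reveal the link.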
Hi Iman! Thanks for flagging this for us.
I had a quick look at it, and still need more time around it to review it :)
Hi @ThunderSon, is there any update?