owasp-zap-fileupload-addon
owasp-zap-fileupload-addon copied to clipboard
File Upload Scan rule only handles Multipart requests
Is your feature request related to a problem? Please describe. Currently, the FIleUpload Scan rule handles the multipart requests for finding vulnerabilities in File Upload Functionality, so we need to figure out what other ways are there to upload files and how much of them are used. Also, we need to analyze on how to handle them and then implement that (Can be under this issue or a new issue, we are flexible with that).
Some ideas can be new JS API's for file upload, GRPC introduction, etc.
Describe the solution you'd like There is something like FlexiInjector in Upload Scanner but not sure if that can handle all the ways. There can be other solutions like Fuzzer or Scripts etc which can be used.
Glimpse of the change
In the box we will have some configurations for handling the file upload ways. Code references Options panel UI: https://github.com/SasanLabs/owasp-zap-fileupload-addon/blob/main/src/main/java/org/sasanlabs/fileupload/ui/FileUploadOptionsPanel.java
Variants supported by ZAP: https://github.com/zaproxy/zaproxy/blob/main/zap/src/main/java/org/parosproxy/paros/core/scanner/Variant.java
Testing code changes build the addon by running
- ./gradlew spotlessApply
- ./gradlew build Then go to the ZAP -> File -> Local addon file -> Navigate to project -> build -> bin -> fileupload*.zap and done.