Is your feature request related to a problem? Please describe.
Currently, the FileUpload Scan rule handles the multipart requests for finding vulnerabilities in File Upload Functionality, so we need to figure out what other ways there are to upload files and how much they are used. Also, we need to analyze how to handle them and then implement that (this can be under this issue or a new issue; we are flexible with that).
Some ideas can be new JS APIs for file upload, gRPC introduction, etc.
Describe the solution you'd like
There is something like FlexiInjector in Upload Scanner but not sure if that can handle all the ways.
There can be other solutions like Fuzzer or Scripts etc which can be used.
Glimpse of the change
In the box we will have some configurations for handling the file upload ways.
Code references
Options panel UI: https://github.com/SasanLabs/owasp-zap-fileupload-addon/blob/main/src/main/java/org/sasanlabs/fileupload/ui/FileUploadOptionsPanel.java
Variants supported by ZAP:
https://github.com/zaproxy/zaproxy/blob/main/zap/src/main/java/org/parosproxy/paros/core/scanner/Variant.java
Testing code changes
Build the addon by running
Then go to ZAP -> File -> Local addon file -> Navigate to project -> build -> bin -> fileupload*.zap and done.