0

Path Traversal Risk in OWASP ZAP

asked 2018-05-28 17:37:38 +0800

tzewengng gravatar image tzewengng
1

Hello,

Recently we have executed OWASP ZAP testing on our ZK application. It raises Path Traversal risk as part of the result.

The url tested is ends with

/zkau/web/f3ceb7b/js/zk.wpd;jsessionid=105gmato0ysjigpzl2npbpq37?query=c%3A%2F

May i know how we can prevent this from ZK configuration, instead of controlling the access from the server that execute it.

thanks.

delete flag offensive retag edit

1 Answer

Sort by ยป oldest newest most voted
0

answered 2018-05-29 10:52:41 +0800

cor3000 gravatar image cor3000
4158 1 7
ZK Team

sounds like a false positive reported by OWASP ZAP other people report the same zaproxy issue #3735 in combination with JS files.

The issue #3735 seems closed and fixed in version 30, did you try their latest version? Does the problem persist after upgrading?

I tested the given URL myself and all that's returned is the actual JS content of zk.wpd, and no directory structure. (ZK needs this JS content in order to work at all).

What content is returned if you open this URL directly in the browser?

link publish delete flag offensive edit
Your answer
Please start posting your answer anonymously - your answer will be saved within the current session and published after you log in or create a new account. Please try to give a substantial answer, for discussions, please use comments and please do remember to vote (after you log in)!

[hide preview]

Question tools

Follow
3 followers

RSS

Stats

Asked: 2018-05-28 17:37:38 +0800

Seen: 7 times

Last updated: May 29

Support Options
  • Email Support
  • Training
  • Consulting
  • Outsourcing
Learn More