
Path Traversal Risk in OWASP ZAP

asked 2018-05-28 17:37:38 +0800

tzewengng

Hello,

Recently we have executed OWASP ZAP testing on our ZK application. It raises Path Traversal risk as part of the result.

The URL tested ends with

/zkau/web/f3ceb7b/js/zk.wpd;jsessionid=105gmato0ysjigpzl2npbpq37?query=c%3A%2F

May I know how we can prevent this from ZK configuration, instead of controlling the access from the server that executes it.

Thanks.


1 Answer


answered 2018-05-29 10:52:41 +0800

cor3000

Sounds like a false positive reported by OWASP ZAP; other people report the same zaproxy issue #3735 in combination with JS files.

The issue #3735 seems closed and fixed in version 30, did you try their latest version? Does the problem persist after upgrading?

I tested the given URL myself and all that's returned is the actual JS content of zk.wpd, and no directory structure. (ZK needs this JS content in order to work at all).

What content is returned if you open this URL directly in the browser?
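The answer's triage step (decode what ZAP actually sent in the `query` parameter, then look at what the flagged URL returns) can be scripted. The following is an added example, not code from the ZK project, OWASP ZAP or the people posting above. It assumes the HTTP response for the flagged URL has already been captured; the two response bodies embedded here are constructed stand-ins, not real zk.wpd output or a real leaked file.

```python
"""Triage a ZAP "Path Traversal" alert raised against a ZK resource URL.

Added example (not from ZK, ZAP or the forum posters). Assumption: the
response for the flagged URL has been captured as (headers, body); the
sample responses below are constructed so the script runs offline.
"""
import re
from typing import Dict, Tuple
from urllib.parse import parse_qs, urlparse

# The URL quoted in the question (path truncated in the post, kept as-is).
FLAGGED_URL = "/zkau/web/f3ceb7b/js/zk.wpd;jsessionid=105gmato0ysjigpzl2npbpq37?query=c%3A%2F"

# Strings a leaked local file or directory listing would contain. A scanner
# decides a traversal "worked" when it sees this kind of content; if none of
# it is present and the body is plainly JavaScript, the alert is a false positive.
LEAK_MARKERS = (
    r"\[boot loader\]",          # Windows boot.ini
    r"\[fonts\]",                # Windows win.ini
    r"^root:.*:0:0:",            # /etc/passwd
    r"<DIR>",                    # Windows directory listing
    r"Directory of [A-Za-z]:",   # Windows 'dir' output
    r"Index of /",               # HTTP directory index page
)

# Tokens that a JavaScript bundle such as zk.wpd is expected to contain.
JS_MARKERS = (r"\bfunction\b", r"\bvar\b", r"\bzk\.", r"\breturn\b", r";\s*$")


def decode_probe(url: str) -> Dict[str, str]:
    """Return the decoded query parameters ZAP sent, e.g. {'query': 'c:/'}."""
    parsed = urlparse(url)          # ';jsessionid=...' lands in parsed.params, not the query
    return {k: v[0] for k, v in parse_qs(parsed.query).items()}


def classify_response(headers: Dict[str, str], body: str) -> Tuple[str, str]:
    """Classify the captured response as a likely false positive, a possible
    traversal, or something that needs a human to look at it."""
    content_type = headers.get("Content-Type", "").lower()
    for pattern in LEAK_MARKERS:
        if re.search(pattern, body, re.MULTILINE):
            return "possible_traversal", f"leak marker matched: {pattern}"
    js_hits = sum(1 for p in JS_MARKERS if re.search(p, body, re.MULTILINE))
    if "javascript" in content_type and js_hits >= 2:
        return "likely_false_positive", f"JavaScript content-type, {js_hits} JS markers"
    if js_hits >= 3:
        return "likely_false_positive", f"{js_hits} JS markers despite content-type {content_type!r}"
    return "needs_manual_review", f"content-type {content_type!r}, {js_hits} JS markers, no leak markers"


# Constructed sample 1: what a healthy ZK server returns for zk.wpd (JS bundle).
JS_HEADERS = {"Content-Type": "text/javascript;charset=UTF-8"}
JS_BODY = "function _zkf(){var zk=window.zk||{};zk.version='x';return zk;}\n"

# Constructed sample 2: what a real traversal of a Windows host might leak.
LEAK_HEADERS = {"Content-Type": "text/plain"}
LEAK_BODY = "; for 16-bit app support\n[fonts]\n[extensions]\n"

if __name__ == "__main__":
    print("ZAP probe parameters:", decode_probe(FLAGGED_URL))
    for name, hdrs, body in (("zk.wpd", JS_HEADERS, JS_BODY), ("leaked file", LEAK_HEADERS, LEAK_BODY)):
        verdict, why = classify_response(hdrs, body)
        print(f"{name}: {verdict} ({why})")
```

Run it against the headers and body you get from opening the flagged URL directly in a browser or with a proxy; a `likely_false_positive` verdict backed by a JavaScript content type is the evidence to attach when marking the alert as a false positive in ZAP, while `possible_traversal` means the server, not ZK's resource servlet, is handing back file content and must be investigated.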
