
I was testing a web application with ZAP and it reports a path traversal vulnerability. I understand how it works (at least, I think so), so I reviewed the code and tested the URLs, but I could not find where to fix the vulnerability. I only know from ZAP that the problem is in the URL /service/book and the parameter category. It's interesting that the rest of the app does not have the same problem.

Maybe, if I know how ZAP found it, it will help me to understand where the problem is and fix the app. Do you know how I can check what ZAP did to detect the vulnerability?

JonDoe297

1 Answer


Here's the source code for that test: https://github.com/zaproxy/zap-extensions/blob/master/src/org/zaproxy/zap/extension/ascanrules/TestPathTraversal.java

Does that help?

Simon (ZAP Project Lead)

Simon Bennetts
  • The link expired, do you have an updated link? Thanks. – Cal Oct 16 '20 at 17:20
  • Yeah, more info about all ZAP alerts can now be found using their alert ID. The Path Traversal ID is 6, so it's at https://www.zaproxy.org/docs/alerts/6/ - that links to the source near the end of the page. – Simon Bennetts Oct 20 '20 at 08:26
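The linked scan rule covers how the scanner finds the problem; the other half of the question is what the fix on the application side looks like. The following is an added example, not code from the post or from the ZAP project. It assumes (the post does not say) that the `category` parameter is used to select a file below a fixed directory, here a constructed `/srv/app/books`. It shows the check the handler for `/service/book` would need: treat the parameter as data, join it under the root, canonicalise the result, and verify that it is still inside the root. It also shows why a simple string-prefix comparison is not enough, which is a common reason a review finds "a check" and still gets the alert.

```python
from pathlib import Path

# Constructed example root; the post does not say how /service/book uses
# 'category', so we assume it selects a file below this directory.
BOOK_ROOT = Path("/srv/app/books")


class PathTraversalError(ValueError):
    """Raised when a user-supplied value would escape the book directory."""


def weak_prefix_check(category: str, root: Path = BOOK_ROOT) -> bool:
    """A check that looks right but is not: string prefix on the resolved path.

    It accepts /srv/app/books2/... because that string starts with
    "/srv/app/books", so a sibling directory is reachable.
    """
    candidate = (root / category).resolve()
    return str(candidate).startswith(str(root.resolve()))


def is_within_root(candidate: Path, root: Path) -> bool:
    """True only if candidate is root itself or a descendant of root.

    Comparing path components (not strings) is what rules out siblings
    such as /srv/app/books2.
    """
    root = root.resolve()
    candidate = candidate.resolve()
    return candidate == root or root in candidate.parents


def resolve_category_path(category: str, root: Path = BOOK_ROOT) -> Path:
    """Map the 'category' parameter onto a file path, or raise.

    The value is joined under root, canonicalised (which collapses '..' and
    follows symlinks), and the result must still lie under root. Empty
    values, NUL bytes and absolute paths are rejected before any
    filesystem access.
    """
    if not category or "\x00" in category:
        raise PathTraversalError("empty or NUL-containing category")
    if Path(category).is_absolute():
        raise PathTraversalError("absolute path in category")
    candidate = (root / category).resolve()
    if not is_within_root(candidate, root):
        raise PathTraversalError(f"category escapes {root}: {category!r}")
    return candidate


def check_category(category: str) -> str:
    """Return 'ok:<path>' or 'rejected'; handy for logging and for tests."""
    try:
        return f"ok:{resolve_category_path(category)}"
    except PathTraversalError:
        return "rejected"


if __name__ == "__main__":
    for value in ["fiction", "sub/../fiction", "../books2/secret",
                  "fiction/../../../../etc/passwd", "/etc/passwd"]:
        print(f"{value!r:40} prefix-check={weak_prefix_check(value)!s:5} "
              f"strict={check_category(value)}")
```

Resolving before checking matters because the decoded value the framework hands you may contain `..` segments or symlinked components that a pattern match on the raw string would miss; checking after resolution means the decision is made on the path the operating system will actually open. Rejected requests are a good thing to log with the offending value, since a scanner run against `/service/book` then shows up clearly in the application's own logs.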