Access Control: Path Traversal via File Upload¶
Identifier:
file_upload_path_traversal
Scanner(s) Support¶
| GraphQL Scanner | REST Scanner | WebApp Scanner | ASM Scanner |
|---|---|---|---|
Description¶
Path traversal via file upload (CWE-22) occurs when an application takes the attacker-controlled filename from an upload and uses it to decide where the file is written, without canonicalising the resulting path and confirming it still lies inside the intended upload directory. Variants include classic ../ sequences, null-byte truncation (the extension check sees one name, the filesystem another), Windows backslash separators, UNC paths, and Unicode right-to-left override (RTLO) confusion of the displayed name.
How we test: For each detected upload endpoint we replay the recorded request with traversal payloads in the filename slot. Every payload carries a per-scan canary suffix (escape_canary_<uuid>) so the resolved path can never collide with a real customer file. We test relative traversal (../escape_canary_<uuid>.txt), null-byte extension truncation (a NUL-delimited filename whose first segment ends in escape_canary_<uuid>.txt), Windows backslash variants (.. followed by a backslash and escape_canary_<uuid>.txt), UNC paths (confirmed out-of-band only, since the write lands on a remote host rather than in the upload directory), and RTLO Unicode filenames. Confirmation is read-back only: we GET the canary path and assert that the server returns our exact canary content. We never write to system paths such as /etc/, ~/.ssh/ or cron directories, and never use a real-looking filename.
Every probe emits a context.info event with the raw multipart request and the retrieval response as attachments.
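The following is an added illustration, not the scanner's own code. It builds the five payload families described above around a constructed canary, models where a naive `os.path.join(upload_dir, filename)` lands on POSIX and on Windows (using `posixpath` and `ntpath`, with the assumption that the C runtime truncates a name at the first NUL byte), and puts a hardened filename handler beside the naive one. The upload directories, the `file` form-field name and the `oob.example` UNC host are assumptions chosen for the example.

```python
"""Traversal-via-upload payloads, naive vs hardened path handling (added example)."""
import ntpath
import posixpath
import unicodedata
import uuid

# Constructed per-run canary; the scanner's real suffix format is only known as escape_canary_<uuid>.
CANARY = f"escape_canary_{uuid.uuid4()}.txt"
# Assumed upload directories for the two OS models.
UPLOAD_DIR = {"posix": "/srv/app/uploads", "windows": r"C:\srv\app\uploads"}


def traversal_payloads(canary=CANARY):
    """Filename variants in the order the description above lists them."""
    stem, ext = canary.rsplit(".", 1)
    return {
        "relative":  f"../{canary}",
        "null_byte": f"../{canary}\x00.png",                # allowlist sees .png, libc stops at NUL
        "backslash": f"..\\{canary}",                       # backslash is a separator only on Windows
        "unc":       f"\\\\oob.example\\share\\{canary}",   # hypothetical out-of-band host
        "rtlo":      f"{stem}\u202egnp.{ext}",              # listing shows "...txt.png", real name ends .txt
    }


def multipart_body(filename, content, boundary="----escapeprobe"):
    """Raw multipart/form-data body for one probe (the kind of request attached to the event).
    Field name "file" is an assumption."""
    head = (f'--{boundary}\r\nContent-Disposition: form-data; name="file"; '
            f'filename="{filename}"\r\nContent-Type: text/plain\r\n\r\n').encode("utf-8")
    return head + content + f"\r\n--{boundary}--\r\n".encode()


def naive_target(filename, flavor):
    """Where os.path.join(upload_dir, filename) resolves on the given OS model, uncanonicalised.
    Model assumption: everything after the first NUL byte is dropped by the C runtime."""
    mod = ntpath if flavor == "windows" else posixpath
    effective = filename.split("\x00", 1)[0]
    return mod.normpath(mod.join(UPLOAD_DIR[flavor], effective))


def escapes(filename, flavor):
    """True if the naive write lands outside the upload directory on that OS model."""
    mod = ntpath if flavor == "windows" else posixpath
    base = mod.normpath(UPLOAD_DIR[flavor])
    try:
        return mod.commonpath([base, naive_target(filename, flavor)]) != base
    except ValueError:          # different drive or UNC root: certainly outside
        return True


def safe_upload_path(filename, flavor="posix"):
    """Hardened counterpart: keep only the final component, refuse control and bidi
    characters (NUL, U+202E and friends are category Cc/Cf), refuse reserved
    characters and dot names, then re-check containment after normalisation.
    Returns the resolved path, or None if the name is rejected."""
    if not filename or any(unicodedata.category(c) in ("Cc", "Cf") for c in filename):
        return None
    leaf = filename.replace("\\", "/").rsplit("/", 1)[-1]   # treat both separators as separators
    if leaf in ("", ".", "..") or leaf != leaf.strip() or any(c in '<>:"|?*' for c in leaf):
        return None
    mod = ntpath if flavor == "windows" else posixpath
    base = mod.normpath(UPLOAD_DIR[flavor])
    target = mod.normpath(mod.join(base, leaf))
    try:
        if mod.commonpath([base, target]) != base:
            return None
    except ValueError:
        return None
    return target


def probe_report(canary=CANARY):
    """Per payload: does the naive handler escape on each OS, and what does the hardened one do."""
    return {
        name: {
            "posix_escape": escapes(fn, "posix"),
            "windows_escape": escapes(fn, "windows"),
            "hardened_path": safe_upload_path(fn),
        }
        for name, fn in traversal_payloads(canary).items()
    }


if __name__ == "__main__":
    for name, row in probe_report().items():
        print(f"{name:10} posix={row['posix_escape']!s:5} windows={row['windows_escape']!s:5} "
              f"hardened={row['hardened_path']}")
```

The report makes the OS dependence explicit: the backslash and UNC variants only escape under the Windows model, which is why the scanner needs distinct payload families rather than a single `../` probe. The hardened handler takes the basename rather than rejecting outright, so a legitimate client that sends a full local path still works; rejecting any name containing a separator is the stricter alternative if the application never expects one.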
References:
- https://owasp.org/Top10/A01_2021-Broken_Access_Control/
- https://cwe.mitre.org/data/definitions/22.html
Configuration¶
Example¶
Example configuration:
Reference¶
skip¶
Type : boolean
Skip the test if true.