Zip File Overwrite
Zip File Overwrite: Understanding and Mitigating the Zip Slip Vulnerability
Manage Zip File Overwrite RisksTable of Contents
What is zip file overwrite?
Zip file overwrite (also known as Zip Slip) exploits a vulnerability that is found in several widely used programming languages. It is especially prevalent in Java where there is no central library that provides a high-level process for archive files. Taking advantage of this flaw, attackers can create Zip archives that use path traversal to overwrite critical files on affected systems, either destroying them or replacing them with malicious code for remote command execution. These can be invoked remotely or the attacker can wait for the system or user to call them, thus achieving remote command execution on the victim’s machine.
Since it was publicly disclosed on June 5, 2018 by the Synk Security Team, Zip Slip has been found in many language ecosystems (Ruby, .NET, Go, and JavaScript). As an arbitrary file overwrite vulnerability, Zip Slip can be triggered with a directory traversal attack while extracting files from an archive and affects many archive formats, including tar, jar, war, cpio, apk, rar, and 7z.
Contrast is the clear customers’ choice
Contrast is named a Customers’ Choice in the 2021 Gartner Peer Insights “Voice of the Customer”: Application Security Testing report. With the highest percentage of 5-star ratings, this is the third consecutive year Contrast has received this powerful endorsement from customers.
Built for Developers. Trusted by Security.
Learn Secure Code
CROSS SITE SCRIPTING (XSS)
Learn about Cross site scripting (XSS) and how it affects your Java source code
SQL INJECTION
Learn about SWL injection and how it affects your Java source code
CLIENT SIDE INJECTION
Learn about client-side injection and how it can affect your source code