Zip Slip in APIs

Zip Slip is a directory traversal vulnerability that occurs when an application extracts files from archives (ZIP, TAR, etc.) without properly validating the file paths. This allows attackers to write files outside the intended extraction directory by using path traversal sequences like ../ or absolute paths.

The vulnerability gets its name from the classic zip slip attack pattern where a malicious ZIP archive contains files with paths like ../../etc/passwd. When the server extracts the archive, these traversal sequences cause files to be written outside the target directory, potentially overwriting critical system files or placing executable code in sensitive locations.

The core issue is improper path validation during archive extraction. Many archive libraries automatically create parent directories when extracting files, which means a path like ../../malicious.sh will traverse up two directory levels before writing the file. This behavior, combined with insufficient input validation, creates a perfect storm for exploitation.

APIs that accept file uploads and process archives are particularly vulnerable to Zip Slip attacks. Common scenarios include:

• File upload endpoints that extract ZIP archives for user convenience
• Document processing APIs that handle compressed content
• Backup restoration endpoints that extract archive files
• Code execution APIs that process archive submissions

An attacker can exploit Zip Slip through several attack vectors:

Code Execution: By placing a malicious script (like ../../app/startup.sh) in the archive, an attacker can overwrite critical startup scripts or configuration files. If the application automatically executes extracted files or if the overwritten script runs on system startup, this leads to remote code execution.

Configuration Overwrite: Attackers can replace configuration files (like ../../config/database.yml) to manipulate application behavior, redirect database connections, or disable security controls.

Denial of Service: Overwriting critical system files can crash the application or make it inoperable, causing service disruption.

Data Exfiltration: By writing files to web-accessible directories, attackers can plant web shells or other tools for ongoing access.

Detecting Zip Slip requires both static analysis of code and dynamic testing of API endpoints. Here's what to look for:

Code Analysis: Search for archive extraction functions combined with path operations. Vulnerable patterns include:

const AdmZip = require('adm-zip');
const zip = new AdmZip(zipFile);
zip.extractAllTo(/* no validation */);

Dynamic Testing: Test your file upload endpoints by uploading specially crafted archives containing files with traversal sequences. Look for successful extraction of files outside the intended directory.

middleBrick Detection: middleBrick's black-box scanning approach tests for Zip Slip vulnerabilities by submitting malicious archives to file upload endpoints. The scanner creates ZIP files with carefully crafted path traversal sequences and monitors whether files are written outside the intended extraction directory. This active testing approach catches vulnerabilities that static analysis might miss, especially in complex API workflows.

The scanner also checks for related issues like improper file type validation and insufficient access controls on extracted files, providing a comprehensive assessment of archive handling security.

Preventing Zip Slip requires a defense-in-depth approach with multiple validation layers:

Path Validation: Always validate and sanitize file paths before extraction. Use canonical path resolution to ensure files stay within the intended directory:

const path = require('path');
const safeExtract = (zipFile, targetDir) => {
  const zip = new AdmZip(zipFile);
  const entries = zip.getEntries();
  
  for (const entry of entries) {
    const entryName = entry.entryName;
    const targetPath = path.join(targetDir, entryName);
    
    // Ensure the resolved path starts with the target directory
    if (!resolvedPath.startsWith(path.resolve(targetDir))) {
      throw new Error('Path traversal attempt detected');
    }
    
    // Extract the file
    entry.extractTo(resolvePath);
  }
};

Allowlist File Types: Only allow specific file types and extensions. Reject archives containing executable files or scripts unless explicitly needed.

Extract to Temporary Directories: Extract archives to temporary, isolated directories with strict permissions. Scan extracted content before moving it to permanent locations.

Content Validation: Implement virus scanning and content inspection on extracted files. Verify file integrity and expected content types.

Access Controls: Ensure extracted files have appropriate permissions and are not executable unless necessary. Store user-uploaded content in directories with minimal privileges.

Zip Slip vulnerabilities have been documented in numerous high-profile applications and libraries. The vulnerability was first widely publicized in 2018 when security researchers discovered it affected hundreds of archive processing libraries across multiple programming languages.

CVE-2018-1000533: The Node.js adm-zip library was found vulnerable to Zip Slip, affecting thousands of applications that used this popular ZIP processing library. The vulnerability allowed attackers to write files anywhere on the filesystem when processing malicious ZIP archives.

Apache Commons Compress: Multiple versions of this widely-used Java library were affected, impacting enterprise applications and services that relied on Java for archive processing.

Real-world exploitation: Attackers have used Zip Slip in combination with other vulnerabilities to achieve remote code execution. For example, a Zip Slip vulnerability in a file upload feature could be combined with a deserialization flaw to create a powerful attack chain.

The financial and reputational impact of Zip Slip can be severe. A successful exploitation can lead to complete system compromise, data theft, service disruption, and regulatory violations. Organizations have faced significant costs in incident response, customer notification, and security remediation following Zip Slip-related breaches.

middleBrick's scanning helps organizations identify these vulnerabilities before attackers can exploit them, providing actionable findings that map to OWASP API Top 10 risks and compliance requirements like PCI-DSS and SOC2.