---
title: Zipslip exploit suspected
description: Datadog, the leading service for cloud-scale monitoring.
---

# Zipslip exploit suspected
Tactic: [TA0001-initial-access](https://attack.mitre.org/tactics/TA0001)
Technique: [T1190-exploit-public-facing-application](https://attack.mitre.org/techniques/T1190)

### Goal{% #goal %}

Detect Zip Slip exploitation attempts on web services that process archive files. Such security activity generally indicates that an attacker is trying to exploit a path traversal vulnerability through crafted archive entries to overwrite arbitrary files on the server.

Zip Slip is a vulnerability that occurs when an application extracts files from an archive (zip, tar, etc.) without properly validating the file paths within it. A malicious archive can contain entries with relative paths (e.g., `../../etc/passwd`) that escape the intended extraction directory, allowing an attacker to overwrite critical files or inject executable code.

### Strategy{% #strategy %}

Monitor for two exploitation patterns:

1. **Uploaded archive extraction** (`@appsec.rule_id:dog-920-11*`): Detects requests where an uploaded file with an archive extension is opened and file writes target relative paths or code file extensions, indicating a direct Zip Slip attack.
1. **Local archive extraction** (`@appsec.rule_id:dog-920-12*`): Detects requests where a local archive file is read (`@appsec.events.zipslip.local_file_read:*`) and file writes target relative paths or code file extensions, indicating exploitation via a previously staged archive.

Generate an Application Security Signal with `Medium` severity.

### Triage and response{% #triage-and-response %}

1. Consider blocking the attacking IP(s) temporarily to prevent them from reaching deeper parts of your production systems.
1. Investigate which files were written and whether any critical files or executable code were overwritten.
1. Review the archive extraction logic in your application to ensure file paths are validated and canonicalized before writing to disk.
1. Check if the affected service allows user-uploaded archives, and if so, implement strict validation of archive entry paths.
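
The canonicalize-then-check step from the triage list, applied to the extraction pattern the Goal section describes (an uploaded archive is opened and each entry is written to disk), as an added example that is not Datadog's code or any application's own extractor. Every entry is resolved against the extraction directory before anything is written, so one traversal entry such as the page's `../../etc/passwd` leaves the directory untouched; it also goes slightly beyond the page by rejecting absolute and drive-letter entry names and, optionally, code file extensions, mirroring the write targets the detection rule looks for. `CODE_EXTENSIONS`, `resolve_entry_path`, `safe_extract`, `build_archive` and `run_demo` are names chosen for this example, and the archives built by `run_demo` are constructed test data.

```python
import io
import tempfile
import zipfile
from pathlib import Path, PurePosixPath

# Constructed deny-list for this example; a real service would list what its runtime executes.
CODE_EXTENSIONS = {".php", ".jsp", ".py", ".sh", ".war"}


class UnsafeArchiveEntry(ValueError):
    """Raised when an archive entry would escape the extraction directory or is otherwise rejected."""


def resolve_entry_path(dest_dir, entry_name, reject_code_files=True):
    """Canonicalize dest_dir/entry_name and confirm the result stays inside dest_dir.

    Rejects absolute paths, Windows drive-letter paths, any '..' traversal that
    escapes dest_dir and, optionally, code file extensions.
    """
    dest = Path(dest_dir).resolve()
    if (PurePosixPath(entry_name).is_absolute() or entry_name.startswith("\\")
            or (len(entry_name) > 1 and entry_name[1] == ":")):
        raise UnsafeArchiveEntry(f"absolute entry path rejected: {entry_name!r}")
    # resolve() normalizes '..' segments even when the path does not exist yet
    target = (dest / entry_name).resolve()
    if target != dest and dest not in target.parents:
        raise UnsafeArchiveEntry(f"entry escapes extraction directory: {entry_name!r}")
    if reject_code_files and target.suffix.lower() in CODE_EXTENSIONS:
        raise UnsafeArchiveEntry(f"code file extension rejected: {entry_name!r}")
    return target


def is_safe_entry(dest_dir, entry_name):
    """Boolean form of resolve_entry_path for logging or unit tests."""
    try:
        resolve_entry_path(dest_dir, entry_name)
        return True
    except UnsafeArchiveEntry:
        return False


def safe_extract(archive_bytes, dest_dir):
    """Extract an in-memory zip into dest_dir. Every entry is validated before any
    byte is written, so a single bad entry leaves dest_dir untouched.
    Returns the relative paths written. (zipfile stores symlink entries as plain
    files; a tar extractor must additionally reject symlink and hardlink members.)"""
    dest = Path(dest_dir).resolve()
    written = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        plan = [(info, resolve_entry_path(dest, info.filename)) for info in zf.infolist()]
        for info, target in plan:
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target.relative_to(dest).as_posix())
    return written


def build_archive(entries):
    """Build a zip in memory from {entry_name: bytes}; constructed test data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def run_demo():
    """Extract a benign archive, then one carrying the page's ../../etc/passwd entry."""
    benign = build_archive({"report/summary.txt": b"ok", "report/data.csv": b"1,2"})
    traversal = build_archive({"report/summary.txt": b"ok", "../../etc/passwd": b"constructed"})
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        results["benign_written"] = sorted(safe_extract(benign, tmp))
        second = Path(tmp) / "second"
        try:
            safe_extract(traversal, second)
            results["traversal_rejected"] = False
        except UnsafeArchiveEntry:
            results["traversal_rejected"] = True
        # validation ran before any write, so the second directory was never created
        results["second_dir_exists"] = second.exists()
    return results


if __name__ == "__main__":
    print(run_demo())
```

The two-pass structure matters: validating each entry just before writing it still lets earlier entries land on disk before a later bad one is caught, which is exactly the partial write the triage step asks you to investigate. Resolving the full path rather than string-matching `..` also catches encoded or mixed forms that normalize to the same escape.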
