I am testing a web application which handles uploading of files via AJAX requests. I have AppScan configured to test posting a test file. When AppScan tries to submit various requests to find vulnerabilities, I see that the requests are posting extra bytes for the test file (the Content-Length header indicates more bytes than expected).
When I review the requests, I see that AppScan reports the difference to be just a change on one of the original parameters, yet the actual file data being posted in the request is different.
If I run the original request (which includes the same original parameters with the correct values), the file is posted correctly.
What is causing AppScan to post the additional bytes as part of the file being uploaded?
I was expecting that AppScan would try different parameters but the actual file data posted would be the same. However, that is not what I am seeing. Is this the expected behavior?