File Inclusion Vulnerability

A file inclusion vulnerability enables an attacker to execute malicious files on the web server or gain access to sensitive or unauthorized data stored there. In this blog we list the possible attacks and the defenses against them.

Possible Attacks

Remote file inclusion

In RFI, an attacker includes and executes a remotely hosted file using a script in the attack page. RFI attacks allow hackers to steal data and run malicious code by manipulating a web server or site. When web applications accept user input such as parameter values, URLs, and so on, and pass it to "file include" mechanisms without proper sanitization, attackers can manipulate the web application to include remote files containing malicious scripts.

Local file inclusion

LFI vulnerabilities allow an attacker to read files on the target machine. The attacker can access more sensitive information, read important files, and run arbitrary commands by exploiting the vulnerable inclusion techniques in the application. LFI occurs when the input is not properly sanitized and validated or when an input to an application is the path to a file. If the application treats the input as valid, a local file can be used in the include statement.

Defense Against Above Attacks

  • All user input, including request parameters, cookies, HTTP headers, etc., must be sanitized properly.
  • Save your file paths in the database with an ID for each file, so that users only see the ID and cannot view or alter the path.
  • Download headers must be sent automatically so that files are served as downloads instead of being executed in a specified directory.
  • Files that can be compromised should not be stored on the server; use a database instead.
  • Execution permissions should be restricted for upload directories, and upload file sizes should be limited.
  • Run tests frequently to determine if your code is vulnerable to file inclusion exploits.
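The ID lookup and download-header points above, combined in one added example (this is not code from the original post). The names `BASE_DIR`, `FILE_TABLE`, `resolve_file` and `build_download` are hypothetical, and an in-memory dict stands in for the database table.

```python
import os
import re
import tempfile

# Constructed sample data: a hypothetical document root and an ID -> path table
# standing in for the database; row "3" simulates a poisoned database entry.
BASE_DIR = os.path.realpath(tempfile.mkdtemp(prefix="docs_"))
FILE_TABLE = {
    "1": "reports/q1.txt",
    "2": "manuals/setup.txt",
    "3": "../outside.txt",
}
for _rel in ("reports/q1.txt", "manuals/setup.txt"):
    _path = os.path.join(BASE_DIR, _rel)
    os.makedirs(os.path.dirname(_path), exist_ok=True)
    with open(_path, "w") as fh:
        fh.write("sample content for " + _rel)

class FileRequestRejected(Exception):
    """Raised when a request cannot be mapped to an allowed file."""

def resolve_file(file_id):
    """Map a client-supplied ID to a real path inside BASE_DIR."""
    # Only short decimal IDs are accepted; paths and URLs never reach the lookup.
    if not isinstance(file_id, str) or not re.fullmatch(r"[0-9]{1,9}", file_id):
        raise FileRequestRejected("malformed id")
    rel = FILE_TABLE.get(file_id)
    if rel is None:
        raise FileRequestRejected("unknown id")
    # Defence in depth: canonicalise, then confirm the path stays in BASE_DIR.
    full = os.path.realpath(os.path.join(BASE_DIR, rel))
    if os.path.commonpath([BASE_DIR, full]) != BASE_DIR:
        raise FileRequestRejected("path escapes base directory")
    if not os.path.isfile(full):
        raise FileRequestRejected("file missing")
    return full

def build_download(file_id):
    """Return (headers, body) so the file is sent as data, never executed."""
    full = resolve_file(file_id)
    with open(full, "rb") as fh:
        body = fh.read()
    headers = {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": 'attachment; filename="%s"' % os.path.basename(full),
        "X-Content-Type-Options": "nosniff",
    }
    return headers, body
```

Because the client only ever supplies an ID, the include or read path is chosen by the server; the containment check still catches a bad row in the table itself.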


In this blog, we saw the possible file inclusion attacks in an application. Also, we listed out possible defense mechanisms. If you want help in eliminating this vulnerability, you can get in touch with True Sparrow, that’s us.

Ajinkya Chikhale

Software Engineer