Monday, January 4, 2016

What is a File Inclusion Attack ?



In File Inclusion Attack, an attacker tricks a web server to execute certain scripts and include a sensitive file from the server or malicious file remotely to the server with the purpose of performing even more attacks.

File Inclusion Vulnerability occurs mainly because of poor coding in the web applications. If a user supplied input is used without proper validation, that leads to this type of vulnerability.





Purpose of File Inclusion Attack


The purpose of this type of attacks may include :

  • Obtaining contents of sensitive files from a web server
  • Execution of malicious code in the web server to perpetrate even more attacks
  • Performing Denial of Service or DoS attacks
  • Stealing sensitive data from the web server


How is File Inclusion Attack perpetrated

There are mainly two types of File Inclusion Attacks :

  • Local File Inclusion Attack
  • Remote File Inclusion Attack


Local File Inclusion Attack

In Local File Inclusion Attack, the attacker tricks the web server to include a local sensitive file and reveal its contents to the attacker.

Let's consider the following piece of code :


<?php
if ( isset( $GET['EYES'] ) ) {
include( $_GET['EYES'] . '.php' );
}
?>


<form method="get">
        <select name="EYES">
                <option value="black">Black</option>
                <option value="blue">Blue</option>
        </select>
         <input type="submit">
</form>


Here, if the attacker executes /eyes.php?EYES=/etc/passwd that will allow the attacker to read the content of file /etc/passwd from the web server. This may lead to theft of sensitive data or even more attacks later. This is a typical example of Local File Inclusion Attack.



Remote File Inclusion Attack

In Remote File Inclusion Attack or RFI Attack, the attacker tricks the web server to include a remote malicious file to the server and then performs more attacks.


If we consider the same piece of code that is shown above, the attacker may execute the following to perform a Remote File Inclusion or RFI Attack.



Countermeasures for File Inclusion Attacks

We can follow some coding practices which may reduce the incidences of File Inclusion Attacks to a large extent.

  • When a passed-in path is included, make sure it does not contain unintended character patterns.
  • Instead of dynamically generating the path from the URL or form parameter, you can use a predefined switch/case statement to determine which file should be included.



So, follow some simple rules and safeguard your web applications from File Inclusion Attacks.

No comments:

Post a Comment