This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

OWASP Periodic Table of Vulnerabilities - Remote File Inclusion

Revision as of 21:13, 22 July 2013 by James Landis (talk | contribs)

Jump to: navigation, search

Return to Periodic Table Working View

Remote File Inclusion

Root Cause Summary

The application loads data from an attacker-controlled resource at runtime, enabling a variety of malicious activities. Either the source address or the resource itself (or both) may be under the attacker's control.

Browser / Standards Solution

Define a standard for safe inclusion of 3rd-party code and content which enforces namespace separation and mediates namespace/DOM access.

The standard should provide support for the following content types:

  • 3rd-party images
  • Active content such as Flash, Applets, ActiveX or other OBJECT content
  • IFRAMEd content
  • 3rd-party SCRIPT

The standard should allow for the content to be safely rendered in both of the following scenarios:

  1. The content is loaded by the browser after the containing page is fully constructed by the web server.
  2. The content is embedded in the containing page by the web server before it is served to the browser.

Perimeter Solution


Generic Framework Solution

Provide a configurable white list of 3rd-party domains which are allowed to serve inline content, and block file inclusion from all other domains.

Provide a proxy library to sanitize/sandbox third-party code and content for safe inclusion (e.g. Caja).

Custom Framework Solution


Custom Code Solution


Discussion / Controversy

This issue is closely related to Weak Authentication Methods, which allows malicious third parties to trick users into giving away login credentials. The standards solution is also closely related to Cross-Site Scripting.


Top 10 2007-Malicious File Execution
PHP File Inclusion
Remote File Inclusion (WASC)
PHP Remote File Include (CWE)
Content Security Policy
Google Caja