This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Testing for Local File Inclusion"
From OWASP
(Page created) |
(Brief summary (wiki) added) |
||
| Line 3: | Line 3: | ||
== Brief Summary == | == Brief Summary == | ||
| − | + | File Inclusion vulnerability allows an attacker to include a file, usually through a script on the web server. The vulnerability occurs due to the use of user-supplied input without proper validation. This can lead to something as minimal as outputting the contents of the file, but depending on the severity, to list a few it can lead to: | |
| + | |||
| + | *Code execution on the web server | ||
| + | *Code execution on the client-side such as JavaScript which can lead to other attacks such as cross site scripting (XSS) | ||
| + | *Denial of Service (DoS) | ||
| + | *Sensitive Information Disclosure | ||
| + | |||
== Description of the Issue == | == Description of the Issue == | ||
Revision as of 18:21, 14 September 2013
This article is part of the new OWASP Testing Guide v4.
Back to the OWASP Testing Guide v4 ToC: https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents Back to the OWASP Testing Guide Project: https://www.owasp.org/index.php/OWASP_Testing_Project
Brief Summary
File Inclusion vulnerability allows an attacker to include a file, usually through a script on the web server. The vulnerability occurs due to the use of user-supplied input without proper validation. This can lead to something as minimal as outputting the contents of the file, but depending on the severity, to list a few it can lead to:
- Code execution on the web server
- Code execution on the client-side such as JavaScript which can lead to other attacks such as cross site scripting (XSS)
- Denial of Service (DoS)
- Sensitive Information Disclosure
Description of the Issue
Why is it so bad
Black Box testing and example
Black box
Gray Box testing and example
Gray box
References
- Wikipedia - http://www.wikipedia.org
