Secure Code Warrior - Local file inclusion
Download as PPTX, PDF0 likes298 views
Local file inclusion (LFI) and path traversal are vulnerabilities that allow unauthorized access to server files through manipulated user input. These vulnerabilities can lead to sensitive data exposure, remote code execution, and significant security risks. Prevention measures include using indirect reference maps and white-list validation to restrict input paths.
Secure Code Warrior - Local file inclusion
- 1. Local File Inclusion & Path Traversal OWASP Web App Top 10 by Secure Code Warrior Limited is licensed under CC BY-ND 4.0
- 2. What is it? “Local File Traversal (LFI)” is a vulnerability that allows files hosted on the server to be included and potentially also executed. Using “path traversal”, files located outside of the current folder can be accessed. What causes it? This vulnerability exploits the "dynamic file include" mechanism that exists in programming frameworks. A local file inclusion happens when uncontrolled user input (forms, headers, …) is used as parameter to "file include“ commands. Path traversal is possible because characters like ‘../’ (or encoded versions) are not being checked against. What could happen? Depending on system access restrictions various sensitive files could be read or executed. Password files, database configuration files or the database content itself could be stolen. Remote code could get executed. How to prevent it? Never directly pass user input to “file include” commands: use an indirect reference map instead. Alternatively, apply white-list validation against all user controllable input, e.g. reject ‘../’ and encoded variants.
- 3. Local File Inclusion / Path traversal Understanding the security vulnerability A vulnerable site uses the ‘page’ parameter which it includes to dynamically build the content of the site. An attacker uses the ’page’ parameter to craft a URL to try to access sensitive files in other directories. Eventually he finds the correct path. User account information is returned to the output. Using path traversal and trial and error, he submits manipulated requests to the application server. Application Server http://site.com/?page=home http://site.com/?page=../../../../../../etc/passwd page = request.getParameter(‘page’); echo include(page); … root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin alex:x:500:500:alex:/home/alex:/bin/bash … /etc/passwd http://site.com/?page=../../../../../etc/passwd http://site.com/?page=../../../../etc/passwd
- 4. Local File Inclusion / Path traversal Realizing the impact Next to reading files, advanced attacks can also result in the execution of arbitrary malicious code under specific circumstances. A compromised server could lead to availability loss and cause reputational and financial damages. Customer data could get exposed, leading to privacy issues, reputational and financial damages.
- 5. Local File Inclusion / Path traversal Preventing the mistake Use indirect object reference maps. Apply white-list input validation. Form parameters, cookies, HTTP headers. Pay special attention to ‘../’ and encoded variants. /index?page=about.html /index?page=1 Static ID targetPage 1 about.html 2 home.html Indirect object reference map