Back in 2011, a group of hackers who called themselves LulzSec discovered a weakness in Fox.com. This resulted in the data leakage of the profiles and names of 73,000 X Factor US contestants.
In 2012, sensitive server information of “The National Weather Service” in weather.gov was exposed to the public.
In 2016, Adult Friend Finder, a dating website, suffered a massive data breach, where more than 300 million accounts were exposed and made available to online criminals.
The reason behind all of these attacks were the weaknesses in the code written for the applications. It paved the way for the file inclusion vulnerability causing a massive data leakage.
File inclusion vulnerabilities are often considered more elementary compared to high-profile cyber-attacks, and are therefore often overlooked and underestimated. But, if conducted successfully, it might allow attackers to carry out information disclosure or even a complete system compromise.
As defined by OWASP, the file inclusion vulnerability allows an attacker to include a file, usually exploiting a “dynamic file inclusion” mechanism implemented in the target application.
File Inclusion vulnerabilities often affect web applications that are poorly written and occur when a web application allows users to submit input into files or upload files to the server.
The vulnerability occurs owing to the use of user-supplied input without proper validation. These vulnerabilities are most commonly found in web applications running PHP scripts, but also frequently occur in JSP, ASP and others.
File inclusion vulnerabilities can be categorized into two, depending on the origin of the included file:
Local File Inclusion (LFI)
Remote File Inclusion (RFI)
Local File inclusion vulnerabilities allow an attacker to read files on the victim machine.
The attacker can read important files, access more sensitive information, or run arbitrary commands by exploiting the vulnerable inclusion procedures implemented in the application.
A hacker can take advantage of this vulnerability to include malicious files which are then executed by the vulnerable web application. This may then lead to a complete compromise of the system.
In Local File Inclusion, attackers exploit vulnerable codes, especially the include functionality to access confidential data or run malicious scripts on the target server.
On successful exploitation, this can expose sensitive data in the system or allow attackers to launch remote code execution or injection attacks.
LFI occurs when an application includes a file as user input without properly validating it. This allows an attacker to include malicious files by manipulating the input.
Here’s an example of a vulnerable PHP code that could lead to LFI:
$file = $_GET[‘file’];
In the absence of proper input sanitization, an attacker could easily modify the input to manipulate the application into accessing unauthorized files and directories from the target server using the
“../” directive and is referred to as directory traversal.
For example, the value to the parameter page in the URL
http://example.com/?page=filename.php can be modified as
In the absence of proper filtering, the server will display the sensitive content of the
/etc/passwd file and the attacker will be finally able to gain host-related information.
The parameters that can be given are not limited to
/etc/passwd. There are a lot more:
/var/log/dmessage , etc., are some of the interesting locations.
OWASP defines Remote File Inclusion as the process of including remote files by exploiting vulnerable inclusion procedures implemented in the application.
RFI attacks enable hackers to steal data and execute malicious code through the manipulation of a web server or site.
Like LFI, this vulnerability also occurs due to improper user input validation, allowing the external URL to be injected. In RFI, the attacker aims to exploit the referencing function in an application in order to upload a malicious script from a remote URL located in a different (attacker’s) domain.
While RFI and LFI vulnerabilities are similar, in an RFI attack, the attacker can execute malicious code from an external source instead of accessing a file on the local web server. This is done by taking advantage of the “dynamic file include” command in web applications to upload malicious external files or scripts.
When web applications allow user input, such as URL, parameter value, etc, and pass them to the “file include” mechanisms without proper sanitization, attackers can manipulate the web application to include remote files with malicious scripts.
$incfile = $_REQUEST["file"];
The first line extracts the file parameter value from the HTTP request while the second line of code sets the file name dynamically.
This code can be exploited, in the absence of proper input sanitization, resulting in unauthorized file uploads and thereby code execution and system compromise.
For example, the attacker could upload a malicious.php file on the server and then attempt to locate it by passing the URL path to the vulnerable website.
The malicious.php file is located and gets executed whenever the “vulnerable_page.php” page is accessed or executed.
The impact of file inclusion vulnerabilities may vary. These may include:
Remote code execution
Denial of Service
System compromise, etc
To eliminate or minimize the risk of file inclusion vulnerabilities, it is recommended to follow the below steps:
Proper input validation and sanitization
Regularly scan applications for potential vulnerabilities.
Blacklist approach: identifying and blocking publicly known attackers and malicious URLs, as well as those that have already tried to infiltrate your site or server.
Whitelist approach: Creating a source of valid and acceptable file types and text
Enable code reviewing for identifying vulnerabilities in the code
On successful exploitation, file inclusion vulnerabilities are more harmful and even capable of making the whole organization’s security at risk. So it would be always better to put forward the best strategies to keep your application and business secure.