Local File Inclusion

OWASP 2013-A4 OWASP 2017-A5 PCI v3.2- CAPEC-252 CWE-22 HIPAA-22 ISO27001-A.14.1.2 WASC-33 WSTG-INPV-11

Local File Inclusion (LFI) is an inclusion attack in which an attacker tricks the web application into including files that already reside on the web server. The attacker does this by exploiting functionality that dynamically includes local files or scripts. The consequences of a successful LFI attack include directory traversal and information disclosure, and can extend to remote code execution.

This vulnerability allows an attacker to include a file, usually by exploiting a "dynamic file inclusion" mechanism implemented in the target application. It is caused by the use of user-supplied input in the include path without proper validation.

Example

        <?php
        /**
        * Get the filename from a GET input
        * Example - https://www.example.beaglesecurity.com/?file=filename.php
        */
        $file = $_GET['file'];

        /**
        * Unsafely include the file: $file is used without any validation,
        * which is the root cause of the LFI
        * Example - filename.php
        */
        include('directory/' . $file);

Impact

  • Intrusion attack

Mitigation / Precaution

  • Avoid passing user-submitted input to any file system/framework API
  • Maintain a whitelist of the files that the page is allowed to include, and use an identifier to select the file. Any invalid identifier has to be rejected
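As an added example (not code from the original page), the include from the snippet above rewritten to follow the mitigation list: a whitelist map from opaque identifiers to files, so that an unknown identifier is rejected and raw user input never reaches include(). The map contents, the `page` parameter name and the directory name are assumptions for illustration.

```php
<?php
// Allowed pages, keyed by an opaque identifier the client may supply.
// (Assumed contents, for illustration only.)
const PAGE_MAP = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

// Base directory that every included page must live under (assumed name).
define('PAGE_DIR', __DIR__ . '/directory');

/**
 * Resolve a user-supplied page identifier to a filesystem path.
 * Returns null when the identifier is not in the whitelist, so the
 * caller can answer 404 instead of including anything.
 */
function resolvePage(string $id): ?string
{
    if (!array_key_exists($id, PAGE_MAP)) {
        return null;                        // reject unknown identifiers
    }
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . PAGE_MAP[$id]);
    // Defence in depth: even a whitelisted entry must resolve to a real
    // file inside PAGE_DIR (guards against a mistaken map entry).
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// The identifier, not a filename, comes from the request.
$page = resolvePage($_GET['page'] ?? 'home');
if ($page === null) {
    http_response_code(404);
    exit('Page not found');
}
include $page;
```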
