Product
Features Why Beagle Security? API Security Testing GraphQL Security Testing DevSecOps Compliance Cosmog: Private Tunnel WordPress Security Testing OWASP Security Testing Free Security Testing
Solutions
Pricing
Free tools
Website Security Assessment SSL Certificate Checker Domain Expiry Checker
Resources
Blog Developer Docs Help Center Guides Whitepapers Vulnerability Index Partners
Product tour
Blog Home
RFI
29 Jun 2022

Remote File Inclusion

29 Jun 2022
OWASP 2013-A1 OWASP 2017-A1 OWASP 2021-A3 OWASP 2019-API8 PCI v3.2-6.5.1 OWASP PC-C4 CAPEC-193 CWE-98 HIPAA-164.306(a) ISO27001-A.14.2.5 WASC-05 WSTG-INPV-11

Remote File inclusion (RFI) is an inclusion attack. Here an attacker can cause the web application to include a remote file by exploiting a web application. This vulnerability affects the web application that uses external files or scripts. The consequences of a successful RFI attack include Information Disclosure and Cross-site Scripting (XSS) to Remote Code Execution.

A server is said to be prone to a remote file inclusion vulnerability because it failed to properly verify user-supplied input. An attacker can include arbitrary remote files containing malicious PHP code and execute it in the context of the web server process. Resulting in the attacker to compromise the application and to gain access to the underlying system.

Impact

The impact include:-

  • Cross Site Scripting
  • Remote Code Execution

Mitigation / Precaution

This vulnerability can be fixed by:-

  • Avoiding passing of user-submitted input to any file-system or framework API.
  • Maintaining a white list of files that need to be included by the page, and then use an identifier to access to the selected file.

PRODUCT TOUR



Latest Articles

Email injection attack: Impact, example & prevention
March 24 2023
What are the common REST API security vulnerabilities?
March 8 2023
The 7 Best Veracode Alternatives in the Market Today
February 6 2023
DAST vs SAST: What are the differences and how to combine them
January 26 2023
Internal Penetration Testing: The Definitive Guide [2023]
January 19 2023

Explore morearrow



Popular in Injection

WordPress Authenticated SQL Injection
June 29 2022
SQL injection(SQLi)
May 4 2022
Union Query SQL Injection (SQLi)
July 4 2018
Stacked Queries SQL Injection (SQLi)
July 4 2018
Inline Queries SQL Injection (SQLi)
July 4 2018

Explore morearrow

Categories

Client Side URL Redirect Cookies Attributes IBM SQL injection injection Time Based Blind SQL Injection SSL Injection CRLF Content Security Policy CSRF HSTS CORS Information Leakage status code SRI metadata X-XSS-Protection owasp XSS Clickjacking Cookies Directory traversal DOM XSS Blind SQL Injection SQL Injection XML Injection blog TLS WordPress web security SMB Cyber attacks AI Web server Wordpress Data Security DOMECTF2020 Container security CMS Security Code Execution Content security policy Htaccess Bypass DOMECTF2021 Press Webinar RFI DevSecOps Web Security Cyber Attacks DOMECTF2022 openssl HTTP headers Compliance AppSec

Latest Articles

Explore More
What are the common REST API security vulnerabilities?
AppSec
What are the common REST API security vulnerabilities?
08 Mar 2023
The 7 Best Veracode Alternatives in the Market Today
AppSec
The 7 Best Veracode Alternatives in the Market Today
06 Feb 2023
DAST vs SAST: What are the differences and how to combine them
web security
DAST vs SAST: What are the differences and how to combine them
26 Jan 2023
Internal Penetration Testing: The Definitive Guide [2023]
Internal Penetration Testing: The Definitive Guide [2023]
19 Jan 2023
The Role of Bug Tracking in Ensuring Your Web Application's Security
web security
The Role of Bug Tracking in Ensuring Your Web Application's Security
11 Jan 2023
What is continuous penetration testing? Benefits & implementation
web security
What is continuous penetration testing? Benefits & implementation
04 Jan 2023
Personal Data Protection bill explained with seven expert opinions
Compliance
Personal Data Protection bill explained with seven expert opinions
28 Dec 2022
Crucial Components for a Web Application Security Assessment
Web Security
Crucial Components for a Web Application Security Assessment
19 Dec 2022
Access Control Request Headers
HTTP headers
Access Control Request Headers
11 Dec 2022
XML Injection
XML Injection
XML Injection
06 Dec 2022
Top Black Friday and Cyber Monday SaaS Deals [2022]
Top Black Friday and Cyber Monday SaaS Deals [2022]
21 Nov 2022
Patch released for the critical OpenSSL vulnerability (CVE-2022-3602 & CVE-2022-3786)
openssl
Patch released for the critical OpenSSL vulnerability (CVE-2022-3602 & CVE-2022-3786)
02 Nov 2022
Beagle Security is now a CERT-In Empaneled Information Security Audit Provider
Press
Beagle Security is now a CERT-In Empaneled Information Security Audit Provider
29 Sep 2022
DomeCTF 2022
DOMECTF2022
DomeCTF 2022
26 Sep 2022
How CISCO got Attacked by Yanluowang Ransomware Gang
Cyber Attacks
How CISCO got Attacked by Yanluowang Ransomware Gang
18 Aug 2022
Zero-Day Vulnerabilities in Web Applications
Web Security
Zero-Day Vulnerabilities in Web Applications
18 Jul 2022
How DevSecOps is a Key Enabler for Digital Transformation
DevSecOps
How DevSecOps is a Key Enabler for Digital Transformation
10 Jul 2022
OWASP top ten 2017
owasp
OWASP top ten 2017
04 Jul 2022
External redirection
External redirection
02 Jul 2022
WordPress Plugin Reflected Cross Site Scripting
XSS
WordPress Plugin Reflected Cross Site Scripting
29 Jun 2022
WordPress Authenticated SQL Injection
SQL Injection
WordPress Authenticated SQL Injection
29 Jun 2022
Session Fixation Attack
Session Fixation Attack
29 Jun 2022
Remote File Inclusion
RFI
Remote File Inclusion
29 Jun 2022
Old Backup and Unreferenced files
Old Backup and Unreferenced files
29 Jun 2022
Beagle Security named a Leader in G2 Summer 2022 Reports
Press
Beagle Security named a Leader in G2 Summer 2022 Reports
28 Jun 2022
WordPress arbitrary file upload and download
WordPress arbitrary file upload and download
26 Jun 2022
Explore More