APPLICATION SECURITY

Knowledge Base

Search Our Knowledge Base

AppSec Knowledgebase Categories >

Understanding File Inclusion Vulnerabilities

The file inclusion vulnerability may be present whenever a web application allows users to provide input used as code by the target application. Therefore, this vulnerability is most commonly found in web applications that use scripting run time.
 
Keep reading to learn more about the file inclusion vulnerability, its different types, and how to prevent it.

What is a File Inclusion Vulnerability

PHP file inclusion is a web application security issue that permits unauthorized users to access files, perform downloads, search for information, etc. As described by OWASP, it allows an attacker to include a file by attacking the target application’s “dynamic file inclusion” techniques. The flaw arises from the usage of user-supplied data that hasn’t been appropriately validated.

File inclusion flaws are a golden opportunity for hackers. While various protective procedures are in place to address such flaws, a single positive operation may compromise your mission-critical data and put your organization at risk.
 

What is a Local File Inclusion Vulnerability

Local File Inclusion (LFI) is a web browser option that enables an attacker to include files on a server. When a web application contains a file before correctly filtering the input, this vulnerability occurs, allowing an attacker to modify the input, insert jump characters from the route, and provide other files from the webserver. It typically affects PHP applications.

Find and Fix Local File Inclusion Vulnerabilities in a Few Clicks with Veracode DAST Essentials.

Start Your 14-day Free Trial

What is the Risk of Local File Inclusion Vulnerabilities

LFI is harmful, particularly when combined with additional issues, such as the ability of an attacker to submit malicious files to the server. Even if the attacker cannot upload files, they can take control of the entire server or access sensitive information by combining the LFI weakness with a directory traversal flaw. The consequences could include information disclosure or remote code execution as well.

How to Prevent Local File Inclusion Vulnerabilities

Proper input validation and sanitization play a part in this, but it is a misconception that this is enough. Ideally, you would best implement the following measures to prevent file inclusion attacks best.

  • Sanitize user-supplied inputs, including GET/POST and URL parameters, cookie values, and HTTP header values. Apply validation on the server side, not on the client side.
  • Assign IDs to every file path and save them in a secure database to prevent users from viewing or altering the path.
  • Whitelist verified and secured files and file types, checked file paths against this list, and ignored everything else. Don’t rely on blacklist validation, as attackers can evade it.
  • Use a database for files that can be compromised instead of storing them on the server.
  • Restrict execution permissions for upload directories as well as upload file sizes.
  • Improve server instructions such as sending download headers automatically instead of executing files in a specified directory.
  • Avoid directory traversal by limiting the API to allow file inclusions only from a specific directory.
  • Run dynamic application security tests to determine if your code is vulnerable to file inclusion exploits.
     

How Does a Local File Inclusion Vulnerability Scanner Work 

The local file inclusion scanner, included in Veracode DAST Essentials, uses unique payloads to include local or remote files into the web application. If a website has a file inclusion vulnerability, an attacker can read sensitive files like PHP scripts or can even execute arbitrary commands on the webserver.

Although local file inclusion vulnerabilities usually are easy to address, discovering them in huge codebases may be difficult without the correct tools. Veracode DAST Essentials, a black-box penetration testing tool, will let you discover every vulnerability your web application could have. The scanner works with no information about your system, precisely as a hacker would. Still, in this case, you have the opportunity to save money and time on running security manual tests. 

You can see if you’re vulnerable to local file inclusion vulnerabilities with only a few clicks. Veracode DAST Essentials quickly scans your web applications and provide a report detailing any bugs discovered. 

With Veracode, you can also reduce costs for fixing vulnerabilities. Instead of writing a security patch for code written six months ago, you can get notified about a vulnerability before the deployment: no more hot-fixing production environments. Start scanning for location file inclusion vulnerabilities today with a free, 14-day trial of Veracode DAST Essentials (no credit card required). 
 

DevSecOps Playbook: Practical Steps to Producing Secure Software

Get the eBook