1. Support Center
  2. Injection Attacks

What is File Inclusion

A file inclusion allows the attacker to include arbitrary files into the web application, resulting in the exposure of sensitive files. This article describes how you can efficiently prevent file inclusions.

Security Assessment

Security_Assessment_FileInclusion

CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/CR:H/IR:H/AR:H/MAV:N /MAC:L/MPR:N/MUI:N/MS:U/MC:H/MI:H/MA:H

What is the File Inclusion? 

A local/remote file inclusion allows the attacker to include arbitrary files into the web application, resulting in the exposure of sensitive files. Sometimes, the attacker can execute malicious code on the web server and take over the machine entirely.

Types of file inclusion

Exploiting a file inclusion vulnerability is possible when an application allows user input to act as a command (also known as dynamic file inclusion). When this happens, an attacker may direct the application to build a path toward a file that contains malicious code and execute the file. Alternatively, it may allow attackers to access files on the server and steal sensitive data contained in them. 

Programming languages under which file inclusion vulnerabilities frequently occur are PHP, JavaServer Pages (JSP), and Server Side Includes (SSI).

This vulnerability is part of the more general injection vulnerability in the OWASP Top 10 vulnerability list. An attack that uses this vulnerability can potentially lead to cross-site scripting (XSS)directory traversal, and remote code execution.

A file inclusion exploit arises from using the “include” statement or a similar filesystem functionality, such as the “require” statement. Developers typically utilize this functionality for several reasons.

  • When specifying files to be parsed by the interpreter: to open a particular file containing code, its path must be specified so it will be parsed and interpreted.
  • When printing to a page: to save time and avoid recoding, developers will sometimes reuse certain portions of code, such as headers. In addition, it allows them to specify a file from which contents should be copied and used in the file that contains the include statement.
  • When including files that users will download: to make files available for download, instead of being opened in the web browser, a specific header is included in the request.

In any of the above cases, if user input is not handled correctly, it can open the door for attackers to include malicious code or gain access to sensitive data.

Attackers exploit two significant file types inclusion vulnerabilities: local file inclusion (LFI) and remote file inclusion (RFI). Here’s how they work.

Validating User Input

<?php

if(isset($_GET['page']) and $_GET['page'] == 'home') {
include('home.php');
}
elseif(isset($_GET['page']) and $_GET['page'] == 'news') {
include('news.php');
}
// some other pages

?>

The best way to avoid this vulnerability is to hardcode all files you need to include, as the example above suggests. If you need the inclusion of dynamic files, you could only allow required characters like a-zA-Z and disallow anything else like ./\. Maybe an even better solution is to maintain a whitelist of files that are allowed to be included. Any other file that the user requests can be rejected.

Note: If you try to implement your filters and pass the filtered user input directly to the various included functions, ensure that your filters can not be bypassed by using methods like string encoding.

How to prevent LFI and RFI?

You can approach mitigating LFI and preventing RFI exploits in many ways. Proper input validation and sanitization play a part in this, but it is a misconception that this is enough. Ideally, you would best implement the following measures to prevent file inclusion attacks best.

  • Sanitize user-supplied inputs, including GET/POST and URL parameters, cookie values, and HTTP header values. Apply validation on the server side, not on the client side.
  • Assign IDs to every file path and save them in a secure database to prevent users from viewing or altering the path.
  • Whitelist verified and secured files and file types, checked file paths against this list, and ignored everything else. Don’t rely on blacklist validation, as attackers can evade it.
  • Use a database for files that can be compromised instead of storing them on the server. 
  • Restrict execution permissions for upload directories as well as upload file sizes.
  • Improve server instructions such as sending download headers automatically instead of executing files in a specified directory.
  • Avoid directory traversal by limiting the API to allow file inclusions only from a specific directory.
  • Run tests to determine if your code is vulnerable to file inclusion exploits.