Evaluate your SIEM
Get the guideComplete visibility for DevSecOps
Reduce downtime and move from reactive to proactive monitoring.
One of the most common types of attacks against web servers stems from file inclusion vulnerabilities. File inclusion vulnerabilities can be primarily found on web applications that utilize a scripting runtime. These vulnerabilities give attackers access to sensitive files on their web servers or allow them to utilize include functionality to carry out malicious files on their servers. With access to unauthorized files, attackers can attain sensitive information or further compromise the victim’s networks.
There are two file inclusion vulnerability types that you should be aware of in preparing for an attack: local file inclusion (LFI) and remote file inclusion (RFI).
The main difference between the two has to do with where a compromised file is originally located. LFI vulnerabilities are exploited through a file stored on the target server, while RFIs use a file from a third-party source.
When website or web application inputs aren’t properly sanitized, local files on a server become vulnerable to attacks. User inputs that contain paths to files and are incorrectly validated, attackers can gain access to those files and retrieve sensitive files in other directories.
The following INFOSEC example illustrates how a local file inclusion attack can occur:
http://victim_site/abc.php?file=userinput.txt
<p dir="ltr"><?php
…
include $_REQUEST[‘file’];
…
?> </p>
Attackers can insert a pernicious input to retrieve sensitive files within the current directory or traverse other directories to further compromise your system.
Though similar, RFI vulnerabilities will utilize an external source, as opposed to accessing files within the local server, to execute an attack. Attackers will make use of the “dynamic file include” command to insert harmful external files or scripts. Without proper sanitization of files, attackers can take advantage of web applications to insert external files with harmful scripts.
Here’s an example of how an RFI vulnerability might occur: www.victim_site.com/abc.php?testfile=example
The vulnerable PHP code: $test = $_REQUEST[“testfile”]; Include($test.”.php”); The “testfile” parameter in this example is supplied by the user, and the code takes the “testfile” and inserts it into the PHP file.
In both cases, the vulnerabilities are a direct result of poor input validations, which means one of the only ways to prevent file inclusion vulnerabilities is to maintain your sanitation practices.
Below are a few mitigation and remediation best practices that will help to ensure your inputs are safe from vulnerabilities.
User input sanitation has to be implemented to mitigate file inclusion attacks. It’s also important, however, to remember that it’s practically impossible to sanitize all user inputs and that sanitation is just one aspect of a holistic security effort.
Two ways to ensure proper sanitation are 1) to accept file names with numbers 0-9 and letters A-Z, and 2) only allow files from one directory so you can avoid directory traversals.
Create a whitelist when enabling remote file inclusion and ensure that you’re only intaking files from that whitelist.
Implement a scanning software to help you identify file inclusions swiftly so you can limit the harm it has on your server
Take on a security solution that provides automated notifications and alerts
While file inclusion vulnerabilities are common and should be taken seriously, you can prevent attacks and minimize damage by taking a proactive security and sanitation approach.
Sumo Logic’s cloud-native, continuous intelligence platform will help you prevent and mitigate file inclusion threats by reducing downtime with real-time alerting, dashboards, and machine-learning-powered analytics.
Ensure your systems, networks, and servers have the 24/7 protection and monitoring they need with Sumo Logic today.
Reduce downtime and move from reactive to proactive monitoring.