Code Evaluation via Local File Inclusion
- CAPEC 252
- PCI 3.2-6.5.8
- WASC 33
- OWASP 2013-A4
A File Inclusion vulnerability allows an attacker to include a file, usually by exploiting a "dynamic file inclusion" mechanism implemented in the target application. The vulnerability occurs because user-supplied input is used to build the file path without proper validation.
This can lead to something as simple as outputting the contents of the file, but depending on the severity, it can also lead to:
- Code execution on the web server
- Code execution on the client-side such as JavaScript which can lead to other attacks such as cross site scripting (XSS)
- Denial of Service (DoS)
- Sensitive Information Disclosure
Remediation
As the main cause is improper input validation, suggestions mainly revolve around sanitizing the input received.
- Accept only characters and numbers for file names (A-Z 0-9). Blacklist all the special characters which are not of any use in a filename.
- Limit the API to allow inclusion of files only from one allowed directory so that directory traversal can also be avoided.
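The following is an added example, not code from the original page, showing both remediation steps combined in one resolver: an alphanumeric allowlist on the user-supplied name, the extension appended server-side, and a containment check against a single allowed directory. The directory `/var/www/app/templates`, the `.php` extension and the 64-character limit are assumptions for the example.

```python
import os
import re
from typing import Optional

# Assumed for this example: the only directory from which files may be included.
ALLOWED_DIR = "/var/www/app/templates"
# Allowlist from the remediation advice: letters and digits only, bounded length.
SAFE_NAME = re.compile(r"^[A-Za-z0-9]{1,64}$")


def resolve_include(user_supplied: str, base_dir: str = ALLOWED_DIR) -> Optional[str]:
    """Return the absolute path to include, or None if the request is rejected."""
    # Step 1: character allowlist. This rejects '.', '/', '\\', NUL bytes,
    # URL schemes and anything else that is not part of a plain file name.
    if not SAFE_NAME.fullmatch(user_supplied):
        return None
    # The extension is fixed by the application, not chosen by the client.
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_supplied + ".php"))
    # Step 2: confine to one directory. The allowlist already blocks traversal
    # sequences; the containment check is an independent second guard.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate name and several that must be rejected.
    for name in ["home", "../etc/passwd", "home.php", "home%00", "http://host/x"]:
        print(f"{name!r:20} -> {resolve_include(name)}")
```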