Code Evaluation via Local File Inclusion

  • CAPEC 252
  • PCI 3.2-6.5.8
  • WASC 33
  • OWASP 2013-A4

File Inclusion vulnerability allows an attacker to include a file, usually exploiting a "dynamic file inclusion" mechanisms implemented in the target application. The vulnerability occurs due to the use of user-supplied input without proper validation.

This can lead to something as outputting the contents of the file, but depending on the severity, it can also lead to:

  • Code execution on the web server
  • Code execution on the client-side such as JavaScript which can lead to other attacks such as cross site scripting (XSS)
  • Denial of Service (DoS)
  • Sensitive Information Disclosure
Remediation

As the main cause is improper input validation, suggestions mainly revolve around sanitizing the input received.

  1. Accept only characters and numbers for file names (A-Z 0-9). Blacklist all the special characters which are not of any use in a filename.
  2. Limit the API to allow inclusion of files only from one allowed directory so that directory traversal can also be avoided.
References