
This is a vulnerability that allows an attacker to access files on the server without authorization, even without knowing their exact path, or to execute malicious files hosted remotely. The first type of attack is called local file inclusion (LFI); the second is called remote file inclusion (RFI).


Remediation

As a developer, it’s important to be aware of web application vulnerabilities, how to find them, and how to prevent them. To prevent file inclusion vulnerabilities, some common suggestions include:

  1. Keep system and services, including web application frameworks, updated with the latest version.
  2. Turn off the display of PHP errors to avoid leaking the application’s path and other potentially revealing information.
  3. A Web Application Firewall (WAF) is a good option to help mitigate web application attacks.
  4. Disable PHP features that enable file inclusion attacks if your web app doesn’t need them, such as allow_url_fopen and allow_url_include.
  5. Carefully analyze the web application and allow only the protocols and PHP wrappers it actually needs.
  6. Never trust user input, and make sure to implement proper input validation against file inclusion.
  7. Implement whitelisting of permitted file names and locations, in addition to blacklisting.
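As an added illustration of suggestions 2, 4, 6 and 7 (example code written for this page, not code from the original article), the vulnerable include pattern is shown beside an allow-list version. The `pages/` directory, the page names and the `include_page_*` function names are assumptions.

```php
<?php
// Deployment settings (php.ini, assumed) that back suggestions 2 and 4.
// allow_url_include/allow_url_fopen are PHP_INI_SYSTEM and cannot be
// changed with ini_set(), so they must be set in php.ini:
//   allow_url_include = Off
//   allow_url_fopen   = Off
//   display_errors    = Off
//   log_errors        = On

// Vulnerable pattern: the request parameter is handed straight to
// include(), so the client picks any readable local file (LFI) and, if
// allow_url_include is on, a remote URL as well (RFI).
function include_page_unsafe(string $page): void
{
    include $page;
}

// Hardened pattern: the request value is only a key into a fixed
// allow-list; the real path is built from server-side constants only.
const PAGE_ALLOWLIST = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function include_page_safe(string $page): bool
{
    if (!isset(PAGE_ALLOWLIST[$page])) {
        http_response_code(404);
        return false;
    }
    $base = realpath(__DIR__ . '/pages');
    $path = ($base === false) ? false : realpath($base . '/' . PAGE_ALLOWLIST[$page]);
    // Defence in depth: the resolved path must still sit inside pages/.
    if ($path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        error_log("page mapping resolved outside base directory: $page");
        http_response_code(404);
        return false;
    }
    include $path;
    return true;
}

// Unknown keys never reach include(); only the three constant paths can.
$page = $_GET['page'] ?? 'home';
include_page_safe(is_string($page) ? $page : 'home');
```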