Log4j/Log4Shell

Log4j Vulnerability Response Center. Get Informed Now

DevOps and Security Glossary Terms

File inclusion

File inclusion

Businesses rely on their web applications. They’re the essential building blocks that provide organizations with the tools they need to execute their tasks, automate tedious processes, manage and store data, and so much more. Keeping your web applications and sensitive data safe is imperative to the longevity of any thriving company.

One of the most common types of attacks against webservers stems from file inclusion vulnerabilities. File inclusion vulnerabilities can be primarily found on web applications that utilize a scripting runtime. These vulnerabilities give attackers access to sensitive files on their web server or allow them to utilize include functionality to carry out malicious files on their servers.

With access to unauthorized files, attackers can attain sensitive information or further compromise the victim’s networks. Most file inclusion vulnerabilities are, like a lot of file-related vulnerabilities, due to weak validation processes that give access to user input without legitimate validation.

Below we’ll take a deep dive into file inclusion vulnerabilities and how you can take steps to prevent and mitigate file inclusion attacks.

File inclusion attack types

There are two file inclusion vulnerability types that you should be aware of in preparing for an attack: Local File Inclusion (LFI) and Remote File Inclusion (RFI).

The main difference between the two has to do with where a compromised file is originally located. LFI vulnerabilities are exploited through a file stored on the target server, while RFIs use a file from a third-party source.

  • Local File Inclusion involves
    • When website or web application inputs aren’t properly sanitized, local files on a server become vulnerable to attacks. User inputs that contain paths to files and are incorrectly validated, attackers can gain access to those files and retrieve sensitive files in other directories.

The following INFOSEC example illustrates how a local file inclusion attack can occur:

http://victim_site/abc.php?file=userinput.txt

<p dir="ltr"><?php

include $_REQUEST[‘file’];

?> </p>

Attackers can insert a pernicious input to retrieve sensitive files within the current directory or traverse other directories to further compromise your system.

  • Remote File Inclusion
    • Though similar, RFI vulnerabilities will utilize an external source, as opposed to accessing files within the local server, to execute an attack. Attackers will make use of the “dynamic file include” command to insert harmful external files or scripts. Without proper sanitization of files, attackers can take advantage of web applications to insert external files with harmful scripts.

Here’s an example of how an RFI vulnerability might occur: www.victim_site.com/abc.php?testfile=example

The vulnerable PHP code: $test = $_REQUEST[“testfile”]; Include($test.”.php”); The “testfile” parameter in this example is supplied by the user, and the code takes the “testfile” and inserts it into the PHP file.

In both cases, the vulnerabilities are a direct result of poor input validations, which means one of the only ways to prevent file inclusion vulnerabilities is to maintain your sanitation practices.

File inclusion vulnerability mitigation

Below are a few mitigation and remediation best practices that will help to ensure your inputs are safe from vulnerabilities.

  • User input sanitation has to be implemented to mitigate file inclusion attacks. It’s also important, however, to remember that it’s practically impossible to sanitize all user inputs and that sanitation is just one aspect of a holistic security effort.

  • Two ways to ensure proper sanitation are 1) to accept file names with numbers 0-9 and letter A-Z, and 2) only allow files from one directory so you can avoid directory traversals.

  • Create a whitelist when enabling remote file inclusion and ensure you’re only intaking files from that whitelist.

  • Implement a scanning software to help you identify file inclusions swiftly so you can limit the harm it has on your server

  • Take on a security solution that provides automated notifications and alerts

While file inclusion vulnerabilities are common and should be taken seriously, you can prevent attacks and minimize damage by taking a proactive security and sanitation approach.

How Sumo Logic can help

Sumo Logic’s cloud-native, continuous intelligence platform will help you prevent and mitigate file inclusion threats by reducing downtime with real-time alerting, dashboards, and machine-learning-powered analytics.

Ensure your systems, networks, and servers have the 24/7 protection and monitoring they need with Sumo Logic today.

Complete visibility for DevSecOps

Reduce downtime and move from reactive to proactive monitoring.