FILE INCLUSION

File inclusion is a security flaw that occurs in web applications when an attacker can manipulate the way files are included or loaded within the application. This vulnerability arises when user input is used to determine the path or file that the application includes, without proper validation or sanitization.

MITIGATION

  • Sanitize User Input: Always sanitize and validate user input before using it in file inclusion operations.

  • Use Whitelists: Instead of allowing arbitrary file paths, use predefined whitelists of acceptable files or paths.

  • Disable allow_url_include: In PHP, ensure that allow_url_include is disabled in the php.ini configuration file.

  • Use Absolute Paths: Avoid using relative paths based on user input, and instead rely on predefined, fixed paths.

  • Limit File Permissions: Restrict file access permissions to only necessary files and directories.

PREVENTION

HARDENING

  • Utilize a Web Application Firewall (WAF), such as ModSecurity

    • ModSecurity minimizes false positives by offering a permissive mode, which only reports the requests it would have blocked. This lets defenders tune the rules to make sure no legitimate request is blocked. Even with the WAF only in permissive mode, its reports can serve as an early warning sign that an application is being attacked

FILE INCLUSION

  • Avoid passing any user-controlled inputs into any file inclusion functions or APIs

  • Utilize a limited whitelist of allowed user inputs, match each input to the file to be loaded, and fall back to a default value for all other inputs

  • Globally disable the inclusion of remote files in web server configurations.

    • In PHP this can be done by setting allow_url_fopen and allow_url_include to Off

  • Lock web applications to their web root directory to prevent attackers from accessing non-web related files

    • In PHP that can be done by adding open_basedir = /var/www to the php.ini file

    • Also, ensure that potentially dangerous modules, such as PHP Expect and mod_userdir, are disabled

DIRECTORY TRAVERSAL

  • Use a function that reads the path but returns only the filename portion

  • Sanitize user input to recursively remove any attempt at traversing directories

<?php
# PHP function that sanitizes user input by repeatedly stripping '../'
function strip_traversal(string $input): string {
    while (substr_count($input, '../') > 0) {
        $input = str_replace('../', '', $input);
    }
    return $input;
}

  • This code removes ../ sub-strings repeatedly until none remain, so nested forms such as ....// are also stripped
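The whitelist-with-default approach from the FILE INCLUSION section and the filename-only approach from the DIRECTORY TRAVERSAL section, combined in one added example (not code from the original notes). It assumes page templates live under /var/www/pages and that the page name arrives in the page query parameter.

```php
<?php
// Added example, not from the original notes. Assumed layout: templates live
// in /var/www/pages/<name>.php and the requested page comes from ?page=...
declare(strict_types=1);

const PAGE_DIR = '/var/www/pages';

// Whitelist: the user-supplied value is only ever used as an array key, so it
// never reaches include as a path. Unknown keys fall back to DEFAULT_PAGE.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];
const DEFAULT_PAGE = 'home';

function resolve_page(?string $requested): string
{
    $key = (string) $requested;
    if (!array_key_exists($key, PAGES)) {
        $key = DEFAULT_PAGE;
    }
    return PAGE_DIR . '/' . PAGES[$key];
}

// Keep only the filename portion of a user-supplied path: "../../etc/passwd"
// becomes "passwd". Backslashes are normalised first so "..\..\x" is handled
// the same way, and the dot entries "." and ".." are rejected outright.
function filename_only(string $input): string
{
    $name = basename(str_replace('\\', '/', $input));
    return ($name === '.' || $name === '..') ? '' : $name;
}

// Belt-and-braces check that a resolved file really sits under PAGE_DIR.
// realpath() returns false for a file that does not exist, which counts as
// a failure here.
function within_page_dir(string $path): bool
{
    $real = realpath($path);
    return $real !== false && strpos($real, PAGE_DIR . '/') === 0;
}

$page = resolve_page($_GET['page'] ?? null);
if (within_page_dir($page)) {
    include $page;
}
```

With this layout a request for page=../../etc/passwd resolves to /var/www/pages/home.php, because the value matches no whitelist key.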
