Coders Conquer Security: Share & Learn Series - Local File Inclusion and Path Traversal
Unlike many vulnerabilities, exploiting local file inclusion and path traversal processes for nefarious purposes requires a sufficiently skilled attacker, a fair amount of time, and perhaps a bit of luck. That is not to say that this vulnerability can be ignored. Skilled attackers can use it to turn internal files against an organization, map out a directory structure or even steal password and user information that can be used for dangerous secondary attacks.
In this episode, we will learn:
- How hackers exploit local file inclusion and path traversal vulnerabilities
- Why allowing unrestricted local file inclusion and path traversal can be dangerous
- Policies and techniques that can be employed to find and fix this problem.
How do Attackers Exploit Local File Inclusion and Path Traversal?
The classic TV detective Columbo used to always say, "Just one more thing" right before delivering a valuable piece of information that would crack open the case at hand. It seemed inconsequential at the time, and was almost always ignored by the suspect, but always proved to be their undoing. The local file inclusion and path traversal vulnerabilities are a lot like that.
The local file inclusion and path traversal vulnerabilities use the dynamic file include mechanism that exists in most programming frameworks such as ASP, JSP and PHP scripts. For local file inclusion, an attacker slips the name of a file that exists on the local server into an area in a web application such as a header or form input area. The application processes the main input as normal, but also the include(page) or similar command. In path traversal, the attacker defines the path to a suspected file, normally using the dot, dot and slash (../) characters as variables. It's very much like Columbo in that the hacker really doesn't care about the first part of the argument. It's simply a means for them to add "just one more thing" at the end.
In either case, the attacker must normally perform a significant amount of trial and error. Unless they are very familiar with how the site is structured, guessing path configurations and file names could take a long time. That said, most sites follow specific patterns, and have more or less similar directories and file names. So it might not take a long as you think. And given that the payout is potentially very lucrative, there is a lot of incentive for hackers to try and exploit local file inclusion and path traversal vulnerabilities once found.
Why are Local File Inclusion and Path Traversal Vulnerabilities Dangerous?
Local file inclusion and path traversal vulnerabilities are dangerous because they can allow attackers to gain access to sensitive or critical files. For data files, the danger is that the hacker could obtain something valuable such as user passwords or other personal information. A primary target is often password or user configuration files since that would provide access to the rest of the site. Databases are also prime targets. Local file inclusion and path traversal vulnerabilities could allow an attacker to steal the entire contents of a database in a worst case scenario.
For executable files, the danger is that getting access to them might allow an attacker to perform malicious activities such as destroying part of a site or even mounting some type of internal denial of service attack by squandering system resources. But the full scope of the danger is only limited by the attacker's ingenuity and skill, and whatever files they can access that already exist on the target server.
Removing the Threat Posed by Local File Inclusion and Path Traversal
The danger posed by local file inclusion and path traversal vulnerabilities can be eliminated with good cybersecurity practices. The most important thing to remember is never allowing user input in "file include" or other commands with similar functions. If an application must allow it, don't directly pass it on. Instead, use an indirect reference map. An indirect reference map takes user input and maps it to a set of hard-coded trusted values which can then be safely used.
As with many other vulnerabilities, pay particular attention to all user-controlled input areas such as cookies, HTTP headers and form parameters. Allowable input should be whitelisted, with everything else explicitly denied. Where this is not possible, use input validation to tightly regulate which values are allowed such as numbers, alphanumeric values etc.
More Information about Local File Inclusion and Path Traversal
For further reading, you can take a look at the OWASP testing guide for local file inclusion and path traversal exploits. You can also put your newfound defensive knowledge to the test with the free demo of the Secure Code Warrior platform, which trains cybersecurity teams to become the ultimate cyber warriors. To learn more about defeating this vulnerability, and a rogues'gallery of other threats, visit the Secure Code Warrior blog.
Unlike many vulnerabilities, exploiting local file inclusion and path traversal processes for nefarious purposes requires a sufficiently skilled attacker, a fair amount of time, and perhaps a bit of luck.
Jaap Karan Singh is a Secure Coding Evangelist, Chief Singh and co-founder of Secure Code Warrior.
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
Book a demo
Jaap Karan Singh is a Secure Coding Evangelist, Chief Singh and co-founder of Secure Code Warrior.
Unlike many vulnerabilities, exploiting local file inclusion and path traversal processes for nefarious purposes requires a sufficiently skilled attacker, a fair amount of time, and perhaps a bit of luck. That is not to say that this vulnerability can be ignored. Skilled attackers can use it to turn internal files against an organization, map out a directory structure or even steal password and user information that can be used for dangerous secondary attacks.
In this episode, we will learn:
- How hackers exploit local file inclusion and path traversal vulnerabilities
- Why allowing unrestricted local file inclusion and path traversal can be dangerous
- Policies and techniques that can be employed to find and fix this problem.
How do Attackers Exploit Local File Inclusion and Path Traversal?
The classic TV detective Columbo used to always say, "Just one more thing" right before delivering a valuable piece of information that would crack open the case at hand. It seemed inconsequential at the time, and was almost always ignored by the suspect, but always proved to be their undoing. The local file inclusion and path traversal vulnerabilities are a lot like that.
The local file inclusion and path traversal vulnerabilities use the dynamic file include mechanism that exists in most programming frameworks such as ASP, JSP and PHP scripts. For local file inclusion, an attacker slips the name of a file that exists on the local server into an area in a web application such as a header or form input area. The application processes the main input as normal, but also the include(page) or similar command. In path traversal, the attacker defines the path to a suspected file, normally using the dot, dot and slash (../) characters as variables. It's very much like Columbo in that the hacker really doesn't care about the first part of the argument. It's simply a means for them to add "just one more thing" at the end.
In either case, the attacker must normally perform a significant amount of trial and error. Unless they are very familiar with how the site is structured, guessing path configurations and file names could take a long time. That said, most sites follow specific patterns, and have more or less similar directories and file names. So it might not take a long as you think. And given that the payout is potentially very lucrative, there is a lot of incentive for hackers to try and exploit local file inclusion and path traversal vulnerabilities once found.
Why are Local File Inclusion and Path Traversal Vulnerabilities Dangerous?
Local file inclusion and path traversal vulnerabilities are dangerous because they can allow attackers to gain access to sensitive or critical files. For data files, the danger is that the hacker could obtain something valuable such as user passwords or other personal information. A primary target is often password or user configuration files since that would provide access to the rest of the site. Databases are also prime targets. Local file inclusion and path traversal vulnerabilities could allow an attacker to steal the entire contents of a database in a worst case scenario.
For executable files, the danger is that getting access to them might allow an attacker to perform malicious activities such as destroying part of a site or even mounting some type of internal denial of service attack by squandering system resources. But the full scope of the danger is only limited by the attacker's ingenuity and skill, and whatever files they can access that already exist on the target server.
Removing the Threat Posed by Local File Inclusion and Path Traversal
The danger posed by local file inclusion and path traversal vulnerabilities can be eliminated with good cybersecurity practices. The most important thing to remember is never allowing user input in "file include" or other commands with similar functions. If an application must allow it, don't directly pass it on. Instead, use an indirect reference map. An indirect reference map takes user input and maps it to a set of hard-coded trusted values which can then be safely used.
As with many other vulnerabilities, pay particular attention to all user-controlled input areas such as cookies, HTTP headers and form parameters. Allowable input should be whitelisted, with everything else explicitly denied. Where this is not possible, use input validation to tightly regulate which values are allowed such as numbers, alphanumeric values etc.
More Information about Local File Inclusion and Path Traversal
For further reading, you can take a look at the OWASP testing guide for local file inclusion and path traversal exploits. You can also put your newfound defensive knowledge to the test with the free demo of the Secure Code Warrior platform, which trains cybersecurity teams to become the ultimate cyber warriors. To learn more about defeating this vulnerability, and a rogues'gallery of other threats, visit the Secure Code Warrior blog.
Unlike many vulnerabilities, exploiting local file inclusion and path traversal processes for nefarious purposes requires a sufficiently skilled attacker, a fair amount of time, and perhaps a bit of luck. That is not to say that this vulnerability can be ignored. Skilled attackers can use it to turn internal files against an organization, map out a directory structure or even steal password and user information that can be used for dangerous secondary attacks.
In this episode, we will learn:
- How hackers exploit local file inclusion and path traversal vulnerabilities
- Why allowing unrestricted local file inclusion and path traversal can be dangerous
- Policies and techniques that can be employed to find and fix this problem.
How do Attackers Exploit Local File Inclusion and Path Traversal?
The classic TV detective Columbo used to always say, "Just one more thing" right before delivering a valuable piece of information that would crack open the case at hand. It seemed inconsequential at the time, and was almost always ignored by the suspect, but always proved to be their undoing. The local file inclusion and path traversal vulnerabilities are a lot like that.
The local file inclusion and path traversal vulnerabilities use the dynamic file include mechanism that exists in most programming frameworks such as ASP, JSP and PHP scripts. For local file inclusion, an attacker slips the name of a file that exists on the local server into an area in a web application such as a header or form input area. The application processes the main input as normal, but also the include(page) or similar command. In path traversal, the attacker defines the path to a suspected file, normally using the dot, dot and slash (../) characters as variables. It's very much like Columbo in that the hacker really doesn't care about the first part of the argument. It's simply a means for them to add "just one more thing" at the end.
In either case, the attacker must normally perform a significant amount of trial and error. Unless they are very familiar with how the site is structured, guessing path configurations and file names could take a long time. That said, most sites follow specific patterns, and have more or less similar directories and file names. So it might not take a long as you think. And given that the payout is potentially very lucrative, there is a lot of incentive for hackers to try and exploit local file inclusion and path traversal vulnerabilities once found.
Why are Local File Inclusion and Path Traversal Vulnerabilities Dangerous?
Local file inclusion and path traversal vulnerabilities are dangerous because they can allow attackers to gain access to sensitive or critical files. For data files, the danger is that the hacker could obtain something valuable such as user passwords or other personal information. A primary target is often password or user configuration files since that would provide access to the rest of the site. Databases are also prime targets. Local file inclusion and path traversal vulnerabilities could allow an attacker to steal the entire contents of a database in a worst case scenario.
For executable files, the danger is that getting access to them might allow an attacker to perform malicious activities such as destroying part of a site or even mounting some type of internal denial of service attack by squandering system resources. But the full scope of the danger is only limited by the attacker's ingenuity and skill, and whatever files they can access that already exist on the target server.
Removing the Threat Posed by Local File Inclusion and Path Traversal
The danger posed by local file inclusion and path traversal vulnerabilities can be eliminated with good cybersecurity practices. The most important thing to remember is never allowing user input in "file include" or other commands with similar functions. If an application must allow it, don't directly pass it on. Instead, use an indirect reference map. An indirect reference map takes user input and maps it to a set of hard-coded trusted values which can then be safely used.
As with many other vulnerabilities, pay particular attention to all user-controlled input areas such as cookies, HTTP headers and form parameters. Allowable input should be whitelisted, with everything else explicitly denied. Where this is not possible, use input validation to tightly regulate which values are allowed such as numbers, alphanumeric values etc.
More Information about Local File Inclusion and Path Traversal
For further reading, you can take a look at the OWASP testing guide for local file inclusion and path traversal exploits. You can also put your newfound defensive knowledge to the test with the free demo of the Secure Code Warrior platform, which trains cybersecurity teams to become the ultimate cyber warriors. To learn more about defeating this vulnerability, and a rogues'gallery of other threats, visit the Secure Code Warrior blog.
Click on the link below and download the PDF of this resource.
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
View reportBook a demo
Jaap Karan Singh is a Secure Coding Evangelist, Chief Singh and co-founder of Secure Code Warrior.
Unlike many vulnerabilities, exploiting local file inclusion and path traversal processes for nefarious purposes requires a sufficiently skilled attacker, a fair amount of time, and perhaps a bit of luck. That is not to say that this vulnerability can be ignored. Skilled attackers can use it to turn internal files against an organization, map out a directory structure or even steal password and user information that can be used for dangerous secondary attacks.
In this episode, we will learn:
- How hackers exploit local file inclusion and path traversal vulnerabilities
- Why allowing unrestricted local file inclusion and path traversal can be dangerous
- Policies and techniques that can be employed to find and fix this problem.
How do Attackers Exploit Local File Inclusion and Path Traversal?
The classic TV detective Columbo used to always say, "Just one more thing" right before delivering a valuable piece of information that would crack open the case at hand. It seemed inconsequential at the time, and was almost always ignored by the suspect, but always proved to be their undoing. The local file inclusion and path traversal vulnerabilities are a lot like that.
The local file inclusion and path traversal vulnerabilities use the dynamic file include mechanism that exists in most programming frameworks such as ASP, JSP and PHP scripts. For local file inclusion, an attacker slips the name of a file that exists on the local server into an area in a web application such as a header or form input area. The application processes the main input as normal, but also the include(page) or similar command. In path traversal, the attacker defines the path to a suspected file, normally using the dot, dot and slash (../) characters as variables. It's very much like Columbo in that the hacker really doesn't care about the first part of the argument. It's simply a means for them to add "just one more thing" at the end.
In either case, the attacker must normally perform a significant amount of trial and error. Unless they are very familiar with how the site is structured, guessing path configurations and file names could take a long time. That said, most sites follow specific patterns, and have more or less similar directories and file names. So it might not take a long as you think. And given that the payout is potentially very lucrative, there is a lot of incentive for hackers to try and exploit local file inclusion and path traversal vulnerabilities once found.
Why are Local File Inclusion and Path Traversal Vulnerabilities Dangerous?
Local file inclusion and path traversal vulnerabilities are dangerous because they can allow attackers to gain access to sensitive or critical files. For data files, the danger is that the hacker could obtain something valuable such as user passwords or other personal information. A primary target is often password or user configuration files since that would provide access to the rest of the site. Databases are also prime targets. Local file inclusion and path traversal vulnerabilities could allow an attacker to steal the entire contents of a database in a worst case scenario.
For executable files, the danger is that getting access to them might allow an attacker to perform malicious activities such as destroying part of a site or even mounting some type of internal denial of service attack by squandering system resources. But the full scope of the danger is only limited by the attacker's ingenuity and skill, and whatever files they can access that already exist on the target server.
Removing the Threat Posed by Local File Inclusion and Path Traversal
The danger posed by local file inclusion and path traversal vulnerabilities can be eliminated with good cybersecurity practices. The most important thing to remember is never allowing user input in "file include" or other commands with similar functions. If an application must allow it, don't directly pass it on. Instead, use an indirect reference map. An indirect reference map takes user input and maps it to a set of hard-coded trusted values which can then be safely used.
As with many other vulnerabilities, pay particular attention to all user-controlled input areas such as cookies, HTTP headers and form parameters. Allowable input should be whitelisted, with everything else explicitly denied. Where this is not possible, use input validation to tightly regulate which values are allowed such as numbers, alphanumeric values etc.
More Information about Local File Inclusion and Path Traversal
For further reading, you can take a look at the OWASP testing guide for local file inclusion and path traversal exploits. You can also put your newfound defensive knowledge to the test with the free demo of the Secure Code Warrior platform, which trains cybersecurity teams to become the ultimate cyber warriors. To learn more about defeating this vulnerability, and a rogues'gallery of other threats, visit the Secure Code Warrior blog.
Table of contents
Jaap Karan Singh is a Secure Coding Evangelist, Chief Singh and co-founder of Secure Code Warrior.
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
Book a demoDownloadResources to get you started
Benchmarking Security Skills: Streamlining Secure-by-Design in the Enterprise
The Secure-by-Design movement is the future of secure software development. Learn about the key elements companies need to keep in mind when they think about a Secure-by-Design initiative.
DigitalOcean Decreases Security Debt with Secure Code Warrior
DigitalOcean's use of Secure Code Warrior training has significantly reduced security debt, allowing teams to focus more on innovation and productivity. The improved security has strengthened their product quality and competitive edge. Looking ahead, the SCW Trust Score will help them further enhance security practices and continue driving innovation.
Resources to get you started
Trust Score Reveals the Value of Secure-by-Design Upskilling Initiatives
Our research has shown that secure code training works. Trust Score, using an algorithm drawing on more than 20 million learning data points from work by more than 250,000 learners at over 600 organizations, reveals its effectiveness in driving down vulnerabilities and how to make the initiative even more effective.
.png)
Reactive Versus Preventive Security: Prevention Is a Better Cure
The idea of bringing preventive security to legacy code and systems at the same time as newer applications can seem daunting, but a Secure-by-Design approach, enforced by upskilling developers, can apply security best practices to those systems. It’s the best chance many organizations have of improving their security postures.
The Benefits of Benchmarking Security Skills for Developers
The growing focus on secure code and Secure-by-Design principles requires developers to be trained in cybersecurity from the start of the SDLC, with tools like Secure Code Warrior’s Trust Score helping measure and improve their progress.
Driving Meaningful Success for Enterprise Secure-by-Design Initiatives
Our latest research paper, Benchmarking Security Skills: Streamlining Secure-by-Design in the Enterprise is the result of deep analysis of real Secure-by-Design initiatives at the enterprise level, and deriving best practice approaches based on data-driven findings.
Developer-driven coding.
Securely.
Contact us today and make software security an intrinsic part of your development process.
