Coders Conquer Security: Share & Learn Series - Remote File Inclusion
Those of you reading this blog series might notice a lot of similarities between the remote file inclusion vulnerability and the local file inclusion and path traversal vulnerability discussed previously. Their root causes are similar, as are the recommended fixes.
In many ways, the remote file inclusion vulnerability is much more dangerous, and also easier to exploit, than its local file counterpart. As such, it should be found and remedied as soon as possible. Or better yet, web applications should be designed in such a way as to prevent it from occurring in the first place.
In this episode, we will learn:
- How hackers exploit the remote file inclusion vulnerability
- Why allowing remote file inclusion is dangerous
- Techniques that can fix this problem.
How do Attackers Exploit Remote File Inclusion?
The remote file inclusion vulnerability takes advantage of the "dynamic file include" command or mechanism that exists in most programming frameworks. The ability is intended to allow developers to use files located on a secondary server to execute activities on the application server. Obviously, this can be dangerous in the wrong hands.
How attackers exploit this ability is by finding any website or application that allows uncontrolled user input, which can come from things like HTTP headers or input areas in interactive forms. They use that as a launching point to generate file include commands.
For example, if a site uses the GET function to load pages, such as page = request.getParameter("page'); include page; then an attacker could send in a query using the page command, but with a URL of a site they control and file path to the file they want to execute. The query then gets passed to the server and the remote file is executed on the host. The activity is allowed because it is now part of the trusted app.
Why is the Remote File Inclusion Vulnerability Dangerous?
The level of danger posed by remote file inclusion is extremely high. Unlike with local file inclusion vulnerabilities, where files an attacker runs must exist on a host, and also be found by the attacker using trial and error, there are no restrictions like that with remote file inclusion. Obviously, an attacker knows the location of the files they want to exploit since they likely exist on their own machines, or sites they control. The files can also be hand chosen by them, and don't need to exist on the target machine prior to the exploit. The file might even consist of scripts specifically written to exploit a remote host.
In short, once an attacker is able to find and exploit a remote file inclusion vulnerability, there is nothing to stop them from gaining total control over an application or even an entire site. Certainly, no data stored there will be safe from their incursion.
Removing Remote File Inclusion Vulnerability
Never allow user input to pass directly to a file inclusion command for execution. Instead, use an indirect reference map of commands and only execute commands from there. An indirect reference map maps untrusted user input to a set of hardcoded trusted values on the server. Be sure to whitelist any areas where users can input data, and don't forget to include HTTP headers, form parameters and even cookies in that list. Doing that will close any window that an attacker looking to create a file include command can use.
As a bonus, proper sanitization and validation of user-generated content and employing reference maps to execute commands will not only squash the remote file inclusion vulnerability, but quite a few others as well, including this bug's dangerous cousin, the local file inclusion and path traversal exploit.
More Information about Remote File Inclusion
For further reading, you can take a look at the OWASP reference guide for remote file inclusion exploits. You can also put your newfound defensive knowledge to the test with the free demo of the Secure Code Warrior platform, which trains cybersecurity teams to become the ultimate cyber warriors. To learn more about defeating this vulnerability, and a rogues'gallery of other threats, visit the Secure Code Warrior blog.
In many ways, the remote file inclusion vulnerability is much more dangerous, and also easier to exploit, than its local file counterpart. As such, it should be found and remedied as soon as possible.
Jaap Karan Singh is a Secure Coding Evangelist, Chief Singh and co-founder of Secure Code Warrior.
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
Book a demo
Jaap Karan Singh is a Secure Coding Evangelist, Chief Singh and co-founder of Secure Code Warrior.
Those of you reading this blog series might notice a lot of similarities between the remote file inclusion vulnerability and the local file inclusion and path traversal vulnerability discussed previously. Their root causes are similar, as are the recommended fixes.
In many ways, the remote file inclusion vulnerability is much more dangerous, and also easier to exploit, than its local file counterpart. As such, it should be found and remedied as soon as possible. Or better yet, web applications should be designed in such a way as to prevent it from occurring in the first place.
In this episode, we will learn:
- How hackers exploit the remote file inclusion vulnerability
- Why allowing remote file inclusion is dangerous
- Techniques that can fix this problem.
How do Attackers Exploit Remote File Inclusion?
The remote file inclusion vulnerability takes advantage of the "dynamic file include" command or mechanism that exists in most programming frameworks. The ability is intended to allow developers to use files located on a secondary server to execute activities on the application server. Obviously, this can be dangerous in the wrong hands.
How attackers exploit this ability is by finding any website or application that allows uncontrolled user input, which can come from things like HTTP headers or input areas in interactive forms. They use that as a launching point to generate file include commands.
For example, if a site uses the GET function to load pages, such as page = request.getParameter("page'); include page; then an attacker could send in a query using the page command, but with a URL of a site they control and file path to the file they want to execute. The query then gets passed to the server and the remote file is executed on the host. The activity is allowed because it is now part of the trusted app.
Why is the Remote File Inclusion Vulnerability Dangerous?
The level of danger posed by remote file inclusion is extremely high. Unlike with local file inclusion vulnerabilities, where files an attacker runs must exist on a host, and also be found by the attacker using trial and error, there are no restrictions like that with remote file inclusion. Obviously, an attacker knows the location of the files they want to exploit since they likely exist on their own machines, or sites they control. The files can also be hand chosen by them, and don't need to exist on the target machine prior to the exploit. The file might even consist of scripts specifically written to exploit a remote host.
In short, once an attacker is able to find and exploit a remote file inclusion vulnerability, there is nothing to stop them from gaining total control over an application or even an entire site. Certainly, no data stored there will be safe from their incursion.
Removing Remote File Inclusion Vulnerability
Never allow user input to pass directly to a file inclusion command for execution. Instead, use an indirect reference map of commands and only execute commands from there. An indirect reference map maps untrusted user input to a set of hardcoded trusted values on the server. Be sure to whitelist any areas where users can input data, and don't forget to include HTTP headers, form parameters and even cookies in that list. Doing that will close any window that an attacker looking to create a file include command can use.
As a bonus, proper sanitization and validation of user-generated content and employing reference maps to execute commands will not only squash the remote file inclusion vulnerability, but quite a few others as well, including this bug's dangerous cousin, the local file inclusion and path traversal exploit.
More Information about Remote File Inclusion
For further reading, you can take a look at the OWASP reference guide for remote file inclusion exploits. You can also put your newfound defensive knowledge to the test with the free demo of the Secure Code Warrior platform, which trains cybersecurity teams to become the ultimate cyber warriors. To learn more about defeating this vulnerability, and a rogues'gallery of other threats, visit the Secure Code Warrior blog.
Those of you reading this blog series might notice a lot of similarities between the remote file inclusion vulnerability and the local file inclusion and path traversal vulnerability discussed previously. Their root causes are similar, as are the recommended fixes.
In many ways, the remote file inclusion vulnerability is much more dangerous, and also easier to exploit, than its local file counterpart. As such, it should be found and remedied as soon as possible. Or better yet, web applications should be designed in such a way as to prevent it from occurring in the first place.
In this episode, we will learn:
- How hackers exploit the remote file inclusion vulnerability
- Why allowing remote file inclusion is dangerous
- Techniques that can fix this problem.
How do Attackers Exploit Remote File Inclusion?
The remote file inclusion vulnerability takes advantage of the "dynamic file include" command or mechanism that exists in most programming frameworks. The ability is intended to allow developers to use files located on a secondary server to execute activities on the application server. Obviously, this can be dangerous in the wrong hands.
How attackers exploit this ability is by finding any website or application that allows uncontrolled user input, which can come from things like HTTP headers or input areas in interactive forms. They use that as a launching point to generate file include commands.
For example, if a site uses the GET function to load pages, such as page = request.getParameter("page'); include page; then an attacker could send in a query using the page command, but with a URL of a site they control and file path to the file they want to execute. The query then gets passed to the server and the remote file is executed on the host. The activity is allowed because it is now part of the trusted app.
Why is the Remote File Inclusion Vulnerability Dangerous?
The level of danger posed by remote file inclusion is extremely high. Unlike with local file inclusion vulnerabilities, where files an attacker runs must exist on a host, and also be found by the attacker using trial and error, there are no restrictions like that with remote file inclusion. Obviously, an attacker knows the location of the files they want to exploit since they likely exist on their own machines, or sites they control. The files can also be hand chosen by them, and don't need to exist on the target machine prior to the exploit. The file might even consist of scripts specifically written to exploit a remote host.
In short, once an attacker is able to find and exploit a remote file inclusion vulnerability, there is nothing to stop them from gaining total control over an application or even an entire site. Certainly, no data stored there will be safe from their incursion.
Removing Remote File Inclusion Vulnerability
Never allow user input to pass directly to a file inclusion command for execution. Instead, use an indirect reference map of commands and only execute commands from there. An indirect reference map maps untrusted user input to a set of hardcoded trusted values on the server. Be sure to whitelist any areas where users can input data, and don't forget to include HTTP headers, form parameters and even cookies in that list. Doing that will close any window that an attacker looking to create a file include command can use.
As a bonus, proper sanitization and validation of user-generated content and employing reference maps to execute commands will not only squash the remote file inclusion vulnerability, but quite a few others as well, including this bug's dangerous cousin, the local file inclusion and path traversal exploit.
More Information about Remote File Inclusion
For further reading, you can take a look at the OWASP reference guide for remote file inclusion exploits. You can also put your newfound defensive knowledge to the test with the free demo of the Secure Code Warrior platform, which trains cybersecurity teams to become the ultimate cyber warriors. To learn more about defeating this vulnerability, and a rogues'gallery of other threats, visit the Secure Code Warrior blog.
Click on the link below and download the PDF of this resource.
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
View reportBook a demo
Jaap Karan Singh is a Secure Coding Evangelist, Chief Singh and co-founder of Secure Code Warrior.
Those of you reading this blog series might notice a lot of similarities between the remote file inclusion vulnerability and the local file inclusion and path traversal vulnerability discussed previously. Their root causes are similar, as are the recommended fixes.
In many ways, the remote file inclusion vulnerability is much more dangerous, and also easier to exploit, than its local file counterpart. As such, it should be found and remedied as soon as possible. Or better yet, web applications should be designed in such a way as to prevent it from occurring in the first place.
In this episode, we will learn:
- How hackers exploit the remote file inclusion vulnerability
- Why allowing remote file inclusion is dangerous
- Techniques that can fix this problem.
How do Attackers Exploit Remote File Inclusion?
The remote file inclusion vulnerability takes advantage of the "dynamic file include" command or mechanism that exists in most programming frameworks. The ability is intended to allow developers to use files located on a secondary server to execute activities on the application server. Obviously, this can be dangerous in the wrong hands.
How attackers exploit this ability is by finding any website or application that allows uncontrolled user input, which can come from things like HTTP headers or input areas in interactive forms. They use that as a launching point to generate file include commands.
For example, if a site uses the GET function to load pages, such as page = request.getParameter("page'); include page; then an attacker could send in a query using the page command, but with a URL of a site they control and file path to the file they want to execute. The query then gets passed to the server and the remote file is executed on the host. The activity is allowed because it is now part of the trusted app.
Why is the Remote File Inclusion Vulnerability Dangerous?
The level of danger posed by remote file inclusion is extremely high. Unlike with local file inclusion vulnerabilities, where files an attacker runs must exist on a host, and also be found by the attacker using trial and error, there are no restrictions like that with remote file inclusion. Obviously, an attacker knows the location of the files they want to exploit since they likely exist on their own machines, or sites they control. The files can also be hand chosen by them, and don't need to exist on the target machine prior to the exploit. The file might even consist of scripts specifically written to exploit a remote host.
In short, once an attacker is able to find and exploit a remote file inclusion vulnerability, there is nothing to stop them from gaining total control over an application or even an entire site. Certainly, no data stored there will be safe from their incursion.
Removing Remote File Inclusion Vulnerability
Never allow user input to pass directly to a file inclusion command for execution. Instead, use an indirect reference map of commands and only execute commands from there. An indirect reference map maps untrusted user input to a set of hardcoded trusted values on the server. Be sure to whitelist any areas where users can input data, and don't forget to include HTTP headers, form parameters and even cookies in that list. Doing that will close any window that an attacker looking to create a file include command can use.
As a bonus, proper sanitization and validation of user-generated content and employing reference maps to execute commands will not only squash the remote file inclusion vulnerability, but quite a few others as well, including this bug's dangerous cousin, the local file inclusion and path traversal exploit.
More Information about Remote File Inclusion
For further reading, you can take a look at the OWASP reference guide for remote file inclusion exploits. You can also put your newfound defensive knowledge to the test with the free demo of the Secure Code Warrior platform, which trains cybersecurity teams to become the ultimate cyber warriors. To learn more about defeating this vulnerability, and a rogues'gallery of other threats, visit the Secure Code Warrior blog.
Table of contents
Jaap Karan Singh is a Secure Coding Evangelist, Chief Singh and co-founder of Secure Code Warrior.
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
Book a demoDownloadResources to get you started
Benchmarking Security Skills: Streamlining Secure-by-Design in the Enterprise
The Secure-by-Design movement is the future of secure software development. Learn about the key elements companies need to keep in mind when they think about a Secure-by-Design initiative.
DigitalOcean Decreases Security Debt with Secure Code Warrior
DigitalOcean's use of Secure Code Warrior training has significantly reduced security debt, allowing teams to focus more on innovation and productivity. The improved security has strengthened their product quality and competitive edge. Looking ahead, the SCW Trust Score will help them further enhance security practices and continue driving innovation.
Resources to get you started
Trust Score Reveals the Value of Secure-by-Design Upskilling Initiatives
Our research has shown that secure code training works. Trust Score, using an algorithm drawing on more than 20 million learning data points from work by more than 250,000 learners at over 600 organizations, reveals its effectiveness in driving down vulnerabilities and how to make the initiative even more effective.
.png)
Reactive Versus Preventive Security: Prevention Is a Better Cure
The idea of bringing preventive security to legacy code and systems at the same time as newer applications can seem daunting, but a Secure-by-Design approach, enforced by upskilling developers, can apply security best practices to those systems. It’s the best chance many organizations have of improving their security postures.
The Benefits of Benchmarking Security Skills for Developers
The growing focus on secure code and Secure-by-Design principles requires developers to be trained in cybersecurity from the start of the SDLC, with tools like Secure Code Warrior’s Trust Score helping measure and improve their progress.
Driving Meaningful Success for Enterprise Secure-by-Design Initiatives
Our latest research paper, Benchmarking Security Skills: Streamlining Secure-by-Design in the Enterprise is the result of deep analysis of real Secure-by-Design initiatives at the enterprise level, and deriving best practice approaches based on data-driven findings.
Developer-driven coding.
Securely.
Contact us today and make software security an intrinsic part of your development process.
