---
obj: concept
wiki: https://en.wikipedia.org/wiki/File_inclusion_vulnerability
rev: 2024-05-02
---

# File Inclusion Vulnerabilities

File inclusion vulnerabilities are a class of web application flaw in which the application lets an attacker control which file a script includes, usually so that a malicious file is loaded and executed on the server. They are common in web applications and can have serious consequences when exploited.

## Types of File Inclusion Vulnerabilities

There are two main types of file inclusion vulnerabilities:

1. **Remote File Inclusion (RFI)**: In RFI, an attacker can include remote files hosted on a different server. This allows the attacker to execute malicious code or retrieve sensitive information from the server.
2. **Local File Inclusion (LFI)**: In LFI, an attacker can include files that are already present on the server. These files could be system files, configuration files, or any other file accessible to the web server process.

## Exploitation

File inclusion vulnerabilities are typically exploited by manipulating the input parameters of a web application that specify which file is to be included. Attackers can modify these parameters to include arbitrary files, leading to unauthorized access or execution of malicious code.

### Example of Exploitation

Consider a PHP web application that includes files based on a `page` parameter in the [URL](../internet/URL.md):

```php
<?php
// Deliberately vulnerable: the file name is taken straight from the query string
// and passed to include() with only a fixed ".php" suffix appended.
include $_GET['page'] . '.php';
```

An attacker can exploit this vulnerability by providing a malicious `page` parameter:

```
http://example.com/index.php?page=malicious_script
```

If the application does not properly sanitize input, the attacker's script (`malicious_script.php`) will be included and executed by the server.

## Mitigation

To prevent file inclusion vulnerabilities, developers should follow best practices for secure coding:

1. **Input Validation**: Validate and sanitize all user-supplied input to ensure that it conforms to the expected format and does not contain malicious content.
2. **Whitelisting**: Maintain a whitelist of allowed files or directories that can be included. Only include files that are explicitly allowed, and reject all others.
3. **Use Absolute Paths**: Instead of including files based on user-supplied input, use absolute paths or predefined constants to specify file locations.
4. **Limit File Permissions**: Restrict the permissions of files and directories to minimize the impact of a successful exploitation.
5. **Security Headers**: Implement security headers, such as Content Security Policy (CSP), to restrict which external resources the browser will load. Note that CSP is a client-side control and does not stop the server itself from including a remote file.
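The whitelisting and absolute-path recommendations above, combined in one page router. This is an added example, not code from the original page; it assumes page templates live in a `pages/` directory next to the script, and that `allow_url_include` is left at its default of `Off` in `php.ini` so `include` cannot fetch URLs at all.

```php
<?php
// Added example: allowlist-based page inclusion (assumed layout: ./pages/*.php).
// The client supplies only a key; the key is mapped to a fixed file name,
// so no client-controlled path or URL ever reaches include().
const PAGE_ALLOWLIST = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Resolve a user-supplied page key to an absolute path, or null if it is
 * not allowed. Returning null (rather than a guessed file) is the safe default.
 */
function resolvePage(string $page): ?string
{
    if (!array_key_exists($page, PAGE_ALLOWLIST)) {
        return null;                              // unknown key: reject
    }
    $base = realpath(__DIR__ . '/pages');
    $path = realpath($base . '/' . PAGE_ALLOWLIST[$page]);
    // Defence in depth: even though the name came from our own table, confirm
    // the resolved absolute path is still inside the pages directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($base === false || $path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

$page = $_GET['page'] ?? 'home';
$path = resolvePage($page);
if ($path === null) {
    http_response_code(404);           // do not echo the rejected value back
    exit('Unknown page');
}
include $path;
```

Requests such as `index.php?page=about` resolve to `pages/about.php`; any key not in `PAGE_ALLOWLIST`, whatever characters it contains, is answered with a 404 before `include` runs.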