Definition
Local file inclusion (LFI) is a security vulnerability in which an attacker makes a web application read, and in some cases execute, files that already exist on the web server. It can give attackers a foothold on the system, expose confidential information such as configuration files and credentials, and lead to execution of malicious code when the included file is interpreted rather than merely displayed.
The Open Source Foundation for Application Security (OWASP) considers LFI a dangerous threat and features it among the top 10 web application vulnerabilities.
How Local File Inclusion Works
Local file inclusion happens when an application takes the name of a file to include from user input (typically a request parameter such as a page or template name) and fails to adequately validate or sanitize that input before passing it to a file-inclusion or file-read call. The attacker supplies a crafted value, often a file path or a directory traversal sequence, to manipulate the application into including sensitive files or executing harmful code.
Local File Inclusion Techniques
- Null byte injection: By appending a URL-encoded null byte (“%00”) to the input, the attacker can evade security mechanisms that rely on an appended suffix or extension. In runtimes that treat strings as null-terminated, everything after the null byte is dropped, so a file with a restricted extension or characters can be included anyway. (Current PHP versions reject null bytes in filesystem functions, but the class of bug persists in other stacks and in custom validators that check the extension before truncation occurs.)
- Relative path traversal: The attacker inserts “../” sequences into the input, allowing them to walk up the directory tree and access files outside the directory the application intended to serve from.
- Encoding: The attacker can bypass input validation that looks for the literal traversal sequence by URL-encoding it (or encoding it twice) so the filter does not match, while the decoding step that happens before the file is opened restores the original characters.
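The three techniques above are easy to spot once the file parameter is fully decoded, which is also why one-pass decoding in a filter is not enough. The following is an added example, not part of the original article: it scans constructed access-log lines (invented addresses, timestamps and file names), extracts the raw `file=` parameter and reports which of the listed techniques appear. The `fully_decode` helper repeats percent-decoding until the value stops changing, so a double-encoded `%252e` is recognised as the `.` it becomes at the file-open step.

```python
"""Classify suspicious file-include parameters in web access logs.
Added example for the LFI techniques section; log lines are constructed."""
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote, urlsplit

# Constructed sample log lines in combined-log style (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /view.php?file=about.html HTTP/1.1" 200 512
10.0.0.6 - - [01/Jan/2024:10:00:02 +0000] "GET /view.php?file=../../../../secrets.ini HTTP/1.1" 200 1432
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /view.php?file=..%2F..%2Fconfig.php%00.html HTTP/1.1" 200 2048
10.0.0.8 - - [01/Jan/2024:10:00:04 +0000] "GET /view.php?file=%252e%252e%252fapp.ini HTTP/1.1" 403 120
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def raw_query_param(query: str, name: str) -> Optional[str]:
    """Return the still-encoded value of `name` from a query string.
    parse_qs() would decode it once and hide the encoding technique."""
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return value
    return None


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly until the string stops changing.
    A single unquote() turns '%252e' into '%2e'; a second pass yields '.'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_param(raw: str) -> List[str]:
    """Name the techniques from the article that a raw parameter exhibits."""
    findings = []
    decoded = fully_decode(raw)
    if decoded != raw:
        findings.append("encoding")
    if "\x00" in decoded:
        findings.append("null byte injection")
    # Normalise backslashes so Windows-style traversal is caught too.
    if "../" in decoded.replace("\\", "/"):
        findings.append("relative path traversal")
    return findings


def scan_log(log_text: str, param: str = "file") -> List[Tuple[str, List[str]]]:
    """Return (raw_value, findings) for each request line carrying `param`."""
    results = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        raw = raw_query_param(urlsplit(match.group(1)).query, param)
        if raw is None:
            continue
        results.append((raw, classify_param(raw)))
    return results


if __name__ == "__main__":
    for raw, findings in scan_log(SAMPLE_LOG):
        print(f"{raw!r:45} -> {findings or 'clean'}")
```

In a real deployment the same classification would run over the decoded value the application actually passes to its file-open call, since that is the only representation that matters; the log scan is useful for detection because it shows the request exactly as the filter saw it.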
Stopping Local File Inclusion Attacks
- Create an allowlist of permitted file names or paths and reject any request that does not match an entry exactly. Compare against the canonical (resolved) path rather than the raw string, so traversal sequences and symbolic links cannot point an allowed-looking name outside the intended directory.
- Validate and sanitize user input to prevent attackers from using directory traversal sequences, null bytes or encoded variants of them to reach unauthorized files.
- Use built-in file inclusion functions from web application frameworks to avoid the risks of constructing file paths manually.
- Apply the principle of least privilege to web applications, restricting access to only the files and directories essential for their operation, thereby minimizing the impact of a local file inclusion attack.
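The following added example (not code from the original article) puts the mitigations above side by side with the vulnerable pattern they replace. It builds a throwaway web root with two public pages and a constructed `config.ini` one directory above them, so both handlers can be run offline. `include_unsafe` joins user input straight onto the pages directory, which is exactly the bug described earlier; `include_safe` decodes the input, rejects control characters, checks the name against an explicit allowlist, and then verifies that the resolved path still lies under the pages directory. The page names and file contents are invented for the demonstration.

```python
"""Vulnerable file include beside its hardened form.
Added example for the mitigations section; fixture contents are constructed."""
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote


class IncludeError(Exception):
    """Raised by the hardened handler when a request is refused."""


def build_fixture() -> Path:
    """Create a temporary web root: pages/ holds public pages, and a
    constructed config.ini sits one level above it, outside the served tree."""
    root = Path(tempfile.mkdtemp(prefix="lfi_demo_"))
    pages = root / "pages"
    pages.mkdir()
    (pages / "about.html").write_text("<h1>About</h1>", encoding="utf-8")
    (pages / "contact.html").write_text("<h1>Contact</h1>", encoding="utf-8")
    (root / "config.ini").write_text("db_password=not-for-the-public", encoding="utf-8")
    return pages


def include_unsafe(pages: Path, requested: str) -> str:
    """The vulnerable pattern: the request value is joined onto the web root
    and read as-is, so '../config.ini' walks out of the pages directory."""
    with open(os.path.join(pages, requested), encoding="utf-8") as fh:
        return fh.read()


# Allowlist of page names the application is willing to include.
ALLOWED_PAGES = {"about", "contact"}


def include_safe(pages: Path, requested: str) -> str:
    """Hardened handler applying the article's mitigations in order:
    decode once, reject control characters (covers the null byte),
    accept only allowlisted names, then confirm the canonical path is
    still under the pages directory before reading it."""
    name = unquote(requested)
    if any(ord(ch) < 32 for ch in name):
        raise IncludeError("control character in page name")
    if name not in ALLOWED_PAGES:
        raise IncludeError(f"page not on allowlist: {name!r}")
    base = pages.resolve()
    target = (base / f"{name}.html").resolve()
    # Defence in depth: even with an allowlist, a symlink dropped inside
    # pages/ could point elsewhere, so check the resolved location too.
    if base not in target.parents:
        raise IncludeError("resolved path escapes the pages directory")
    return target.read_text(encoding="utf-8")


def rejects(pages: Path, requested: str) -> bool:
    """True if the hardened handler refuses the request."""
    try:
        include_safe(pages, requested)
    except IncludeError:
        return True
    return False


if __name__ == "__main__":
    pages = build_fixture()
    print("unsafe, ../config.ini :", include_unsafe(pages, "../config.ini"))
    print("safe,   about         :", include_safe(pages, "about"))
    for bad in ("../config.ini", "..%2Fconfig.ini", "about%00.html"):
        print(f"safe,   {bad:14}: rejected={rejects(pages, bad)}")
```

The allowlist does the real work: with a closed set of names there is no path for the caller to manipulate at all, and the framework-style resolution check only guards against mistakes in how the directory itself is laid out. Running the handler under an account that can read nothing but `pages/` (least privilege) limits what the unsafe variant could ever have returned.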