Unlike many vulnerabilities, exploiting local file inclusion and path traversal processes for nefarious purposes requires a sufficiently skilled attacker, a fair amount of time, and perhaps a bit of luck. That is not to say that this vulnerability can be ignored. Skilled attackers can use it to turn internal files against an organization, map out a directory structure or even steal password and user information that can be used for dangerous secondary attacks.
In this episode, we will learn:
The classic TV detective Columbo used to always say, "Just one more thing" right before delivering a valuable piece of information that would crack open the case at hand. It seemed inconsequential at the time, and was almost always ignored by the suspect, but always proved to be their undoing. The local file inclusion and path traversal vulnerabilities are a lot like that.
The local file inclusion and path traversal vulnerabilities abuse the dynamic file include mechanism that exists in most programming frameworks, such as ASP, JSP and PHP scripts. For local file inclusion, an attacker slips the name of a file that exists on the local server into a user-controlled area of a web application, such as a header or a form input. The application processes the main input as normal, but also passes the attacker's value on to include(page) or a similar command. In path traversal, the attacker supplies a path to a suspected file, normally built from dot-dot-slash (../) sequences that climb out of the directory the application intended. It's very much like Columbo in that the hacker really doesn't care about the first part of the argument. It's simply a means for them to add "just one more thing" at the end.
In either case, the attacker must normally perform a significant amount of trial and error. Unless they are very familiar with how the site is structured, guessing path configurations and file names could take a long time. That said, most sites follow specific patterns and have more or less similar directories and file names, so it might not take as long as you think. And given that the payout is potentially very lucrative, there is a lot of incentive for hackers to exploit local file inclusion and path traversal vulnerabilities once found.
Local file inclusion and path traversal vulnerabilities are dangerous because they can allow attackers to gain access to sensitive or critical files. For data files, the danger is that the hacker could obtain something valuable such as user passwords or other personal information. A primary target is often password or user configuration files since that would provide access to the rest of the site. Databases are also prime targets. Local file inclusion and path traversal vulnerabilities could allow an attacker to steal the entire contents of a database in a worst case scenario.
For executable files, the danger is that getting access to them might allow an attacker to perform malicious activities such as destroying part of a site or even mounting some type of internal denial of service attack by squandering system resources. But the full scope of the danger is only limited by the attacker's ingenuity and skill, and whatever files they can access that already exist on the target server.
The danger posed by local file inclusion and path traversal vulnerabilities can be eliminated with good cybersecurity practices. The most important thing to remember is to never allow user input to reach a "file include" command or any command with a similar function. If an application must let the user choose a file, don't pass the input on directly. Instead, use an indirect reference map: it takes the user input as a key and maps it to one of a set of hard-coded, trusted values, which can then be used safely.
As with many other vulnerabilities, pay particular attention to all user-controlled input areas such as cookies, HTTP headers and form parameters. Allowable input should be whitelisted, with everything else explicitly denied. Where this is not possible, use input validation to tightly regulate which values are allowed, such as numbers or alphanumeric values only.
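Added example (not code from the original post or from Secure Code Warrior): the direct-include pattern the article warns about, beside the indirect reference map it recommends, written in Python. The templates directory, its two pages, the sample config file and the page names are all constructed for the demo.

```python
import os
import tempfile

# Constructed sample "site": a templates directory with two pages, plus a
# sensitive file one level up so a traversal attempt has something to reach.
BASE = tempfile.mkdtemp()
TEMPLATES = os.path.join(BASE, "templates")
os.makedirs(TEMPLATES)
with open(os.path.join(TEMPLATES, "home.html"), "w") as f:
    f.write("<h1>Home</h1>")
with open(os.path.join(TEMPLATES, "about.html"), "w") as f:
    f.write("<h1>About</h1>")
with open(os.path.join(BASE, "secret.conf"), "w") as f:
    f.write("db_password=hunter2")  # constructed sample secret


def load_page_vulnerable(page: str) -> str:
    """The 'before' case: the request value is joined straight onto the
    path, so page='../secret.conf' reads outside the templates directory."""
    with open(os.path.join(TEMPLATES, page)) as f:
        return f.read()


# Indirect reference map: the user may only supply one of the keys; the
# file names on the right are hard-coded and never come from the request.
PAGE_MAP = {
    "home": "home.html",
    "about": "about.html",
}


def load_page_safe(page: str) -> str:
    """The hardened case: look the token up in the map, reject anything
    else, then confirm the resolved path still sits under TEMPLATES."""
    filename = PAGE_MAP.get(page)
    if filename is None:
        raise ValueError("unknown page")
    root = os.path.realpath(TEMPLATES)
    path = os.path.realpath(os.path.join(root, filename))
    # Defence in depth: even if the map is mis-edited later, refuse to read
    # any file whose real path is outside the templates directory.
    if os.path.commonpath([path, root]) != root:
        raise ValueError("path escapes templates directory")
    with open(path) as f:
        return f.read()
```

The map is the real control: the traversal string is never a key, so it is rejected before any path is built, and the realpath check only guards against future mistakes in the map itself.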
For further reading, you can take a look at the OWASP testing guide for local file inclusion and path traversal exploits. You can also put your newfound defensive knowledge to the test with the free demo of the Secure Code Warrior platform, which trains cybersecurity teams to become the ultimate cyber warriors. To learn more about defeating this vulnerability, and a rogues' gallery of other threats, visit the Secure Code Warrior blog.