코더들이 보안을 정복하다: 공유 및 학습 시리즈 - 로컬 파일 포함 및 경로 탐색
Unlike many vulnerabilities, exploiting local file inclusion and path traversal processes for nefarious purposes requires a sufficiently skilled attacker, a fair amount of time, and perhaps a bit of luck. That is not to say that this vulnerability can be ignored. Skilled attackers can use it to turn internal files against an organization, map out a directory structure or even steal password and user information that can be used for dangerous secondary attacks.
In this episode, we will learn:
- How hackers exploit local file inclusion and path traversal vulnerabilities
- Why allowing unrestricted local file inclusion and path traversal can be dangerous
- Policies and techniques that can be employed to find and fix this problem.
How do Attackers Exploit Local File Inclusion and Path Traversal?
The classic TV detective Columbo used to always say, "Just one more thing" right before delivering a valuable piece of information that would crack open the case at hand. It seemed inconsequential at the time, and was almost always ignored by the suspect, but always proved to be their undoing. The local file inclusion and path traversal vulnerabilities are a lot like that.
The local file inclusion and path traversal vulnerabilities use the dynamic file include mechanism that exists in most programming frameworks such as ASP, JSP and PHP scripts. For local file inclusion, an attacker slips the name of a file that exists on the local server into an area in a web application such as a header or form input area. The application processes the main input as normal, but also the include(page) or similar command. In path traversal, the attacker defines the path to a suspected file, normally using the dot, dot and slash (../) characters as variables. It's very much like Columbo in that the hacker really doesn't care about the first part of the argument. It's simply a means for them to add "just one more thing" at the end.
In either case, the attacker must normally perform a significant amount of trial and error. Unless they are very familiar with how the site is structured, guessing path configurations and file names could take a long time. That said, most sites follow specific patterns, and have more or less similar directories and file names. So it might not take a long as you think. And given that the payout is potentially very lucrative, there is a lot of incentive for hackers to try and exploit local file inclusion and path traversal vulnerabilities once found.
Why are Local File Inclusion and Path Traversal Vulnerabilities Dangerous?
Local file inclusion and path traversal vulnerabilities are dangerous because they can allow attackers to gain access to sensitive or critical files. For data files, the danger is that the hacker could obtain something valuable such as user passwords or other personal information. A primary target is often password or user configuration files since that would provide access to the rest of the site. Databases are also prime targets. Local file inclusion and path traversal vulnerabilities could allow an attacker to steal the entire contents of a database in a worst case scenario.
For executable files, the danger is that getting access to them might allow an attacker to perform malicious activities such as destroying part of a site or even mounting some type of internal denial of service attack by squandering system resources. But the full scope of the danger is only limited by the attacker's ingenuity and skill, and whatever files they can access that already exist on the target server.
Removing the Threat Posed by Local File Inclusion and Path Traversal
The danger posed by local file inclusion and path traversal vulnerabilities can be eliminated with good cybersecurity practices. The most important thing to remember is never allowing user input in "file include" or other commands with similar functions. If an application must allow it, don't directly pass it on. Instead, use an indirect reference map. An indirect reference map takes user input and maps it to a set of hard-coded trusted values which can then be safely used.
As with many other vulnerabilities, pay particular attention to all user-controlled input areas such as cookies, HTTP headers and form parameters. Allowable input should be whitelisted, with everything else explicitly denied. Where this is not possible, use input validation to tightly regulate which values are allowed such as numbers, alphanumeric values etc.
More Information about Local File Inclusion and Path Traversal
For further reading, you can take a look at the OWASP testing guide for local file inclusion and path traversal exploits. You can also put your newfound defensive knowledge to the test with the free demo of the Secure Code Warrior platform, which trains cybersecurity teams to become the ultimate cyber warriors. To learn more about defeating this vulnerability, and a rogues'gallery of other threats, visit the Secure Code Warrior blog.
Jaap Karan Singh is a Secure Coding Evangelist, Chief Singh and co-founder of Secure Code Warrior.
Secure Code Warrior는 전체 소프트웨어 개발 라이프사이클에서 코드를 보호하고 사이버 보안을 최우선으로 생각하는 문화를 조성할 수 있도록 조직을 위해 여기 있습니다.AppSec 관리자, 개발자, CISO 또는 보안 관련 누구든 관계없이 조직이 안전하지 않은 코드와 관련된 위험을 줄일 수 있도록 도와드릴 수 있습니다.
데모 예약
Jaap Karan Singh is a Secure Coding Evangelist, Chief Singh and co-founder of Secure Code Warrior.
Unlike many vulnerabilities, exploiting local file inclusion and path traversal processes for nefarious purposes requires a sufficiently skilled attacker, a fair amount of time, and perhaps a bit of luck. That is not to say that this vulnerability can be ignored. Skilled attackers can use it to turn internal files against an organization, map out a directory structure or even steal password and user information that can be used for dangerous secondary attacks.
In this episode, we will learn:
- How hackers exploit local file inclusion and path traversal vulnerabilities
- Why allowing unrestricted local file inclusion and path traversal can be dangerous
- Policies and techniques that can be employed to find and fix this problem.
How do Attackers Exploit Local File Inclusion and Path Traversal?
The classic TV detective Columbo used to always say, "Just one more thing" right before delivering a valuable piece of information that would crack open the case at hand. It seemed inconsequential at the time, and was almost always ignored by the suspect, but always proved to be their undoing. The local file inclusion and path traversal vulnerabilities are a lot like that.
The local file inclusion and path traversal vulnerabilities use the dynamic file include mechanism that exists in most programming frameworks such as ASP, JSP and PHP scripts. For local file inclusion, an attacker slips the name of a file that exists on the local server into an area in a web application such as a header or form input area. The application processes the main input as normal, but also the include(page) or similar command. In path traversal, the attacker defines the path to a suspected file, normally using the dot, dot and slash (../) characters as variables. It's very much like Columbo in that the hacker really doesn't care about the first part of the argument. It's simply a means for them to add "just one more thing" at the end.
In either case, the attacker must normally perform a significant amount of trial and error. Unless they are very familiar with how the site is structured, guessing path configurations and file names could take a long time. That said, most sites follow specific patterns, and have more or less similar directories and file names. So it might not take a long as you think. And given that the payout is potentially very lucrative, there is a lot of incentive for hackers to try and exploit local file inclusion and path traversal vulnerabilities once found.
Why are Local File Inclusion and Path Traversal Vulnerabilities Dangerous?
Local file inclusion and path traversal vulnerabilities are dangerous because they can allow attackers to gain access to sensitive or critical files. For data files, the danger is that the hacker could obtain something valuable such as user passwords or other personal information. A primary target is often password or user configuration files since that would provide access to the rest of the site. Databases are also prime targets. Local file inclusion and path traversal vulnerabilities could allow an attacker to steal the entire contents of a database in a worst case scenario.
For executable files, the danger is that getting access to them might allow an attacker to perform malicious activities such as destroying part of a site or even mounting some type of internal denial of service attack by squandering system resources. But the full scope of the danger is only limited by the attacker's ingenuity and skill, and whatever files they can access that already exist on the target server.
Removing the Threat Posed by Local File Inclusion and Path Traversal
The danger posed by local file inclusion and path traversal vulnerabilities can be eliminated with good cybersecurity practices. The most important thing to remember is never allowing user input in "file include" or other commands with similar functions. If an application must allow it, don't directly pass it on. Instead, use an indirect reference map. An indirect reference map takes user input and maps it to a set of hard-coded trusted values which can then be safely used.
As with many other vulnerabilities, pay particular attention to all user-controlled input areas such as cookies, HTTP headers and form parameters. Allowable input should be whitelisted, with everything else explicitly denied. Where this is not possible, use input validation to tightly regulate which values are allowed such as numbers, alphanumeric values etc.
More Information about Local File Inclusion and Path Traversal
For further reading, you can take a look at the OWASP testing guide for local file inclusion and path traversal exploits. You can also put your newfound defensive knowledge to the test with the free demo of the Secure Code Warrior platform, which trains cybersecurity teams to become the ultimate cyber warriors. To learn more about defeating this vulnerability, and a rogues'gallery of other threats, visit the Secure Code Warrior blog.
Unlike many vulnerabilities, exploiting local file inclusion and path traversal processes for nefarious purposes requires a sufficiently skilled attacker, a fair amount of time, and perhaps a bit of luck. That is not to say that this vulnerability can be ignored. Skilled attackers can use it to turn internal files against an organization, map out a directory structure or even steal password and user information that can be used for dangerous secondary attacks.
In this episode, we will learn:
- How hackers exploit local file inclusion and path traversal vulnerabilities
- Why allowing unrestricted local file inclusion and path traversal can be dangerous
- Policies and techniques that can be employed to find and fix this problem.
How do Attackers Exploit Local File Inclusion and Path Traversal?
The classic TV detective Columbo used to always say, "Just one more thing" right before delivering a valuable piece of information that would crack open the case at hand. It seemed inconsequential at the time, and was almost always ignored by the suspect, but always proved to be their undoing. The local file inclusion and path traversal vulnerabilities are a lot like that.
The local file inclusion and path traversal vulnerabilities use the dynamic file include mechanism that exists in most programming frameworks such as ASP, JSP and PHP scripts. For local file inclusion, an attacker slips the name of a file that exists on the local server into an area in a web application such as a header or form input area. The application processes the main input as normal, but also the include(page) or similar command. In path traversal, the attacker defines the path to a suspected file, normally using the dot, dot and slash (../) characters as variables. It's very much like Columbo in that the hacker really doesn't care about the first part of the argument. It's simply a means for them to add "just one more thing" at the end.
In either case, the attacker must normally perform a significant amount of trial and error. Unless they are very familiar with how the site is structured, guessing path configurations and file names could take a long time. That said, most sites follow specific patterns, and have more or less similar directories and file names. So it might not take a long as you think. And given that the payout is potentially very lucrative, there is a lot of incentive for hackers to try and exploit local file inclusion and path traversal vulnerabilities once found.
Why are Local File Inclusion and Path Traversal Vulnerabilities Dangerous?
Local file inclusion and path traversal vulnerabilities are dangerous because they can allow attackers to gain access to sensitive or critical files. For data files, the danger is that the hacker could obtain something valuable such as user passwords or other personal information. A primary target is often password or user configuration files since that would provide access to the rest of the site. Databases are also prime targets. Local file inclusion and path traversal vulnerabilities could allow an attacker to steal the entire contents of a database in a worst case scenario.
For executable files, the danger is that getting access to them might allow an attacker to perform malicious activities such as destroying part of a site or even mounting some type of internal denial of service attack by squandering system resources. But the full scope of the danger is only limited by the attacker's ingenuity and skill, and whatever files they can access that already exist on the target server.
Removing the Threat Posed by Local File Inclusion and Path Traversal
The danger posed by local file inclusion and path traversal vulnerabilities can be eliminated with good cybersecurity practices. The most important thing to remember is never allowing user input in "file include" or other commands with similar functions. If an application must allow it, don't directly pass it on. Instead, use an indirect reference map. An indirect reference map takes user input and maps it to a set of hard-coded trusted values which can then be safely used.
As with many other vulnerabilities, pay particular attention to all user-controlled input areas such as cookies, HTTP headers and form parameters. Allowable input should be whitelisted, with everything else explicitly denied. Where this is not possible, use input validation to tightly regulate which values are allowed such as numbers, alphanumeric values etc.
More Information about Local File Inclusion and Path Traversal
For further reading, you can take a look at the OWASP testing guide for local file inclusion and path traversal exploits. You can also put your newfound defensive knowledge to the test with the free demo of the Secure Code Warrior platform, which trains cybersecurity teams to become the ultimate cyber warriors. To learn more about defeating this vulnerability, and a rogues'gallery of other threats, visit the Secure Code Warrior blog.
아래 링크를 클릭하고 이 리소스의 PDF를 다운로드하십시오.
Secure Code Warrior는 전체 소프트웨어 개발 라이프사이클에서 코드를 보호하고 사이버 보안을 최우선으로 생각하는 문화를 조성할 수 있도록 조직을 위해 여기 있습니다.AppSec 관리자, 개발자, CISO 또는 보안 관련 누구든 관계없이 조직이 안전하지 않은 코드와 관련된 위험을 줄일 수 있도록 도와드릴 수 있습니다.
보고서 보기데모 예약
Jaap Karan Singh is a Secure Coding Evangelist, Chief Singh and co-founder of Secure Code Warrior.
Unlike many vulnerabilities, exploiting local file inclusion and path traversal processes for nefarious purposes requires a sufficiently skilled attacker, a fair amount of time, and perhaps a bit of luck. That is not to say that this vulnerability can be ignored. Skilled attackers can use it to turn internal files against an organization, map out a directory structure or even steal password and user information that can be used for dangerous secondary attacks.
In this episode, we will learn:
- How hackers exploit local file inclusion and path traversal vulnerabilities
- Why allowing unrestricted local file inclusion and path traversal can be dangerous
- Policies and techniques that can be employed to find and fix this problem.
How do Attackers Exploit Local File Inclusion and Path Traversal?
The classic TV detective Columbo used to always say, "Just one more thing" right before delivering a valuable piece of information that would crack open the case at hand. It seemed inconsequential at the time, and was almost always ignored by the suspect, but always proved to be their undoing. The local file inclusion and path traversal vulnerabilities are a lot like that.
The local file inclusion and path traversal vulnerabilities use the dynamic file include mechanism that exists in most programming frameworks such as ASP, JSP and PHP scripts. For local file inclusion, an attacker slips the name of a file that exists on the local server into an area in a web application such as a header or form input area. The application processes the main input as normal, but also the include(page) or similar command. In path traversal, the attacker defines the path to a suspected file, normally using the dot, dot and slash (../) characters as variables. It's very much like Columbo in that the hacker really doesn't care about the first part of the argument. It's simply a means for them to add "just one more thing" at the end.
In either case, the attacker must normally perform a significant amount of trial and error. Unless they are very familiar with how the site is structured, guessing path configurations and file names could take a long time. That said, most sites follow specific patterns, and have more or less similar directories and file names. So it might not take a long as you think. And given that the payout is potentially very lucrative, there is a lot of incentive for hackers to try and exploit local file inclusion and path traversal vulnerabilities once found.
Why are Local File Inclusion and Path Traversal Vulnerabilities Dangerous?
Local file inclusion and path traversal vulnerabilities are dangerous because they can allow attackers to gain access to sensitive or critical files. For data files, the danger is that the hacker could obtain something valuable such as user passwords or other personal information. A primary target is often password or user configuration files since that would provide access to the rest of the site. Databases are also prime targets. Local file inclusion and path traversal vulnerabilities could allow an attacker to steal the entire contents of a database in a worst case scenario.
For executable files, the danger is that getting access to them might allow an attacker to perform malicious activities such as destroying part of a site or even mounting some type of internal denial of service attack by squandering system resources. But the full scope of the danger is only limited by the attacker's ingenuity and skill, and whatever files they can access that already exist on the target server.
Removing the Threat Posed by Local File Inclusion and Path Traversal
The danger posed by local file inclusion and path traversal vulnerabilities can be eliminated with good cybersecurity practices. The most important thing to remember is never allowing user input in "file include" or other commands with similar functions. If an application must allow it, don't directly pass it on. Instead, use an indirect reference map. An indirect reference map takes user input and maps it to a set of hard-coded trusted values which can then be safely used.
As with many other vulnerabilities, pay particular attention to all user-controlled input areas such as cookies, HTTP headers and form parameters. Allowable input should be whitelisted, with everything else explicitly denied. Where this is not possible, use input validation to tightly regulate which values are allowed such as numbers, alphanumeric values etc.
More Information about Local File Inclusion and Path Traversal
For further reading, you can take a look at the OWASP testing guide for local file inclusion and path traversal exploits. You can also put your newfound defensive knowledge to the test with the free demo of the Secure Code Warrior platform, which trains cybersecurity teams to become the ultimate cyber warriors. To learn more about defeating this vulnerability, and a rogues'gallery of other threats, visit the Secure Code Warrior blog.
목차
Jaap Karan Singh is a Secure Coding Evangelist, Chief Singh and co-founder of Secure Code Warrior.
Secure Code Warrior는 전체 소프트웨어 개발 라이프사이클에서 코드를 보호하고 사이버 보안을 최우선으로 생각하는 문화를 조성할 수 있도록 조직을 위해 여기 있습니다.AppSec 관리자, 개발자, CISO 또는 보안 관련 누구든 관계없이 조직이 안전하지 않은 코드와 관련된 위험을 줄일 수 있도록 도와드릴 수 있습니다.
데모 예약다운로드시작하는 데 도움이 되는 리소스
%20(1).avif)
.avif)
Threat Modeling with AI: Turning Every Developer into a Threat Modeler
Walk away better equipped to help developers combine threat modeling ideas and techniques with the AI tools they're already using to strengthen security, improve collaboration, and build more resilient software from the start.
