코더즈 컨커 보안: 공유 및 학습 시리즈 - 원격 파일 포함
Those of you reading this blog series might notice a lot of similarities between the remote file inclusion vulnerability and the local file inclusion and path traversal vulnerability discussed previously. Their root causes are similar, as are the recommended fixes.
In many ways, the remote file inclusion vulnerability is much more dangerous, and also easier to exploit, than its local file counterpart. As such, it should be found and remedied as soon as possible. Or better yet, web applications should be designed in such a way as to prevent it from occurring in the first place.
In this episode, we will learn:
- How hackers exploit the remote file inclusion vulnerability
- Why allowing remote file inclusion is dangerous
- Techniques that can fix this problem.
How do Attackers Exploit Remote File Inclusion?
The remote file inclusion vulnerability takes advantage of the "dynamic file include" command or mechanism that exists in most programming frameworks. The ability is intended to allow developers to use files located on a secondary server to execute activities on the application server. Obviously, this can be dangerous in the wrong hands.
How attackers exploit this ability is by finding any website or application that allows uncontrolled user input, which can come from things like HTTP headers or input areas in interactive forms. They use that as a launching point to generate file include commands.
For example, if a site uses the GET function to load pages, such as page = request.getParameter("page'); include page; then an attacker could send in a query using the page command, but with a URL of a site they control and file path to the file they want to execute. The query then gets passed to the server and the remote file is executed on the host. The activity is allowed because it is now part of the trusted app.
Why is the Remote File Inclusion Vulnerability Dangerous?
The level of danger posed by remote file inclusion is extremely high. Unlike with local file inclusion vulnerabilities, where files an attacker runs must exist on a host, and also be found by the attacker using trial and error, there are no restrictions like that with remote file inclusion. Obviously, an attacker knows the location of the files they want to exploit since they likely exist on their own machines, or sites they control. The files can also be hand chosen by them, and don't need to exist on the target machine prior to the exploit. The file might even consist of scripts specifically written to exploit a remote host.
In short, once an attacker is able to find and exploit a remote file inclusion vulnerability, there is nothing to stop them from gaining total control over an application or even an entire site. Certainly, no data stored there will be safe from their incursion.
Removing Remote File Inclusion Vulnerability
Never allow user input to pass directly to a file inclusion command for execution. Instead, use an indirect reference map of commands and only execute commands from there. An indirect reference map maps untrusted user input to a set of hardcoded trusted values on the server. Be sure to whitelist any areas where users can input data, and don't forget to include HTTP headers, form parameters and even cookies in that list. Doing that will close any window that an attacker looking to create a file include command can use.
As a bonus, proper sanitization and validation of user-generated content and employing reference maps to execute commands will not only squash the remote file inclusion vulnerability, but quite a few others as well, including this bug's dangerous cousin, the local file inclusion and path traversal exploit.
More Information about Remote File Inclusion
For further reading, you can take a look at the OWASP reference guide for remote file inclusion exploits. You can also put your newfound defensive knowledge to the test with the free demo of the Secure Code Warrior platform, which trains cybersecurity teams to become the ultimate cyber warriors. To learn more about defeating this vulnerability, and a rogues'gallery of other threats, visit the Secure Code Warrior blog.
Jaap Karan Singh is a Secure Coding Evangelist, Chief Singh and co-founder of Secure Code Warrior.
Secure Code Warrior는 전체 소프트웨어 개발 라이프사이클에서 코드를 보호하고 사이버 보안을 최우선으로 생각하는 문화를 조성할 수 있도록 조직을 위해 여기 있습니다.AppSec 관리자, 개발자, CISO 또는 보안 관련 누구든 관계없이 조직이 안전하지 않은 코드와 관련된 위험을 줄일 수 있도록 도와드릴 수 있습니다.
데모 예약
Jaap Karan Singh is a Secure Coding Evangelist, Chief Singh and co-founder of Secure Code Warrior.
Those of you reading this blog series might notice a lot of similarities between the remote file inclusion vulnerability and the local file inclusion and path traversal vulnerability discussed previously. Their root causes are similar, as are the recommended fixes.
In many ways, the remote file inclusion vulnerability is much more dangerous, and also easier to exploit, than its local file counterpart. As such, it should be found and remedied as soon as possible. Or better yet, web applications should be designed in such a way as to prevent it from occurring in the first place.
In this episode, we will learn:
- How hackers exploit the remote file inclusion vulnerability
- Why allowing remote file inclusion is dangerous
- Techniques that can fix this problem.
How do Attackers Exploit Remote File Inclusion?
The remote file inclusion vulnerability takes advantage of the "dynamic file include" command or mechanism that exists in most programming frameworks. The ability is intended to allow developers to use files located on a secondary server to execute activities on the application server. Obviously, this can be dangerous in the wrong hands.
How attackers exploit this ability is by finding any website or application that allows uncontrolled user input, which can come from things like HTTP headers or input areas in interactive forms. They use that as a launching point to generate file include commands.
For example, if a site uses the GET function to load pages, such as page = request.getParameter("page'); include page; then an attacker could send in a query using the page command, but with a URL of a site they control and file path to the file they want to execute. The query then gets passed to the server and the remote file is executed on the host. The activity is allowed because it is now part of the trusted app.
Why is the Remote File Inclusion Vulnerability Dangerous?
The level of danger posed by remote file inclusion is extremely high. Unlike with local file inclusion vulnerabilities, where files an attacker runs must exist on a host, and also be found by the attacker using trial and error, there are no restrictions like that with remote file inclusion. Obviously, an attacker knows the location of the files they want to exploit since they likely exist on their own machines, or sites they control. The files can also be hand chosen by them, and don't need to exist on the target machine prior to the exploit. The file might even consist of scripts specifically written to exploit a remote host.
In short, once an attacker is able to find and exploit a remote file inclusion vulnerability, there is nothing to stop them from gaining total control over an application or even an entire site. Certainly, no data stored there will be safe from their incursion.
Removing Remote File Inclusion Vulnerability
Never allow user input to pass directly to a file inclusion command for execution. Instead, use an indirect reference map of commands and only execute commands from there. An indirect reference map maps untrusted user input to a set of hardcoded trusted values on the server. Be sure to whitelist any areas where users can input data, and don't forget to include HTTP headers, form parameters and even cookies in that list. Doing that will close any window that an attacker looking to create a file include command can use.
As a bonus, proper sanitization and validation of user-generated content and employing reference maps to execute commands will not only squash the remote file inclusion vulnerability, but quite a few others as well, including this bug's dangerous cousin, the local file inclusion and path traversal exploit.
More Information about Remote File Inclusion
For further reading, you can take a look at the OWASP reference guide for remote file inclusion exploits. You can also put your newfound defensive knowledge to the test with the free demo of the Secure Code Warrior platform, which trains cybersecurity teams to become the ultimate cyber warriors. To learn more about defeating this vulnerability, and a rogues'gallery of other threats, visit the Secure Code Warrior blog.
Those of you reading this blog series might notice a lot of similarities between the remote file inclusion vulnerability and the local file inclusion and path traversal vulnerability discussed previously. Their root causes are similar, as are the recommended fixes.
In many ways, the remote file inclusion vulnerability is much more dangerous, and also easier to exploit, than its local file counterpart. As such, it should be found and remedied as soon as possible. Or better yet, web applications should be designed in such a way as to prevent it from occurring in the first place.
In this episode, we will learn:
- How hackers exploit the remote file inclusion vulnerability
- Why allowing remote file inclusion is dangerous
- Techniques that can fix this problem.
How do Attackers Exploit Remote File Inclusion?
The remote file inclusion vulnerability takes advantage of the "dynamic file include" command or mechanism that exists in most programming frameworks. The ability is intended to allow developers to use files located on a secondary server to execute activities on the application server. Obviously, this can be dangerous in the wrong hands.
How attackers exploit this ability is by finding any website or application that allows uncontrolled user input, which can come from things like HTTP headers or input areas in interactive forms. They use that as a launching point to generate file include commands.
For example, if a site uses the GET function to load pages, such as page = request.getParameter("page'); include page; then an attacker could send in a query using the page command, but with a URL of a site they control and file path to the file they want to execute. The query then gets passed to the server and the remote file is executed on the host. The activity is allowed because it is now part of the trusted app.
Why is the Remote File Inclusion Vulnerability Dangerous?
The level of danger posed by remote file inclusion is extremely high. Unlike with local file inclusion vulnerabilities, where files an attacker runs must exist on a host, and also be found by the attacker using trial and error, there are no restrictions like that with remote file inclusion. Obviously, an attacker knows the location of the files they want to exploit since they likely exist on their own machines, or sites they control. The files can also be hand chosen by them, and don't need to exist on the target machine prior to the exploit. The file might even consist of scripts specifically written to exploit a remote host.
In short, once an attacker is able to find and exploit a remote file inclusion vulnerability, there is nothing to stop them from gaining total control over an application or even an entire site. Certainly, no data stored there will be safe from their incursion.
Removing Remote File Inclusion Vulnerability
Never allow user input to pass directly to a file inclusion command for execution. Instead, use an indirect reference map of commands and only execute commands from there. An indirect reference map maps untrusted user input to a set of hardcoded trusted values on the server. Be sure to whitelist any areas where users can input data, and don't forget to include HTTP headers, form parameters and even cookies in that list. Doing that will close any window that an attacker looking to create a file include command can use.
As a bonus, proper sanitization and validation of user-generated content and employing reference maps to execute commands will not only squash the remote file inclusion vulnerability, but quite a few others as well, including this bug's dangerous cousin, the local file inclusion and path traversal exploit.
More Information about Remote File Inclusion
For further reading, you can take a look at the OWASP reference guide for remote file inclusion exploits. You can also put your newfound defensive knowledge to the test with the free demo of the Secure Code Warrior platform, which trains cybersecurity teams to become the ultimate cyber warriors. To learn more about defeating this vulnerability, and a rogues'gallery of other threats, visit the Secure Code Warrior blog.
아래 링크를 클릭하고 이 리소스의 PDF를 다운로드하십시오.
Secure Code Warrior는 전체 소프트웨어 개발 라이프사이클에서 코드를 보호하고 사이버 보안을 최우선으로 생각하는 문화를 조성할 수 있도록 조직을 위해 여기 있습니다.AppSec 관리자, 개발자, CISO 또는 보안 관련 누구든 관계없이 조직이 안전하지 않은 코드와 관련된 위험을 줄일 수 있도록 도와드릴 수 있습니다.
보고서 보기데모 예약
Jaap Karan Singh is a Secure Coding Evangelist, Chief Singh and co-founder of Secure Code Warrior.
Those of you reading this blog series might notice a lot of similarities between the remote file inclusion vulnerability and the local file inclusion and path traversal vulnerability discussed previously. Their root causes are similar, as are the recommended fixes.
In many ways, the remote file inclusion vulnerability is much more dangerous, and also easier to exploit, than its local file counterpart. As such, it should be found and remedied as soon as possible. Or better yet, web applications should be designed in such a way as to prevent it from occurring in the first place.
In this episode, we will learn:
- How hackers exploit the remote file inclusion vulnerability
- Why allowing remote file inclusion is dangerous
- Techniques that can fix this problem.
How do Attackers Exploit Remote File Inclusion?
The remote file inclusion vulnerability takes advantage of the "dynamic file include" command or mechanism that exists in most programming frameworks. The ability is intended to allow developers to use files located on a secondary server to execute activities on the application server. Obviously, this can be dangerous in the wrong hands.
How attackers exploit this ability is by finding any website or application that allows uncontrolled user input, which can come from things like HTTP headers or input areas in interactive forms. They use that as a launching point to generate file include commands.
For example, if a site uses the GET function to load pages, such as page = request.getParameter("page'); include page; then an attacker could send in a query using the page command, but with a URL of a site they control and file path to the file they want to execute. The query then gets passed to the server and the remote file is executed on the host. The activity is allowed because it is now part of the trusted app.
Why is the Remote File Inclusion Vulnerability Dangerous?
The level of danger posed by remote file inclusion is extremely high. Unlike with local file inclusion vulnerabilities, where files an attacker runs must exist on a host, and also be found by the attacker using trial and error, there are no restrictions like that with remote file inclusion. Obviously, an attacker knows the location of the files they want to exploit since they likely exist on their own machines, or sites they control. The files can also be hand chosen by them, and don't need to exist on the target machine prior to the exploit. The file might even consist of scripts specifically written to exploit a remote host.
In short, once an attacker is able to find and exploit a remote file inclusion vulnerability, there is nothing to stop them from gaining total control over an application or even an entire site. Certainly, no data stored there will be safe from their incursion.
Removing Remote File Inclusion Vulnerability
Never allow user input to pass directly to a file inclusion command for execution. Instead, use an indirect reference map of commands and only execute commands from there. An indirect reference map maps untrusted user input to a set of hardcoded trusted values on the server. Be sure to whitelist any areas where users can input data, and don't forget to include HTTP headers, form parameters and even cookies in that list. Doing that will close any window that an attacker looking to create a file include command can use.
As a bonus, proper sanitization and validation of user-generated content and employing reference maps to execute commands will not only squash the remote file inclusion vulnerability, but quite a few others as well, including this bug's dangerous cousin, the local file inclusion and path traversal exploit.
More Information about Remote File Inclusion
For further reading, you can take a look at the OWASP reference guide for remote file inclusion exploits. You can also put your newfound defensive knowledge to the test with the free demo of the Secure Code Warrior platform, which trains cybersecurity teams to become the ultimate cyber warriors. To learn more about defeating this vulnerability, and a rogues'gallery of other threats, visit the Secure Code Warrior blog.
목차
Jaap Karan Singh is a Secure Coding Evangelist, Chief Singh and co-founder of Secure Code Warrior.
Secure Code Warrior는 전체 소프트웨어 개발 라이프사이클에서 코드를 보호하고 사이버 보안을 최우선으로 생각하는 문화를 조성할 수 있도록 조직을 위해 여기 있습니다.AppSec 관리자, 개발자, CISO 또는 보안 관련 누구든 관계없이 조직이 안전하지 않은 코드와 관련된 위험을 줄일 수 있도록 도와드릴 수 있습니다.
데모 예약다운로드시작하는 데 도움이 되는 리소스
%20(1).avif)
.avif)
Threat Modeling with AI: Turning Every Developer into a Threat Modeler
Walk away better equipped to help developers combine threat modeling ideas and techniques with the AI tools they're already using to strengthen security, improve collaboration, and build more resilient software from the start.
