Security Hub

Bring your software development workflows to security


Local File Inclusion

Signals & Triggers

On file system access
If user input matched in file access command

Actions

  • Prevent command execution
  • Block incoming HTTP request
  • Send a Slack notification
  • Send an email notification
  • POST to webhook
  • Log request stack trace

Details

Sqreen prevents attackers from accessing the server’s file system to perform Local File Inclusion attacks.

Let’s say we have the following payload:

{
    "image": "myImage.jpg"
}

This results in the following call: open('imgs/user1/myImage.jpg'). It lets a user legitimately access one of their own images through the web server.

A malicious attacker would try to abuse this by crafting a payload:

{
    "image": "../user2/hisImage.jpg"
}

This would result in the following call: open('imgs/user1/../user2/hisImage.jpg'). The ../ segment is resolved by the operating system, so the path escapes user1's directory and gives the attacker access to someone else's images.

The same traversal can be used to execute arbitrary code when the user-controlled path reaches a module inclusion (include in PHP, require in Node.js, etc.): the attacker then chooses which file the interpreter loads, not just which file is read.

Advanced details

When an HTTP request triggers a file access, this plugin fires on either of the following conditions:

  • the whole path is injected by the user and starts at the filesystem root (/ on UNIX systems)
  • the user input traverses back towards the root of the server's filesystem (the attacker managed to inject a ../ segment into the path)
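As an added example, not Sqreen's own code, the following Python reproduces the scenario from the Details section and the two trigger conditions above: the unsafe concatenation that produces open('imgs/user1/<image>'), a classifier that flags an absolute path or a ../ that resolves outside the user's directory, and a hardened path builder that refuses both. The imgs/<user>/ layout, the JSON field name and the sample payloads are assumptions taken from the page's example; posixpath is used so the result is the same on any host.

```python
import json
import posixpath

# Constructed layout from the page: each user's images live under imgs/<user>/
# and the request body carries the file name in a JSON field "image".
BASE_DIR = "imgs"


def vulnerable_image_path(user, image):
    """The unsafe concatenation from the page: open('imgs/user1/<image>').

    Nothing is validated, so '../user2/hisImage.jpg' walks out of user1's
    directory and an absolute path would be opened as-is.
    """
    return f"{BASE_DIR}/{user}/{image}"


def classify_file_access(user_dir, user_input):
    """Reproduce the two trigger conditions from "Advanced details".

    Returns 'absolute'  when the user supplied a whole path rooted at /,
            'traversal' when '.' / '..' segments resolve outside user_dir,
            'invalid'   for an empty file name,
            'ok'        when the resolved path is a file strictly inside user_dir.
    posixpath mirrors UNIX semantics only: backslashes are not separators here,
    and URL decoding must already have happened before this check.
    """
    if not user_input:
        return "invalid"
    # Condition 1: the whole path starts at the filesystem root.
    if posixpath.isabs(user_input):
        return "absolute"
    # Condition 2: resolve '.' and '..' the way the OS will, then check
    # whether the result still lies inside the caller's own directory.
    resolved = posixpath.normpath(posixpath.join(user_dir, user_input))
    if not resolved.startswith(user_dir.rstrip("/") + "/"):
        return "traversal"
    return "ok"


def safe_image_path(user, image):
    """Hardened version: only return a path that stays inside imgs/<user>/."""
    user_dir = f"{BASE_DIR}/{user}"
    verdict = classify_file_access(user_dir, image)
    if verdict != "ok":
        # This is the point where a request would be blocked and the payload,
        # stack trace and client address recorded.
        raise PermissionError(f"LFI attempt ({verdict}): {image!r}")
    return posixpath.normpath(posixpath.join(user_dir, image))


def handle_request(user, body):
    """Parse a JSON body like the page's and return (verdict, path the
    vulnerable code would have opened)."""
    image = json.loads(body).get("image", "")
    verdict = classify_file_access(f"{BASE_DIR}/{user}", image)
    return verdict, vulnerable_image_path(user, image)


if __name__ == "__main__":
    # Constructed payloads: the legitimate one and the attacker's one from the
    # page, plus an absolute path for the first trigger condition.
    for body in ('{"image": "myImage.jpg"}',
                 '{"image": "../user2/hisImage.jpg"}',
                 '{"image": "/etc/passwd"}'):
        verdict, path = handle_request("user1", body)
        print(f"{verdict:9s} open({path!r})")
```

Note that '../user1/myImage.jpg' or 'sub/../myImage.jpg' are reported as ok because they resolve back inside the user's directory; a stricter policy that rejects any '..' component is a one-line change in classify_file_access.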

Language support

  • Python
  • Node.js
  • PHP
  • Java

Data collected by Sqreen

By default: no data collected

On attack:
  • Request payload
  • Stack trace
  • Attacker IP
  • Attacker account (Sqreen SDK)

Build amazing products. Keep them safe.

Dive into Sqreen with our 14-day trial, and experience seamless security.