JANUARY 9, 2024

FILE PATH TRAVERSAL

FILE INCLUSION VULNERABILITIES
FILE UPLOAD VULNERABILITIES

SAKTHI AYYAPPAN
 FILE PATH TRAVERSAL

• A web security vulnerability that allows attackers to access files and

directories on a server that they shouldn't have access to.

• It happens when a web application improperly validates or sanitizes

user-supplied input that's used to construct file paths.

• Attackers exploit this vulnerability by injecting special characters

(like "..") into file paths to "navigate" up the directory structure and

access sensitive files outside the intended web root.

• This allows an attacker to access files on your web server to which

they should not have access.

• They do this by tricking either the web server or the web application

running on it into returning files that exist outside of the web root

folder.
IMPACTS OF FILE PATH TRAVERSAL:

Exposure of sensitive data(Confidentiality)

Attackers can access and steal source code, leading to:

• Loss of intellectual property

• Identification of further vulnerabilities within the code

• Reverse engineering of proprietary algorithms or business logic

Configuration files:

Access to sensitive configuration files can reveal:

• Database credentials

• API keys
 • Authentication secrets

• Passwords for other services

User data:

Exposure of user data can include:

• Personal information (names, addresses, email addresses, social

security numbers)

• Financial records (credit card numbers, bank account details)

• Health records

• Passwords

System files:

Access to system files can expose:

• System configuration

• User accounts and permissions

Modification of files:

Attackers can modify sensitive files which leads to

 • Website defacement: Altering web pages to display malicious

content or propaganda, damaging reputation and brand trust.

• Injection of malicious code: Injecting malware or backdoors to

maintain persistent access, steal data, or launch further attacks.

• Alteration of system settings: Changing system configurations to

disrupt operations or create security loopholes.

• Disruption of business operations: Tampering with critical files can

cause service outages, delays, and financial losses.

Additionally,

Denial of service (DoS) attacks:

• Attackers can exploit path traversal to Overwhelm servers with

resource-intensive requests, causing crashes or slowdowns.

• Render websites or applications unavailable to legitimate

users, impacting productivity and customer experience.

Compliance violations:

• Non-compliance with data protection regulations: Unauthorized

access to sensitive data due to path traversal can lead to violations

 Several impacts include :

• GDPR (General Data Protection Regulation) in Europe

• CCPA (California Consumer Privacy Act) in the US

FILE INCLUSION VULNERABILITY :

• File Inclusion vulnerabilities often affect web applications

that rely on a scripting run time, and occur when a web

application allows users to submit input into files or upload

files to the server.

• They are often found in poorly- written applications.

 • File Inclusion vulnerabilities allow an attacker to read and

sometimes execute files on the victim server or, as is the

case with Remote File Inclusion, to execute code hosted on

the attacker’s machine.

Understanding the types of file inclusion vulnerabilities :

File inclusion vulnerabilities come in two types ,they are

• LOCAL FILE INCLUSION

• REMOTE FILE INCLUSION

LOCAL FILE INCLUSION :

• Local File Inclusion is an attack technique in which attackers

trick a web application into either running or exposing files

on a web server.

• LFI attacks can expose sensitive information, and in severe

cases, they can lead to cross-site scripting (XSS) and

remote code execution.

• LFI is listed as one of the OWASP Top 10 web application

vulnerabilities.
• File inclusions are a key to any server-side scripting

language, and allow the content of files to be used as part

of web application code.

Here is an example of how LFI can enable attackers to extract

sensitive information from a server.

• If the application uses code like this, which includes the

name of a file in the URL:

https://example-site.com/?module=contact.php

• An attacker can change the URL to look like this:

https://example-site.com/?module=/etc/passwd

• In the absence of proper filtering, the server will display

the sensitive content of the /etc/passwd file.

REMOTE FILE INCLUSION:

• Remote file inclusion (RFI) is an attack

targeting vulnerabilities in web applications that
dynamically reference external scripts.

• The perpetrator’s goal is to exploit the referencing

function in an application to upload malware
(e.g., backdoor shells) from a remote URL located within
a different domain.

• The consequences of a successful RFI attack include

information theft, compromised servers and a
site takeover that allows for content modification
WORKING OF RFI:
DIFFERENCES BETWEEN LFI AND RFI :

Similar to RFI, local file inclusion (LFI) is a vector that involves

uploading malicious files to servers via web browsers.

• The two vectors are often referenced together in the context

of file inclusion attacks.

• In both cases, a successful attack results in malware being

uploaded to the targeted server.

However, unlike RFI, LFI assaults aim to exploit insecure local file

upload functions that fail to validate user-supplied/controlled

input.
 • As a result, malicious character uploads and directory/path

traversal attacks are allowed for.

• Perpetrators can then directly upload malware to a

compromised system, as opposed to retrieving it using a

tempered external referencing function from a remote

location.

IMPACTS OF FILE INCLUSION VULNERABILITY ;

Unauthorized Access to Files:

• LFI: Attackers can access sensitive files on the server, such

as configuration files, password files, and other critical

system files.
 • RFI: Attackers can include and execute files from a remote

server, potentially allowing them to upload malicious scripts

or gain control over the server.

Code Execution:

• LFI: If the application includes user input without proper

validation, attackers may be able to execute arbitrary code

within the context of the web server, leading to remote code

execution.

• RFI: Remote code execution is a significant risk with RFI as

attackers can include and execute malicious code hosted on

a remote server.

Information Disclosure:

• LFI: Attackers can read sensitive information from files,

leading to the exposure of critical data, such as database

credentials, encryption keys, or other confidential

information.
 • RFI: Similar to LFI, RFI can also lead to the disclosure of

sensitive information.

Denial of Service (DoS):

• LFI: If an attacker can manipulate the inclusion process, they

might cause the server to include numerous files, leading to

resource exhaustion and a potential denial of service.

• RFI: By including large or resource-intensive files from

remote servers, an attacker might overwhelm the server and

cause a denial of service.

Malware Injection:

• RFI: Attackers can use RFI to inject malicious code into the

web application, potentially spreading malware to users who

access the compromised pages.

Session Hijacking:

• LFI: If the application stores session data in files on the

server, an attacker might use LFI to access and manipulate

session files, leading to session hijacking.

Web Defacement:

• RFI: Attackers can use RFI to include content from a remote

server, replacing legitimate content with malicious or

defaced content.

FILE UPLOAD VULNERABILITY

• A file upload vulnerability is a security weakness in a web

application that allows attackers to upload malicious files to

the server.

• These vulnerabilities can have serious consequences,

ranging from data breaches and website defacement to

complete server compromise.

key aspects of file upload vulnerabilities:

• The application allows users to upload files like

images, documents, or videos.

• The application fails to properly validate or sanitize the

uploaded files.

• Attackers exploit this weakness by uploading specially

crafted files containing malicious code or commands.

• Once uploaded, the server processes or stores the malicious

files, giving attackers potential access to the system.

Types of vulnerabilities:

• Unrestricted file upload: The application allows uploading

any type of file without restrictions.

• Executable file upload: The application allows uploading files

that can be executed as code on the server, leading to

remote code execution (RCE) vulnerabilities.

 • Path traversal vulnerabilities: Attackers can manipulate file

paths to access unauthorized files on the server.

• Directory traversal vulnerabilities: Attackers can exploit

directory paths to navigate beyond the intended upload

directory and access sensitive data.

IMPACTS OF FILE UPLOAD VULNERABILITY :

• Data breaches: Attackers can access and steal sensitive

information stored on the server, such as user

data, passwords, or financial records.

• Website defacement: Attackers can modify website content

to display malicious content or propaganda.

• Remote code execution (RCE): Attackers can gain complete

control over the server, allowing them to steal data, install

malware, or launch further attacks.

• Denial-of-service (DoS) attacks: Attackers can upload large

or resource-intensive files to crash the server or make it

unavailable to legitimate users.

• Reputational damage: Data breaches and website

defacement can damage the organization's reputation and

erode customer trust.

REFERENCES :

• https://brightsec.com/blog/file-inclusion-vulnerabilities/#what-are-

file-inclusion-vuln

• https://brightsec.com/blog/local-file-inclusion-

lfi/#:~:text=Local%20File%20Inclusion%20is%20an,XSS)%20a

nd%20remote%20code%20execution.