1. Local File Inclusion & Path Traversal
OWASP Web App Top 10
by Secure Code Warrior Limited is licensed under CC BY-ND 4.0
2. What is it?
"Local File Inclusion (LFI)" is a vulnerability that allows files hosted on the server to be included in a page and potentially also executed. Using "path traversal", files located outside of the current folder can be accessed.
What causes it?
This vulnerability exploits the "dynamic file include" mechanism that exists in programming frameworks. A local file inclusion happens when uncontrolled user input (forms, headers, …) is used as a parameter to "file include" commands. Path traversal is possible because sequences like '../' (or their encoded versions) are not filtered out before the include is performed.
What could happen?
Depending on system access restrictions, various sensitive files could be read or executed. Password files, database configuration files or the database content itself could be stolen. Remote code could get executed.
How to prevent it?
Never directly pass user input to "file include" commands: use an indirect reference map instead. Alternatively, apply white-list validation against all user-controllable input, e.g. reject '../' and encoded variants.
3. Local File Inclusion / Path traversal
Understanding the security vulnerability

A vulnerable site uses the 'page' parameter, which it includes to dynamically build the content of the site:

    http://site.com/?page=home

On the application server, the parameter goes straight into the include (PHP form of the slide's pseudocode; this is the vulnerable code the slide describes):

    <?php
    $page = $_GET['page'];   // uncontrolled user input
    include($page);          // dynamic file include, no validation

An attacker uses the 'page' parameter to craft a URL to try to access sensitive files in other directories. Using path traversal and trial and error, he submits manipulated requests to the application server:

    http://site.com/?page=../../../../etc/passwd
    http://site.com/?page=../../../../../etc/passwd
    http://site.com/?page=../../../../../../etc/passwd

Eventually he finds the correct path. User account information (/etc/passwd) is returned to the output:

    …
    root:x:0:0:root:/root:/bin/bash
    bin:x:1:1:bin:/bin:/sbin/nologin
    daemon:x:2:2:daemon:/sbin:/sbin/nologin
    alex:x:500:500:alex:/home/alex:/bin/bash
    …
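The trial-and-error requests above leave a recognisable trace in the web server's access log. The following detector is an added example (not part of the Secure Code Warrior slides): it parses combined-format log lines, URL-decodes the request target repeatedly so that encoded and double-encoded variants of '../' are caught, and counts attempts per client. The log lines, IP addresses and timestamps are constructed for this example.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access log (combined-log style), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /?page=home HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /?page=../../../../etc/passwd HTTP/1.1" 200 312
203.0.113.7 - - [10/Oct/2023:13:55:44 +0000] "GET /?page=..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 312
203.0.113.7 - - [10/Oct/2023:13:55:49 +0000] "GET /?page=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 312
198.51.100.9 - - [10/Oct/2023:13:56:02 +0000] "GET /?page=about HTTP/1.1" 200 4801
198.51.100.9 - - [10/Oct/2023:13:56:10 +0000] "GET /static/img..png HTTP/1.1" 200 8800
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A '..' path segment followed by a separator (or end of string) after normalisation.
TRAVERSAL_RE = re.compile(r'\.\.(/|$)')


def normalize_target(target: str, rounds: int = 3) -> str:
    """URL-decode until stable (catches %2e%2e%2f and double-encoded %252e) and unify '\\' to '/'."""
    decoded = target
    for _ in range(rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def is_traversal_attempt(target: str) -> bool:
    """True if the decoded request target contains a '../' style traversal sequence."""
    return TRAVERSAL_RE.search(normalize_target(target)) is not None


def find_traversal_attempts(log_text: str) -> list:
    """Return one record per log line whose target looks like a path-traversal attempt."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        if is_traversal_attempt(m["target"]):
            hits.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "target": m["target"],
                "decoded": normalize_target(m["target"]),
                # a 200 on a traversal request is the case worth escalating first
                "served": m["status"] == "200",
            })
    return hits


def attempts_per_client(hits: list) -> Counter:
    """Count flagged requests per client IP; repeated attempts are the trial-and-error signature."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = find_traversal_attempts(SAMPLE_LOG)
    for h in found:
        print(f'{h["ip"]} {h["ts"]} served={h["served"]} {h["decoded"]}')
    print(attempts_per_client(found))
```

The decode-until-stable loop matters: a filter that decodes once misses `%252e%252e%252f`, and a filter that never decodes misses `%2e%2e%2f`. The `img..png` line shows why the check requires a separator after the two dots, so legitimate file names containing `..` are not flagged.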
4. Local File Inclusion / Path traversal
Realizing the impact
Next to reading files, advanced attacks can also result in the execution of arbitrary malicious code under specific circumstances.
A compromised server could lead to availability loss and cause reputational and financial damages.
Customer data could get exposed, leading to privacy issues, reputational and financial damages.
5. Local File Inclusion / Path traversal
Preventing the mistake

Use indirect object reference maps: the client sends only a static ID, and the server looks up the target page.

    /index?page=about.html   (direct reference to a file name)
    /index?page=1            (indirect reference: static ID)

    Indirect object reference map
    Static ID   targetPage
    1           about.html
    2           home.html

Apply white-list input validation to all user-controllable input: form parameters, cookies, HTTP headers. Pay special attention to '../' and encoded variants.
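Both prevention slides ("How to prevent it?" and "Preventing the mistake") describe the same two controls. The following is an added example, not code from the Secure Code Warrior slides, showing them together in Python: an indirect object reference map with the slide's IDs (1 → about.html, 2 → home.html) as the primary mechanism, and a white-list validator as the fallback that decodes the input until stable, rejects '../' and separators, allows only a strict file-name pattern, and finally confirms the canonical path still lies inside the base directory. The page names, file contents and the temporary directory are constructed for the example.

```python
import os
import re
import tempfile
from urllib.parse import unquote

# 1. Indirect object reference map (static ID -> target page), as on the slide.
#    The client never sends a file name, so nothing user-controlled reaches the include.
PAGE_MAP = {"1": "about.html", "2": "home.html"}

# 2. White-list pattern for the fallback path: letters, digits, '_' and '-', ending in .html.
ALLOWED_NAME = re.compile(r'^[A-Za-z0-9_-]+\.html$')


def resolve_by_id(page_id: str):
    """Map a static ID to a page name; unknown IDs return None."""
    return PAGE_MAP.get(page_id)


def decode_until_stable(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so '%2e%2e%2f' and double-encoded '%252e' forms are both uncovered."""
    for _ in range(rounds):
        nxt = unquote(value)
        if nxt == value:
            break
        value = nxt
    return value


def validate_page_name(name: str, base_dir: str):
    """White-list validation. Returns the absolute path inside base_dir, or None if rejected."""
    decoded = decode_until_stable(name)
    # reject traversal tokens, separators and NUL bytes outright (encoded variants already decoded)
    if ".." in decoded or "/" in decoded or "\\" in decoded or "\x00" in decoded:
        return None
    if not ALLOWED_NAME.fullmatch(decoded):
        return None
    base = os.path.realpath(base_dir)
    full = os.path.realpath(os.path.join(base, decoded))
    # defence in depth: realpath resolves symlinks, so a link pointing outside base is caught here
    if os.path.commonpath([base, full]) != base:
        return None
    return full


def load_page(page_param: str, base_dir: str):
    """Serve a page: prefer the reference map, fall back to white-list validation; None if refused."""
    mapped = resolve_by_id(page_param)
    if mapped is not None:
        full = os.path.join(os.path.realpath(base_dir), mapped)
    else:
        full = validate_page_name(page_param, base_dir)
    if full is None or not os.path.isfile(full):
        return None
    with open(full, encoding="utf-8") as fh:
        return fh.read()


def demo() -> dict:
    """Create a throwaway web root with two pages and exercise the loader with benign and hostile input."""
    with tempfile.TemporaryDirectory() as web_root:
        for fname, body in (("about.html", "<h1>About</h1>"), ("home.html", "<h1>Home</h1>")):
            with open(os.path.join(web_root, fname), "w", encoding="utf-8") as fh:
                fh.write(body)
        inputs = [
            "1", "2", "about.html", "3",                 # map hits, a valid name, an unknown ID
            "../../../../etc/passwd",                    # plain traversal from the slide
            "..%2F..%2Fetc%2Fpasswd",                    # URL-encoded separators
            "%252e%252e%252fetc%252fpasswd",             # double-encoded
        ]
        return {p: load_page(p, web_root) for p in inputs}


if __name__ == "__main__":
    for param, result in demo().items():
        print(f"{param!r:40} -> {result!r}")
```

The reference map is the stronger control because the attacker's input never becomes part of a path; the validator exists only for routes where a name must be accepted, and its last check (canonical path inside the base directory) covers what a character filter alone cannot, such as a symlink inside the web root.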