The smartest and easiest way to improve your software security. Secure your code, from the start.

Coders Conquer Security: Share & Learn Series - Local File Inclusion and Path Traversal

5th July 2019

Unlike many vulnerabilities, exploiting local file inclusion and path traversal processes for nefarious purposes requires a sufficiently skilled attacker, a fair amount of time, and perhaps a bit of luck. That is not to say that this vulnerability can be ignored. Skilled attackers can use it to turn internal files against an organization, map out a directory structure or even steal password and user information that can be used for dangerous secondary attacks.

In this episode, we will learn:

  • How hackers exploit local file inclusion and path traversal vulnerabilities
  • Why allowing unrestricted local file inclusion and path traversal can be dangerous
  • Policies and techniques that can be employed to find and fix this problem

How do Attackers Exploit Local File Inclusion and Path Traversal?

The classic TV detective Columbo used to always say, “Just one more thing” right before delivering a valuable piece of information that would crack open the case at hand. It seemed inconsequential at the time, and was almost always ignored by the suspect, but always proved to be their undoing. The local file inclusion and path traversal vulnerabilities are a lot like that.

The local file inclusion and path traversal vulnerabilities use the dynamic file include mechanism that exists in most programming frameworks such as ASP, JSP and PHP scripts. For local file inclusion, an attacker slips the name of a file that exists on the local server into an area in a web application such as a header or form input area. The application processes the main input as normal, but also the include(page) or similar command. In path traversal, the attacker defines the path to a suspected file, normally using the dot, dot and slash (../) characters as variables. It’s very much like Columbo in that the hacker really doesn’t care about the first part of the argument. It’s simply a means for them to add “just one more thing” at the end.

In either case, the attacker must normally perform a significant amount of trial and error. Unless they are very familiar with how the site is structured, guessing path configurations and file names could take a long time. That said, most sites follow specific patterns, and have more or less similar directories and file names. So it might not take a long as you think. And given that the payout is potentially very lucrative, there is a lot of incentive for hackers to try and exploit local file inclusion and path traversal vulnerabilities once found.

Why are Local File Inclusion and Path Traversal Vulnerabilities Dangerous?

Local file inclusion and path traversal vulnerabilities are dangerous because they can allow attackers to gain access to sensitive or critical files. For data files, the danger is that the hacker could obtain something valuable such as user passwords or other personal information. A primary target is often password or user configuration files since that would provide access to the rest of the site. Databases are also prime targets. Local file inclusion and path traversal vulnerabilities could allow an attacker to steal the entire contents of a database in a worst case scenario.

For executable files, the danger is that getting access to them might allow an attacker to perform malicious activities such as destroying part of a site or even mounting some type of internal denial of service attack by squandering system resources. But the full scope of the danger is only limited by the attacker’s ingenuity and skill, and whatever files they can access that already exist on the target server.

Removing the Threat Posed by Local File Inclusion and Path Traversal

The danger posed by local file inclusion and path traversal vulnerabilities can be eliminated with good cybersecurity practices. The most important thing to remember is never allowing user input to contain “file include” or other commands with similar functions. If an application must allow it, don’t directly pass it on. Instead, use an indirect reference map.

As with many other vulnerabilities, pay particular attention to all user controlled input areas such as cookies, HTTP headers and form parameters. Allowable input should be whitelisted, with everything else explicitly denied. And, one of the best things you can do to stop local file inclusion and path traversal exploits is to blacklist any input that contains dot, dot and slash (../) characters as they are almost always needed to trigger this kind of vulnerability.

More Information about Local File Inclusion and Path Traversal

For further reading, you can take a look at the OWASP testing guide for local file inclusion and path traversal exploits. You can also put your newfound defensive knowledge to the test with the free demo of the Secure Code Warrior platform, which trains cybersecurity teams to become the ultimate cyber warriors. To learn more about defeating this vulnerability, and a rogues’ gallery of other threats, visit the Secure Code Warrior blog.

Ready to sniff out this vulnerability right now? Head to our gamified training arena and test your skills:

"coder"​ && "hacker"​ && "product_designer"

View Comments