Where Remote File Inclusion (RFI) Attacks Fall in the Security Threat Landscape


Published on

We are introducing new security algorithms to further improve our Remote File Inclusion (RFI) protective measures.

These new security features leverage Incapsula's native crowdsourcing capabilities to gain intelligence about Backdoor shells, RFI attack patterns and zero-day threats.

The technology behind our reputation-based algorithms is based on a security research of billions of web sessions over a 6-month period.

This research yielded some interesting facts about RFI attacks, which we documented for the benefit of whitehats, developers and website owners.

Published in: Technology, News & Politics
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Where Remote File Inclusion (RFI) Attacks Fall in the Security Threat Landscape

  1. 1. RFI Attacks in the Security Landscape Incapsula: Website Security and Acceleration
  2. 2. Methodology • The following facts and figures are based on data from billions of sessions, which were managed by Incapsula’s CDN, over a 6-month period. • Session data was collected and analyzed by Incapsula’s proprietary traffic profiling security algorithms. • Links lifespan information is based on a sampled data from a group of 1,000 RFI links, which carry 226 different types of backdoor shells and shell variants. • All data was aggregated from Incapsula’s crowd-sourced database, dedicated to an ongoing research of RFI attacks and backdoor shell behavior.
  3. 3. Attack Description Remote File Inclusion (RFI) attacks abuse user-input and file-validation vulnerabilities to upload a malicious payload from a remote location. With such shells, an attacker's goal is to circumvent all security measures by gaining high- privileged access to website, web application and web hosting server controls.
  4. 4. • RFI attacks are popular for their ease of automation and high damage potential. • RFI circumvents other security measures, offering the best ROI for an attacker. • RFI attacks are executed via widely available automated tools.
  5. 5. • Many websites still carry known/patched RFI vulnerabilities. • Patching is not an effective wide-scale solution. • Compromised websites are hijacked for malware distribution and DDoS attacks. • Compromised site is a persistent threat to itself, its visitor and other websites.
  6. 6. • RFI links serve as centralized distributers of Backdoor Shells. • Many RFI links are re-used for multiple attacks, with different attacks vectors, on various targets. • The lifespan of RFI links averages over 60 days, making them great candidates for long-term intelligence gathering.
  7. 7. • High-visibility RFI attacks will result in defacement or manipulation of content. • The attacker will often prefer a more subtle approach, using the compromised site as long-term resource for DDoS, data-theft and malware distribution. • One compromised site can endanger the whole server!
  8. 8. • Masked Gif files are the “backdoor of choice” for RFI attacks. • Gif’s popularity is influenced by the popularity of TimThumb vulnerability. • Gif’s are used to mask large shells and droppers alike.
  9. 9. Conclusions • Signature-based methods are effective against most RFIs but not against Zero-day threat. • Patching is not an effective wide-scale solution. • RFI links’ lifespan, and their position as centralized distribution points, offer many benefits for Whitehats. • Data from RFI links can be harvested for reputation-based algorithms, to hardening RFI and Backdoor protection. • Data from RFI links can be used as a backbone for an effective early warning system for unique zero-day threats. • Incapsula’s native crowdsourcing functionalities, coupled with its access control capabilities, are extremely well-suited for RFI link monitoring and reputation- based mitigation.
  10. 10. Learn More For more information about RFI attacks and Incapsula’s unique crowdsourcing security visit: • http://www.Incapsula.com • http://www.incapsula.com/the-incapsula-blog/item/801- crowdsourced-security-rfi-protection • http://www.incapsula.com/the-incapsula-blog/item/802-rfi- attacks-in-the-security-threat-landscape or contact us at: Info@Incapsula.com
  11. 11. Stay Safe