SlideShare a Scribd company logo

Secure Code Warrior - Local file inclusion

Download as PPTX, PDF
Secure Code Warrior
Secure Code Warrior

OWASP Web App Top 10 - Slidepack on "Local file inclusion" by Secure Code Warrior Limited and licensed under CC BY-ND 4.0

Technology
1 of 5
Local File Inclusion & Path Traversal OWASP Web App Top 10 by Secure Code Warrior Limited is licensed under CC BY-ND 4.0
What is it? “Local File Traversal (LFI)” is a vulnerability that allows files hosted on the server to be included and potentially also executed. Using “path traversal”, files located outside of the current folder can be accessed. What causes it? This vulnerability exploits the "dynamic file include" mechanism that exists in programming frameworks. A local file inclusion happens when uncontrolled user input (forms, headers, …) is used as parameter to "file include“ commands. Path traversal is possible because characters like ‘../’ (or encoded versions) are not being checked against. What could happen? Depending on system access restrictions various sensitive files could be read or executed. Password files, database configuration files or the database content itself could be stolen. Remote code could get executed. How to prevent it? Never directly pass user input to “file include” commands: use an indirect reference map instead. Alternatively, apply white-list validation against all user controllable input, e.g. reject ‘../’ and encoded variants.
Local File Inclusion / Path traversal Understanding the security vulnerability A vulnerable site uses the ‘page’ parameter which it includes to dynamically build the content of the site. An attacker uses the ’page’ parameter to craft a URL to try to access sensitive files in other directories. Eventually he finds the correct path. User account information is returned to the output. Using path traversal and trial and error, he submits manipulated requests to the application server. Application Server http://site.com/?page=home http://site.com/?page=../../../../../../etc/passwd page = request.getParameter(‘page’); echo include(page); … root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin alex:x:500:500:alex:/home/alex:/bin/bash … /etc/passwd http://site.com/?page=../../../../../etc/passwd http://site.com/?page=../../../../etc/passwd
Local File Inclusion / Path traversal Realizing the impact Next to reading files, advanced attacks can also result in the execution of arbitrary malicious code under specific circumstances. A compromised server could lead to availability loss and cause reputational and financial damages. Customer data could get exposed, leading to privacy issues, reputational and financial damages.
Local File Inclusion / Path traversal Preventing the mistake Use indirect object reference maps. Apply white-list input validation. Form parameters, cookies, HTTP headers. Pay special attention to ‘../’ and encoded variants. /index?page=about.html /index?page=1 Static ID targetPage 1 about.html 2 home.html Indirect object reference map

Recommended

Secure Code Warrior - Os command injection
Secure Code Warrior - Os command injectionSecure Code Warrior - Os command injection
Secure Code Warrior - Os command injection
Secure Code Warrior
 
Secure Code Warrior - LDAP injection
Secure Code Warrior - LDAP injectionSecure Code Warrior - LDAP injection
Secure Code Warrior - LDAP injection
Secure Code Warrior
 
Secure Code Warrior - Issues with origins
Secure Code Warrior - Issues with originsSecure Code Warrior - Issues with origins
Secure Code Warrior - Issues with origins
Secure Code Warrior
 
Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks
Ahmed Sherif
 
Secure Code Warrior - Trust no input
Secure Code Warrior - Trust no inputSecure Code Warrior - Trust no input
Secure Code Warrior - Trust no input
Secure Code Warrior
 
Web application attacks
Web application attacksWeb application attacks
Web application attacks
hruth
 
Let's shield Liferay
Let's shield LiferayLet's shield Liferay
Let's shield Liferay
José A. Jiménez
 
Hacking A Web Site And Secure Web Server Techniques Used
Hacking A Web Site And Secure Web Server Techniques UsedHacking A Web Site And Secure Web Server Techniques Used
Hacking A Web Site And Secure Web Server Techniques Used
Siddharth Bhattacharya
 

Recommended

Secure Code Warrior - Os command injection
Secure Code Warrior - Os command injectionSecure Code Warrior - Os command injection
Secure Code Warrior - Os command injection
Secure Code Warrior
 
Secure Code Warrior - LDAP injection
Secure Code Warrior - LDAP injectionSecure Code Warrior - LDAP injection
Secure Code Warrior - LDAP injection
Secure Code Warrior
 
Secure Code Warrior - Issues with origins
Secure Code Warrior - Issues with originsSecure Code Warrior - Issues with origins
Secure Code Warrior - Issues with origins
Secure Code Warrior
 
Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks
Ahmed Sherif
 
Secure Code Warrior - Trust no input
Secure Code Warrior - Trust no inputSecure Code Warrior - Trust no input
Secure Code Warrior - Trust no input
Secure Code Warrior
 
Web application attacks
Web application attacksWeb application attacks
Web application attacks
hruth
 
Let's shield Liferay
Let's shield LiferayLet's shield Liferay
Let's shield Liferay
José A. Jiménez
 
Hacking A Web Site And Secure Web Server Techniques Used
Hacking A Web Site And Secure Web Server Techniques UsedHacking A Web Site And Secure Web Server Techniques Used
Hacking A Web Site And Secure Web Server Techniques Used
Siddharth Bhattacharya
 
Secure Code Warrior - Unrestricted file upload
Secure Code Warrior - Unrestricted file uploadSecure Code Warrior - Unrestricted file upload
Secure Code Warrior - Unrestricted file upload
Secure Code Warrior
 
Web application attack Presentation
Web application attack PresentationWeb application attack Presentation
Web application attack Presentation
Khoa Nguyen
 
OAuth Tokens
OAuth TokensOAuth Tokens
OAuth Tokens
n|u - The Open Security Community
 
Secure Code Warrior - Local storage
Secure Code Warrior - Local storageSecure Code Warrior - Local storage
Secure Code Warrior - Local storage
Secure Code Warrior
 
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )
Jay Nagar
 
File inclusion
File inclusionFile inclusion
File inclusion
AaftabKhan14
 
Application Security
Application SecurityApplication Security
Application Security
nirola
 
Abusing, Exploiting and Pwning with Firefox Add-ons
Abusing, Exploiting and Pwning with Firefox Add-onsAbusing, Exploiting and Pwning with Firefox Add-ons
Abusing, Exploiting and Pwning with Firefox Add-ons
Ajin Abraham
 
Abusing Exploiting and Pwning with Firefox Addons
Abusing Exploiting and Pwning with Firefox AddonsAbusing Exploiting and Pwning with Firefox Addons
Abusing Exploiting and Pwning with Firefox Addons
Ajin Abraham
 
Web Security Attacks
Web Security AttacksWeb Security Attacks
Web Security Attacks
Sajid Hasan
 
FI-WARE OAUTH-XACML-based API Access Control - Overview (Part 1)
FI-WARE OAUTH-XACML-based API Access Control - Overview (Part 1)FI-WARE OAUTH-XACML-based API Access Control - Overview (Part 1)
FI-WARE OAUTH-XACML-based API Access Control - Overview (Part 1)
cdanger
 
Is Drupal secure?
Is Drupal secure?Is Drupal secure?
Is Drupal secure?
Four Kitchens
 
Drupal security
Drupal securityDrupal security
Drupal security
Techday7
 
Ethical hacking Chapter 10 - Exploiting Web Servers - Eric Vanderburg
Ethical hacking Chapter 10 - Exploiting Web Servers - Eric VanderburgEthical hacking Chapter 10 - Exploiting Web Servers - Eric Vanderburg
Ethical hacking Chapter 10 - Exploiting Web Servers - Eric Vanderburg
Eric Vanderburg
 
Artem Сhaykin. Android Application Security.
Artem Сhaykin. Android Application Security.Artem Сhaykin. Android Application Security.
Artem Сhaykin. Android Application Security.
Positive Hack Days
 
Web Security
Web SecurityWeb Security
Web Security
Chatree Kunjai
 
Pentesting web applications
Pentesting web applicationsPentesting web applications
Pentesting web applications
Satish b
 
Owasp healthcare cms
Owasp healthcare cmsOwasp healthcare cms
Owasp healthcare cms
uisgslide
 
Hacking web applications
Hacking web applicationsHacking web applications
Hacking web applications
Adeel Javaid
 
Testing REST Web Services
Testing REST Web ServicesTesting REST Web Services
Testing REST Web Services
Jan Algermissen
 
Secure Code Warrior - Remote file inclusion
Secure Code Warrior - Remote file inclusionSecure Code Warrior - Remote file inclusion
Secure Code Warrior - Remote file inclusion
Secure Code Warrior
 
Malicious file upload attacks - a case study
Malicious file upload attacks - a case studyMalicious file upload attacks - a case study
Malicious file upload attacks - a case study
Oktawian Powazka
 

More Related Content

What's hot

Secure Code Warrior - Unrestricted file upload
Secure Code Warrior - Unrestricted file uploadSecure Code Warrior - Unrestricted file upload
Secure Code Warrior - Unrestricted file upload
Secure Code Warrior
 
Web application attack Presentation
Web application attack PresentationWeb application attack Presentation
Web application attack Presentation
Khoa Nguyen
 
OAuth Tokens
OAuth TokensOAuth Tokens
OAuth Tokens
n|u - The Open Security Community
 
Secure Code Warrior - Local storage
Secure Code Warrior - Local storageSecure Code Warrior - Local storage
Secure Code Warrior - Local storage
Secure Code Warrior
 
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )
Jay Nagar
 
File inclusion
File inclusionFile inclusion
File inclusion
AaftabKhan14
 
Application Security
Application SecurityApplication Security
Application Security
nirola
 
Abusing, Exploiting and Pwning with Firefox Add-ons
Abusing, Exploiting and Pwning with Firefox Add-onsAbusing, Exploiting and Pwning with Firefox Add-ons
Abusing, Exploiting and Pwning with Firefox Add-ons
Ajin Abraham
 
Abusing Exploiting and Pwning with Firefox Addons
Abusing Exploiting and Pwning with Firefox AddonsAbusing Exploiting and Pwning with Firefox Addons
Abusing Exploiting and Pwning with Firefox Addons
Ajin Abraham
 
Web Security Attacks
Web Security AttacksWeb Security Attacks
Web Security Attacks
Sajid Hasan
 
FI-WARE OAUTH-XACML-based API Access Control - Overview (Part 1)
FI-WARE OAUTH-XACML-based API Access Control - Overview (Part 1)FI-WARE OAUTH-XACML-based API Access Control - Overview (Part 1)
FI-WARE OAUTH-XACML-based API Access Control - Overview (Part 1)
cdanger
 
Is Drupal secure?
Is Drupal secure?Is Drupal secure?
Is Drupal secure?
Four Kitchens
 
Drupal security
Drupal securityDrupal security
Drupal security
Techday7
 
Ethical hacking Chapter 10 - Exploiting Web Servers - Eric Vanderburg
Ethical hacking Chapter 10 - Exploiting Web Servers - Eric VanderburgEthical hacking Chapter 10 - Exploiting Web Servers - Eric Vanderburg
Ethical hacking Chapter 10 - Exploiting Web Servers - Eric Vanderburg
Eric Vanderburg
 
Artem Сhaykin. Android Application Security.
Artem Сhaykin. Android Application Security.Artem Сhaykin. Android Application Security.
Artem Сhaykin. Android Application Security.
Positive Hack Days
 
Web Security
Web SecurityWeb Security
Web Security
Chatree Kunjai
 
Pentesting web applications
Pentesting web applicationsPentesting web applications
Pentesting web applications
Satish b
 
Owasp healthcare cms
Owasp healthcare cmsOwasp healthcare cms
Owasp healthcare cms
uisgslide
 
Hacking web applications
Hacking web applicationsHacking web applications
Hacking web applications
Adeel Javaid
 
Testing REST Web Services
Testing REST Web ServicesTesting REST Web Services
Testing REST Web Services
Jan Algermissen
 

What's hot (20)

Secure Code Warrior - Unrestricted file upload
Secure Code Warrior - Unrestricted file uploadSecure Code Warrior - Unrestricted file upload
Secure Code Warrior - Unrestricted file upload
 
Web application attack Presentation
Web application attack PresentationWeb application attack Presentation
Web application attack Presentation
 
OAuth Tokens
OAuth TokensOAuth Tokens
OAuth Tokens
 
Secure Code Warrior - Local storage
Secure Code Warrior - Local storageSecure Code Warrior - Local storage
Secure Code Warrior - Local storage
 
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )
 
File inclusion
File inclusionFile inclusion
File inclusion
 
Application Security
Application SecurityApplication Security
Application Security
 
Abusing, Exploiting and Pwning with Firefox Add-ons
Abusing, Exploiting and Pwning with Firefox Add-onsAbusing, Exploiting and Pwning with Firefox Add-ons
Abusing, Exploiting and Pwning with Firefox Add-ons
 
Abusing Exploiting and Pwning with Firefox Addons
Abusing Exploiting and Pwning with Firefox AddonsAbusing Exploiting and Pwning with Firefox Addons
Abusing Exploiting and Pwning with Firefox Addons
 
Web Security Attacks
Web Security AttacksWeb Security Attacks
Web Security Attacks
 
FI-WARE OAUTH-XACML-based API Access Control - Overview (Part 1)
FI-WARE OAUTH-XACML-based API Access Control - Overview (Part 1)FI-WARE OAUTH-XACML-based API Access Control - Overview (Part 1)
FI-WARE OAUTH-XACML-based API Access Control - Overview (Part 1)
 
Is Drupal secure?
Is Drupal secure?Is Drupal secure?
Is Drupal secure?
 
Drupal security
Drupal securityDrupal security
Drupal security
 
Ethical hacking Chapter 10 - Exploiting Web Servers - Eric Vanderburg
Ethical hacking Chapter 10 - Exploiting Web Servers - Eric VanderburgEthical hacking Chapter 10 - Exploiting Web Servers - Eric Vanderburg
Ethical hacking Chapter 10 - Exploiting Web Servers - Eric Vanderburg
 
Artem Сhaykin. Android Application Security.
Artem Сhaykin. Android Application Security.Artem Сhaykin. Android Application Security.
Artem Сhaykin. Android Application Security.
 
Web Security
Web SecurityWeb Security
Web Security
 
Pentesting web applications
Pentesting web applicationsPentesting web applications
Pentesting web applications
 
Owasp healthcare cms
Owasp healthcare cmsOwasp healthcare cms
Owasp healthcare cms
 
Hacking web applications
Hacking web applicationsHacking web applications
Hacking web applications
 
Testing REST Web Services
Testing REST Web ServicesTesting REST Web Services
Testing REST Web Services
 

Similar to Secure Code Warrior - Local file inclusion

Secure Code Warrior - Remote file inclusion
Secure Code Warrior - Remote file inclusionSecure Code Warrior - Remote file inclusion
Secure Code Warrior - Remote file inclusion
Secure Code Warrior
 
Malicious file upload attacks - a case study
Malicious file upload attacks - a case studyMalicious file upload attacks - a case study
Malicious file upload attacks - a case study
Oktawian Powazka
 
TakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian CrenshawTakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian Crenshaw
EC-Council
 
Directory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion AttacksDirectory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion Attacks
Raghav Bisht
 
Directory_Traversel.pdf
Directory_Traversel.pdfDirectory_Traversel.pdf
Directory_Traversel.pdf
Okan YILDIZ
 
Best practices of web app security (samvel gevorgyan)
Best practices of web app security (samvel gevorgyan)Best practices of web app security (samvel gevorgyan)
Best practices of web app security (samvel gevorgyan)
ClubHack
 
Session9-File Upload Security
Session9-File Upload SecuritySession9-File Upload Security
Session9-File Upload Security
zakieh alizadeh
 
7.Canon & Dt
7.Canon & Dt7.Canon & Dt
7.Canon & Dt
phanleson
 
Apache Web Server Setup 4
Apache Web Server Setup 4Apache Web Server Setup 4
Apache Web Server Setup 4
Information Technology
 
Lfi
LfiLfi
Lfi
penetration Tester
 
LFI to RCE
LFI to RCELFI to RCE
LFI to RCE
n|u - The Open Security Community
 
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka IrongeekMutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Magno Logan
 
Anant kochhar _revealing_the_secrets - ClubHack2009
Anant kochhar _revealing_the_secrets - ClubHack2009Anant kochhar _revealing_the_secrets - ClubHack2009
Anant kochhar _revealing_the_secrets - ClubHack2009
ClubHack
 
Web Application Security 101
Web Application Security 101Web Application Security 101
Web Application Security 101
Cybersecurity Education and Research Centre
 
Application Security Vulnerabilities: OWASP Top 10 -2007
Application Security Vulnerabilities: OWASP Top 10 -2007Application Security Vulnerabilities: OWASP Top 10 -2007
Application Security Vulnerabilities: OWASP Top 10 -2007
Vaibhav Gupta
 
Lavakumar kuppan _lust_2_0 - ClubHack2009
Lavakumar kuppan _lust_2_0 - ClubHack2009Lavakumar kuppan _lust_2_0 - ClubHack2009
Lavakumar kuppan _lust_2_0 - ClubHack2009
ClubHack
 
Webappcontrol for Information Technology
Webappcontrol for Information TechnologyWebappcontrol for Information Technology
Webappcontrol for Information Technology
tiwariparivaar24
 
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
ClubHack
 
Web Application Security - Folio3
Web Application Security - Folio3Web Application Security - Folio3
Web Application Security - Folio3
Folio3 Software
 
Java Web Security Class
Java Web Security ClassJava Web Security Class
Java Web Security Class
Rich Helton
 

Similar to Secure Code Warrior - Local file inclusion (20)

Secure Code Warrior - Remote file inclusion
Secure Code Warrior - Remote file inclusionSecure Code Warrior - Remote file inclusion
Secure Code Warrior - Remote file inclusion
 
Malicious file upload attacks - a case study
Malicious file upload attacks - a case studyMalicious file upload attacks - a case study
Malicious file upload attacks - a case study
 
TakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian CrenshawTakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian Crenshaw
 
Directory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion AttacksDirectory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion Attacks
 
Directory_Traversel.pdf
Directory_Traversel.pdfDirectory_Traversel.pdf
Directory_Traversel.pdf
 
Best practices of web app security (samvel gevorgyan)
Best practices of web app security (samvel gevorgyan)Best practices of web app security (samvel gevorgyan)
Best practices of web app security (samvel gevorgyan)
 
Session9-File Upload Security
Session9-File Upload SecuritySession9-File Upload Security
Session9-File Upload Security
 
7.Canon & Dt
7.Canon & Dt7.Canon & Dt
7.Canon & Dt
 
Apache Web Server Setup 4
Apache Web Server Setup 4Apache Web Server Setup 4
Apache Web Server Setup 4
 
Lfi
LfiLfi
Lfi
 
LFI to RCE
LFI to RCELFI to RCE
LFI to RCE
 
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka IrongeekMutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
 
Anant kochhar _revealing_the_secrets - ClubHack2009
Anant kochhar _revealing_the_secrets - ClubHack2009Anant kochhar _revealing_the_secrets - ClubHack2009
Anant kochhar _revealing_the_secrets - ClubHack2009
 
Web Application Security 101
Web Application Security 101Web Application Security 101
Web Application Security 101
 
Application Security Vulnerabilities: OWASP Top 10 -2007
Application Security Vulnerabilities: OWASP Top 10 -2007Application Security Vulnerabilities: OWASP Top 10 -2007
Application Security Vulnerabilities: OWASP Top 10 -2007
 
Lavakumar kuppan _lust_2_0 - ClubHack2009
Lavakumar kuppan _lust_2_0 - ClubHack2009Lavakumar kuppan _lust_2_0 - ClubHack2009
Lavakumar kuppan _lust_2_0 - ClubHack2009
 
Webappcontrol for Information Technology
Webappcontrol for Information TechnologyWebappcontrol for Information Technology
Webappcontrol for Information Technology
 
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
 
Web Application Security - Folio3
Web Application Security - Folio3Web Application Security - Folio3
Web Application Security - Folio3
 
Java Web Security Class
Java Web Security ClassJava Web Security Class
Java Web Security Class
 

Recently uploaded

Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
Adtran
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
名前 です男
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
KAMESHS29
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
Alpen-Adria-Universität
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Paige Cruz
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
Matthew Sinclair
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
SOFTTECHHUB
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceAI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
IndexBug
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
Uni Systems S.M.S.A.
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
Tomaz Bratanic
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
innovationoecd
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
panagenda
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
shyamraj55
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
kumardaparthi1024
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
Matthew Sinclair
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
danishmna97
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
DianaGray10
 

Recently uploaded (20)

Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceAI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
 

Secure Code Warrior - Local file inclusion

  • 1. Local File Inclusion & Path Traversal OWASP Web App Top 10 by Secure Code Warrior Limited is licensed under CC BY-ND 4.0
  • 2. What is it? “Local File Traversal (LFI)” is a vulnerability that allows files hosted on the server to be included and potentially also executed. Using “path traversal”, files located outside of the current folder can be accessed. What causes it? This vulnerability exploits the "dynamic file include" mechanism that exists in programming frameworks. A local file inclusion happens when uncontrolled user input (forms, headers, …) is used as parameter to "file include“ commands. Path traversal is possible because characters like ‘../’ (or encoded versions) are not being checked against. What could happen? Depending on system access restrictions various sensitive files could be read or executed. Password files, database configuration files or the database content itself could be stolen. Remote code could get executed. How to prevent it? Never directly pass user input to “file include” commands: use an indirect reference map instead. Alternatively, apply white-list validation against all user controllable input, e.g. reject ‘../’ and encoded variants.
  • 3. Local File Inclusion / Path traversal Understanding the security vulnerability A vulnerable site uses the ‘page’ parameter which it includes to dynamically build the content of the site. An attacker uses the ’page’ parameter to craft a URL to try to access sensitive files in other directories. Eventually he finds the correct path. User account information is returned to the output. Using path traversal and trial and error, he submits manipulated requests to the application server. Application Server http://site.com/?page=home http://site.com/?page=../../../../../../etc/passwd page = request.getParameter(‘page’); echo include(page); … root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin alex:x:500:500:alex:/home/alex:/bin/bash … /etc/passwd http://site.com/?page=../../../../../etc/passwd http://site.com/?page=../../../../etc/passwd
  • 4. Local File Inclusion / Path traversal Realizing the impact Next to reading files, advanced attacks can also result in the execution of arbitrary malicious code under specific circumstances. A compromised server could lead to availability loss and cause reputational and financial damages. Customer data could get exposed, leading to privacy issues, reputational and financial damages.
  • 5. Local File Inclusion / Path traversal Preventing the mistake Use indirect object reference maps. Apply white-list input validation. Form parameters, cookies, HTTP headers. Pay special attention to ‘../’ and encoded variants. /index?page=about.html /index?page=1 Static ID targetPage 1 about.html 2 home.html Indirect object reference map