Topics Covered :
⦁ What is LFI?
⦁ How Can Attackers Access Sensitive Files with This Vulnerability?
⦁ How to Mitigate this Attack ?
⦁ Examples of Attack
What is LFI?
LFI (Local File Inclusion) is a vulnerability that occurs when inputs are not appropriately sanitized and the attacker can see sensitive server directory data. LFI vulnerabilities can damage the whole infrastructure using RCE (remote code execution) and data breaches. For example, if a web application allows users to view any document and if parameters show in the URL bar, look at the image below:
How Can Attackers Access Sensitive Files with This Vulnerability?
When an attacker inputs a system command, it will be executed on the server site. It can see the server system, which leads to sensitive data access and a data breach. Below, we can see an image of how the attacker used this attack:
image credits : hackingarticle
How to Mitigate this Attack ?
To Mitigate Local File Inclusion (LFI), We Can Take the Following Measures:
We can validate input from the user and parse parameters properly to prevent this attack.
By using absolute file paths, we can prevent attackers from traversing the file system. that will ensure that file will be accessed from a fixed location.
By only allowing required directories and files, we can prevent this attack.
by disabling php include and the required function. This prevents attackers from executing arbitrary code on the server.
Use File Permission to ensure that the web server has the least privileges to ensure only necessary files have permission.
files and not the sensitive files
Enabling the Web Application Firewall (WAF) can help protect against LFI attacks. WAF can detect and block arbitrary requests to the server.
Example of Attack
When URLs are not properly sanitized, for example,
www.example.com/test.php?=text.txt/../../../../etc/passwd
This will show sensitive file passwords, which can lead to an RCE attack.
Conclusion
LFI is a Web application vulnerability that can be used by attackers to read sensitive files and execute arbitrary code on the server. Web developers can prevent an LFI attack by input validation, file access controls, code reviews, and server hardening.