SlideShare una empresa de Scribd logo

Secure Code Warrior - Local file inclusion

Descargar como PPTX, PDF
Secure Code Warrior
Secure Code Warrior

OWASP Web App Top 10 - Slidepack on "Local file inclusion" by Secure Code Warrior Limited and licensed under CC BY-ND 4.0

Tecnología
1 de 5
Local File Inclusion & Path Traversal OWASP Web App Top 10 by Secure Code Warrior Limited is licensed under CC BY-ND 4.0
What is it? “Local File Traversal (LFI)” is a vulnerability that allows files hosted on the server to be included and potentially also executed. Using “path traversal”, files located outside of the current folder can be accessed. What causes it? This vulnerability exploits the "dynamic file include" mechanism that exists in programming frameworks. A local file inclusion happens when uncontrolled user input (forms, headers, …) is used as parameter to "file include“ commands. Path traversal is possible because characters like ‘../’ (or encoded versions) are not being checked against. What could happen? Depending on system access restrictions various sensitive files could be read or executed. Password files, database configuration files or the database content itself could be stolen. Remote code could get executed. How to prevent it? Never directly pass user input to “file include” commands: use an indirect reference map instead. Alternatively, apply white-list validation against all user controllable input, e.g. reject ‘../’ and encoded variants.
Local File Inclusion / Path traversal Understanding the security vulnerability A vulnerable site uses the ‘page’ parameter which it includes to dynamically build the content of the site. An attacker uses the ’page’ parameter to craft a URL to try to access sensitive files in other directories. Eventually he finds the correct path. User account information is returned to the output. Using path traversal and trial and error, he submits manipulated requests to the application server. Application Server http://site.com/?page=home http://site.com/?page=../../../../../../etc/passwd page = request.getParameter(‘page’); echo include(page); … root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin alex:x:500:500:alex:/home/alex:/bin/bash … /etc/passwd http://site.com/?page=../../../../../etc/passwd http://site.com/?page=../../../../etc/passwd
Local File Inclusion / Path traversal Realizing the impact Next to reading files, advanced attacks can also result in the execution of arbitrary malicious code under specific circumstances. A compromised server could lead to availability loss and cause reputational and financial damages. Customer data could get exposed, leading to privacy issues, reputational and financial damages.
Local File Inclusion / Path traversal Preventing the mistake Use indirect object reference maps. Apply white-list input validation. Form parameters, cookies, HTTP headers. Pay special attention to ‘../’ and encoded variants. /index?page=about.html /index?page=1 Static ID targetPage 1 about.html 2 home.html Indirect object reference map

Recomendados

Secure Code Warrior - Os command injection
Secure Code Warrior - Os command injectionSecure Code Warrior - Os command injection
Secure Code Warrior - Os command injectionSecure Code Warrior
 
Secure Code Warrior - LDAP injection
Secure Code Warrior - LDAP injectionSecure Code Warrior - LDAP injection
Secure Code Warrior - LDAP injectionSecure Code Warrior
 
Secure Code Warrior - Issues with origins
Secure Code Warrior - Issues with originsSecure Code Warrior - Issues with origins
Secure Code Warrior - Issues with originsSecure Code Warrior
 
Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks Ahmed Sherif
 
Secure Code Warrior - Trust no input
Secure Code Warrior - Trust no inputSecure Code Warrior - Trust no input
Secure Code Warrior - Trust no inputSecure Code Warrior
 
Web application attacks
Web application attacksWeb application attacks
Web application attackshruth
 
Let's shield Liferay
Let's shield LiferayLet's shield Liferay
Let's shield LiferayJosé A. Jiménez
 
Hacking A Web Site And Secure Web Server Techniques Used
Hacking A Web Site And Secure Web Server Techniques UsedHacking A Web Site And Secure Web Server Techniques Used
Hacking A Web Site And Secure Web Server Techniques UsedSiddharth Bhattacharya
 

Recomendados

Secure Code Warrior - Os command injection
Secure Code Warrior - Os command injectionSecure Code Warrior - Os command injection
Secure Code Warrior - Os command injectionSecure Code Warrior
 
Secure Code Warrior - LDAP injection
Secure Code Warrior - LDAP injectionSecure Code Warrior - LDAP injection
Secure Code Warrior - LDAP injectionSecure Code Warrior
 
Secure Code Warrior - Issues with origins
Secure Code Warrior - Issues with originsSecure Code Warrior - Issues with origins
Secure Code Warrior - Issues with originsSecure Code Warrior
 
Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks Ahmed Sherif
 
Secure Code Warrior - Trust no input
Secure Code Warrior - Trust no inputSecure Code Warrior - Trust no input
Secure Code Warrior - Trust no inputSecure Code Warrior
 
Web application attacks
Web application attacksWeb application attacks
Web application attackshruth
 
Let's shield Liferay
Let's shield LiferayLet's shield Liferay
Let's shield LiferayJosé A. Jiménez
 
Hacking A Web Site And Secure Web Server Techniques Used
Hacking A Web Site And Secure Web Server Techniques UsedHacking A Web Site And Secure Web Server Techniques Used
Hacking A Web Site And Secure Web Server Techniques UsedSiddharth Bhattacharya
 
Secure Code Warrior - Unrestricted file upload
Secure Code Warrior - Unrestricted file uploadSecure Code Warrior - Unrestricted file upload
Secure Code Warrior - Unrestricted file uploadSecure Code Warrior
 
Web application attack Presentation
Web application attack PresentationWeb application attack Presentation
Web application attack PresentationKhoa Nguyen
 
OAuth Tokens
OAuth TokensOAuth Tokens
OAuth Tokensn|u - The Open Security Community
 
Secure Code Warrior - Local storage
Secure Code Warrior - Local storageSecure Code Warrior - Local storage
Secure Code Warrior - Local storageSecure Code Warrior
 
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Jay Nagar
 
File inclusion
File inclusionFile inclusion
File inclusionAaftabKhan14
 
Application Security
Application SecurityApplication Security
Application Securitynirola
 
Abusing, Exploiting and Pwning with Firefox Add-ons
Abusing, Exploiting and Pwning with Firefox Add-onsAbusing, Exploiting and Pwning with Firefox Add-ons
Abusing, Exploiting and Pwning with Firefox Add-onsAjin Abraham
 
Abusing Exploiting and Pwning with Firefox Addons
Abusing Exploiting and Pwning with Firefox AddonsAbusing Exploiting and Pwning with Firefox Addons
Abusing Exploiting and Pwning with Firefox AddonsAjin Abraham
 
Web Security Attacks
Web Security AttacksWeb Security Attacks
Web Security AttacksSajid Hasan
 
FI-WARE OAUTH-XACML-based API Access Control - Overview (Part 1)
FI-WARE OAUTH-XACML-based API Access Control - Overview (Part 1)FI-WARE OAUTH-XACML-based API Access Control - Overview (Part 1)
FI-WARE OAUTH-XACML-based API Access Control - Overview (Part 1)cdanger
 
Is Drupal secure?
Is Drupal secure?Is Drupal secure?
Is Drupal secure?Four Kitchens
 
Drupal security
Drupal securityDrupal security
Drupal securityTechday7
 
Ethical hacking Chapter 10 - Exploiting Web Servers - Eric Vanderburg
Ethical hacking Chapter 10 - Exploiting Web Servers - Eric VanderburgEthical hacking Chapter 10 - Exploiting Web Servers - Eric Vanderburg
Ethical hacking Chapter 10 - Exploiting Web Servers - Eric VanderburgEric Vanderburg
 
Artem Сhaykin. Android Application Security.
Artem Сhaykin. Android Application Security.Artem Сhaykin. Android Application Security.
Artem Сhaykin. Android Application Security.Positive Hack Days
 
Web Security
Web SecurityWeb Security
Web SecurityChatree Kunjai
 
Pentesting web applications
Pentesting web applicationsPentesting web applications
Pentesting web applicationsSatish b
 
Owasp healthcare cms
Owasp healthcare cmsOwasp healthcare cms
Owasp healthcare cmsuisgslide
 
Hacking web applications
Hacking web applicationsHacking web applications
Hacking web applicationsAdeel Javaid
 
Testing REST Web Services
Testing REST Web ServicesTesting REST Web Services
Testing REST Web ServicesJan Algermissen
 
Secure Code Warrior - Remote file inclusion
Secure Code Warrior - Remote file inclusionSecure Code Warrior - Remote file inclusion
Secure Code Warrior - Remote file inclusionSecure Code Warrior
 
Malicious file upload attacks - a case study
Malicious file upload attacks - a case studyMalicious file upload attacks - a case study
Malicious file upload attacks - a case studyOktawian Powazka
 

Más contenido relacionado

La actualidad más candente

Secure Code Warrior - Unrestricted file upload
Secure Code Warrior - Unrestricted file uploadSecure Code Warrior - Unrestricted file upload
Secure Code Warrior - Unrestricted file uploadSecure Code Warrior
 
Web application attack Presentation
Web application attack PresentationWeb application attack Presentation
Web application attack PresentationKhoa Nguyen
 
Secure Code Warrior - Local storage
Secure Code Warrior - Local storageSecure Code Warrior - Local storage
Secure Code Warrior - Local storageSecure Code Warrior
 
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Jay Nagar
 
Application Security
Application SecurityApplication Security
Application Securitynirola
 
Abusing, Exploiting and Pwning with Firefox Add-ons
Abusing, Exploiting and Pwning with Firefox Add-onsAbusing, Exploiting and Pwning with Firefox Add-ons
Abusing, Exploiting and Pwning with Firefox Add-onsAjin Abraham
 
Abusing Exploiting and Pwning with Firefox Addons
Abusing Exploiting and Pwning with Firefox AddonsAbusing Exploiting and Pwning with Firefox Addons
Abusing Exploiting and Pwning with Firefox AddonsAjin Abraham
 
Web Security Attacks
Web Security AttacksWeb Security Attacks
Web Security AttacksSajid Hasan
 
FI-WARE OAUTH-XACML-based API Access Control - Overview (Part 1)
FI-WARE OAUTH-XACML-based API Access Control - Overview (Part 1)FI-WARE OAUTH-XACML-based API Access Control - Overview (Part 1)
FI-WARE OAUTH-XACML-based API Access Control - Overview (Part 1)cdanger
 
Drupal security
Drupal securityDrupal security
Drupal securityTechday7
 
Ethical hacking Chapter 10 - Exploiting Web Servers - Eric Vanderburg
Ethical hacking Chapter 10 - Exploiting Web Servers - Eric VanderburgEthical hacking Chapter 10 - Exploiting Web Servers - Eric Vanderburg
Ethical hacking Chapter 10 - Exploiting Web Servers - Eric VanderburgEric Vanderburg
 
Artem Сhaykin. Android Application Security.
Artem Сhaykin. Android Application Security.Artem Сhaykin. Android Application Security.
Artem Сhaykin. Android Application Security.Positive Hack Days
 
Pentesting web applications
Pentesting web applicationsPentesting web applications
Pentesting web applicationsSatish b
 
Owasp healthcare cms
Owasp healthcare cmsOwasp healthcare cms
Owasp healthcare cmsuisgslide
 
Hacking web applications
Hacking web applicationsHacking web applications
Hacking web applicationsAdeel Javaid
 
Testing REST Web Services
Testing REST Web ServicesTesting REST Web Services
Testing REST Web ServicesJan Algermissen
 

La actualidad más candente (20)

Secure Code Warrior - Unrestricted file upload
Secure Code Warrior - Unrestricted file uploadSecure Code Warrior - Unrestricted file upload
Secure Code Warrior - Unrestricted file upload
 
Web application attack Presentation
Web application attack PresentationWeb application attack Presentation
Web application attack Presentation
 
OAuth Tokens
OAuth TokensOAuth Tokens
OAuth Tokens
 
Secure Code Warrior - Local storage
Secure Code Warrior - Local storageSecure Code Warrior - Local storage
Secure Code Warrior - Local storage
 
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )
 
File inclusion
File inclusionFile inclusion
File inclusion
 
Application Security
Application SecurityApplication Security
Application Security
 
Abusing, Exploiting and Pwning with Firefox Add-ons
Abusing, Exploiting and Pwning with Firefox Add-onsAbusing, Exploiting and Pwning with Firefox Add-ons
Abusing, Exploiting and Pwning with Firefox Add-ons
 
Abusing Exploiting and Pwning with Firefox Addons
Abusing Exploiting and Pwning with Firefox AddonsAbusing Exploiting and Pwning with Firefox Addons
Abusing Exploiting and Pwning with Firefox Addons
 
Web Security Attacks
Web Security AttacksWeb Security Attacks
Web Security Attacks
 
FI-WARE OAUTH-XACML-based API Access Control - Overview (Part 1)
FI-WARE OAUTH-XACML-based API Access Control - Overview (Part 1)FI-WARE OAUTH-XACML-based API Access Control - Overview (Part 1)
FI-WARE OAUTH-XACML-based API Access Control - Overview (Part 1)
 
Is Drupal secure?
Is Drupal secure?Is Drupal secure?
Is Drupal secure?
 
Drupal security
Drupal securityDrupal security
Drupal security
 
Ethical hacking Chapter 10 - Exploiting Web Servers - Eric Vanderburg
Ethical hacking Chapter 10 - Exploiting Web Servers - Eric VanderburgEthical hacking Chapter 10 - Exploiting Web Servers - Eric Vanderburg
Ethical hacking Chapter 10 - Exploiting Web Servers - Eric Vanderburg
 
Artem Сhaykin. Android Application Security.
Artem Сhaykin. Android Application Security.Artem Сhaykin. Android Application Security.
Artem Сhaykin. Android Application Security.
 
Web Security
Web SecurityWeb Security
Web Security
 
Pentesting web applications
Pentesting web applicationsPentesting web applications
Pentesting web applications
 
Owasp healthcare cms
Owasp healthcare cmsOwasp healthcare cms
Owasp healthcare cms
 
Hacking web applications
Hacking web applicationsHacking web applications
Hacking web applications
 
Testing REST Web Services
Testing REST Web ServicesTesting REST Web Services
Testing REST Web Services
 

Similar a Secure Code Warrior - Local file inclusion

Secure Code Warrior - Remote file inclusion
Secure Code Warrior - Remote file inclusionSecure Code Warrior - Remote file inclusion
Secure Code Warrior - Remote file inclusionSecure Code Warrior
 
Malicious file upload attacks - a case study
Malicious file upload attacks - a case studyMalicious file upload attacks - a case study
Malicious file upload attacks - a case studyOktawian Powazka
 
TakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian CrenshawTakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian CrenshawEC-Council
 
Directory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion AttacksDirectory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion AttacksRaghav Bisht
 
Directory_Traversel.pdf
Directory_Traversel.pdfDirectory_Traversel.pdf
Directory_Traversel.pdfOkan YILDIZ
 
Best practices of web app security (samvel gevorgyan)
Best practices of web app security (samvel gevorgyan)Best practices of web app security (samvel gevorgyan)
Best practices of web app security (samvel gevorgyan)ClubHack
 
Session9-File Upload Security
Session9-File Upload SecuritySession9-File Upload Security
Session9-File Upload Securityzakieh alizadeh
 
7.Canon & Dt
7.Canon & Dt7.Canon & Dt
7.Canon & Dtphanleson
 
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka IrongeekMutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka IrongeekMagno Logan
 
Anant kochhar _revealing_the_secrets - ClubHack2009
Anant kochhar _revealing_the_secrets - ClubHack2009Anant kochhar _revealing_the_secrets - ClubHack2009
Anant kochhar _revealing_the_secrets - ClubHack2009ClubHack
 
Application Security Vulnerabilities: OWASP Top 10 -2007
Application Security Vulnerabilities: OWASP Top 10 -2007Application Security Vulnerabilities: OWASP Top 10 -2007
Application Security Vulnerabilities: OWASP Top 10 -2007Vaibhav Gupta
 
Lavakumar kuppan _lust_2_0 - ClubHack2009
Lavakumar kuppan _lust_2_0 - ClubHack2009Lavakumar kuppan _lust_2_0 - ClubHack2009
Lavakumar kuppan _lust_2_0 - ClubHack2009ClubHack
 
Webappcontrol for Information Technology
Webappcontrol for Information TechnologyWebappcontrol for Information Technology
Webappcontrol for Information Technologytiwariparivaar24
 
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009ClubHack
 
Web Application Security - Folio3
Web Application Security - Folio3Web Application Security - Folio3
Web Application Security - Folio3Folio3 Software
 
Java Web Security Class
Java Web Security ClassJava Web Security Class
Java Web Security ClassRich Helton
 

Similar a Secure Code Warrior - Local file inclusion (20)

Secure Code Warrior - Remote file inclusion
Secure Code Warrior - Remote file inclusionSecure Code Warrior - Remote file inclusion
Secure Code Warrior - Remote file inclusion
 
Malicious file upload attacks - a case study
Malicious file upload attacks - a case studyMalicious file upload attacks - a case study
Malicious file upload attacks - a case study
 
TakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian CrenshawTakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian Crenshaw
 
Directory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion AttacksDirectory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion Attacks
 
Directory_Traversel.pdf
Directory_Traversel.pdfDirectory_Traversel.pdf
Directory_Traversel.pdf
 
Best practices of web app security (samvel gevorgyan)
Best practices of web app security (samvel gevorgyan)Best practices of web app security (samvel gevorgyan)
Best practices of web app security (samvel gevorgyan)
 
Session9-File Upload Security
Session9-File Upload SecuritySession9-File Upload Security
Session9-File Upload Security
 
7.Canon & Dt
7.Canon & Dt7.Canon & Dt
7.Canon & Dt
 
Apache Web Server Setup 4
Apache Web Server Setup 4Apache Web Server Setup 4
Apache Web Server Setup 4
 
Lfi
LfiLfi
Lfi
 
LFI to RCE
LFI to RCELFI to RCE
LFI to RCE
 
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka IrongeekMutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
 
Anant kochhar _revealing_the_secrets - ClubHack2009
Anant kochhar _revealing_the_secrets - ClubHack2009Anant kochhar _revealing_the_secrets - ClubHack2009
Anant kochhar _revealing_the_secrets - ClubHack2009
 
Web Application Security 101
Web Application Security 101Web Application Security 101
Web Application Security 101
 
Application Security Vulnerabilities: OWASP Top 10 -2007
Application Security Vulnerabilities: OWASP Top 10 -2007Application Security Vulnerabilities: OWASP Top 10 -2007
Application Security Vulnerabilities: OWASP Top 10 -2007
 
Lavakumar kuppan _lust_2_0 - ClubHack2009
Lavakumar kuppan _lust_2_0 - ClubHack2009Lavakumar kuppan _lust_2_0 - ClubHack2009
Lavakumar kuppan _lust_2_0 - ClubHack2009
 
Webappcontrol for Information Technology
Webappcontrol for Information TechnologyWebappcontrol for Information Technology
Webappcontrol for Information Technology
 
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
 
Web Application Security - Folio3
Web Application Security - Folio3Web Application Security - Folio3
Web Application Security - Folio3
 
Java Web Security Class
Java Web Security ClassJava Web Security Class
Java Web Security Class
 

Último

GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 

Último (20)

GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 

Secure Code Warrior - Local file inclusion

  • 1. Local File Inclusion & Path Traversal OWASP Web App Top 10 by Secure Code Warrior Limited is licensed under CC BY-ND 4.0
  • 2. What is it? “Local File Traversal (LFI)” is a vulnerability that allows files hosted on the server to be included and potentially also executed. Using “path traversal”, files located outside of the current folder can be accessed. What causes it? This vulnerability exploits the "dynamic file include" mechanism that exists in programming frameworks. A local file inclusion happens when uncontrolled user input (forms, headers, …) is used as parameter to "file include“ commands. Path traversal is possible because characters like ‘../’ (or encoded versions) are not being checked against. What could happen? Depending on system access restrictions various sensitive files could be read or executed. Password files, database configuration files or the database content itself could be stolen. Remote code could get executed. How to prevent it? Never directly pass user input to “file include” commands: use an indirect reference map instead. Alternatively, apply white-list validation against all user controllable input, e.g. reject ‘../’ and encoded variants.
  • 3. Local File Inclusion / Path traversal Understanding the security vulnerability A vulnerable site uses the ‘page’ parameter which it includes to dynamically build the content of the site. An attacker uses the ’page’ parameter to craft a URL to try to access sensitive files in other directories. Eventually he finds the correct path. User account information is returned to the output. Using path traversal and trial and error, he submits manipulated requests to the application server. Application Server http://site.com/?page=home http://site.com/?page=../../../../../../etc/passwd page = request.getParameter(‘page’); echo include(page); … root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin alex:x:500:500:alex:/home/alex:/bin/bash … /etc/passwd http://site.com/?page=../../../../../etc/passwd http://site.com/?page=../../../../etc/passwd
  • 4. Local File Inclusion / Path traversal Realizing the impact Next to reading files, advanced attacks can also result in the execution of arbitrary malicious code under specific circumstances. A compromised server could lead to availability loss and cause reputational and financial damages. Customer data could get exposed, leading to privacy issues, reputational and financial damages.
  • 5. Local File Inclusion / Path traversal Preventing the mistake Use indirect object reference maps. Apply white-list input validation. Form parameters, cookies, HTTP headers. Pay special attention to ‘../’ and encoded variants. /index?page=about.html /index?page=1 Static ID targetPage 1 about.html 2 home.html Indirect object reference map