Input Validation / Local File Inclusion
Local File Inclusion (LFI) is a type of IT vulnerability that affects web and API applications and is categorized under input validation (CWE-22). In an LFI attack, an attacker manipulates web-based application input to gain access to a system’s files, such as configuration files, databases, and source code. The attack is possible because the application does not validate or sanitize user input and does not properly restrict access to the target files. Detailed information about LFI is available in the OWASP Testing Guide.
LFI can result in a range of risks, such as system compromise, data leakage, or privilege escalation. If the attacker is able to access the system’s files, they can gain access to confidential information, manipulate data, or gain control of the system. This can lead to significant financial and reputational losses if the attacker is successful.
The best way to prevent LFI vulnerabilities is to properly validate user input and restrict access to the target files. This can be achieved by using input validation routines to ensure that only expected characters are entered, and by using access control measures such as whitelisting and blacklisting to control what files can be accessed.
The following code example is from the CVE-2020-14385 vulnerability. It is an example of a Local File Inclusion vulnerability in a web application.
This code allows an attacker to access the system’s /etc/passwd file by manipulating the page parameter in the URL.
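As an added illustration (not the CVE-2020-14385 code or any project's code), the Python below reconstructs the pattern described above: a handler that joins the `page` parameter straight into a file path, beside a hardened version that allowlists the parameter and checks that the resolved path stays inside the pages directory. The directory layout, file contents and the `ALLOWED_PAGES` set are constructed for the demonstration.

```python
import os
import tempfile
from typing import Optional

# Constructed sandbox standing in for the web root: one legitimate page
# template, and a "secret" file one directory above it (the role that
# /etc/passwd plays in the text above).
ROOT = tempfile.mkdtemp()
PAGES_DIR = os.path.join(ROOT, "pages")
os.makedirs(PAGES_DIR)
with open(os.path.join(PAGES_DIR, "home.html"), "w") as f:
    f.write("<h1>Home</h1>")
with open(os.path.join(ROOT, "secret.txt"), "w") as f:
    f.write("root:x:0:0:root:/root:/bin/bash")  # constructed passwd-style line

# Hypothetical allowlist of page names the application actually serves.
ALLOWED_PAGES = {"home"}


def render_vulnerable(page: str) -> str:
    """Unsafe: the untrusted 'page' parameter is joined into the path as-is.
    A value such as '../secret.txt' walks out of PAGES_DIR, and an absolute
    value makes os.path.join discard PAGES_DIR entirely."""
    path = os.path.join(PAGES_DIR, page)
    with open(path) as f:
        return f.read()


def render_hardened(page: str) -> Optional[str]:
    """Safe: accept only allowlisted names, then verify that the resolved
    path is still inside PAGES_DIR before reading (defense in depth)."""
    if page not in ALLOWED_PAGES:
        return None  # reject unexpected input instead of trying to clean it
    base = os.path.realpath(PAGES_DIR)
    path = os.path.realpath(os.path.join(base, page + ".html"))
    if os.path.commonpath([base, path]) != base:  # symlinks already resolved
        return None
    if not os.path.isfile(path):
        return None
    with open(path) as f:
        return f.read()


if __name__ == "__main__":
    print(render_vulnerable("../secret.txt"))   # the secret file is returned
    print(render_hardened("../secret.txt"))     # None
    print(render_hardened("home"))              # <h1>Home</h1>
```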