Remote File Inclusion (RFI) and Local File Inclusion (LFI) are vulnerabilities that target the web application layer and if exploited can lead to full server takeover by malicious actors.
These cyberattacks fall under the two types of file inclusion attacks and primarily affect companies and organizations that have poorly-written web applications (i.e websites).
Read on to learn more about the characteristics that make up Remote File Inclusion (RFI) and Local File Inclusion (LFI) attacks and what their core differences are:
PHP is everywhere. According to Web Technology Surveys, 79.1% of all websites use PHP. Remote File Inclusion (RFI) and Local File Inclusion (LFI) attacks typically affect web applications written in PHP, so a lot of websites remain vulnerable.
Some may blame its security weakness over the fact that PHP is an open-source programming language. However, PHP is just as vulnerable as other programming languages if the proper developer and security practices are ignored.
Because almost all web application frameworks support file inclusion, companies and organizations are susceptible to Remote File Inclusion (RFI) and Local File Inclusion (LFI) attacks.
Remote vs local files
Hackers exploit the file Inclusion vulnerability to gain unauthorized access to sensitive data on web servers and inject malicious files through the “include” functionality.
The difference between (RFI) and Local File Inclusion (LFI)is that with RFI, the hacker uses a remote file while LFI uses local files (i.e. files on the target server) when carrying out the attack.
To expand, in an RFI attack, a hacker employs a script to include a remotely hosted file on the webserver. In an LFI attack, a hacker uses local files to execute a malicious script. For LFI, it is possible for a hacker to only use a web browser to carry out the attack.
Dangers of RFI & LFI
(RFI) and Local File Inclusion (LFI) attacks are essentially zero-day threats — which can be dangerous in their early stage. An attacker, for example, can use LFI to trick the web application into exposing or running files on the webserver. With this, hackers can create web shells on the server, deface a website, steal information, and stage Cross-site Scripting (XSS) attacks.
RFI and LFI attacks make up 21% percent of all observed web application attacks. Though many security experts would agree that RFI and LFI are highly preventable and are less sophisticated than other attacks like XSS, these cyberattacks should still be taken seriously by companies and organizations.
What You Can Do About File Inclusion Attacks
There is a misconception that all user inputs can be entirely sanitized – but this is actually false. So, when a web application includes a file without correctly sanitizing the input, a hacker can manipulate the input and inject path traversal characters to include other files from the webserver.
To defend against (RFI) and Local File Inclusion (LFI) attacks, it is crucial that companies and organizations use firewalls that thoroughly filter input parameters against possible file inclusions. A WAF, for example, can block malicious attempts related to File Inclusion attacks from previous RFI attacks so that it can block any future attacks that originate from the same source.
An even more advanced WAF can also protect against zero-day threats by intelligently monitoring traffic to detect and block attacks before they can enter the web application.