AppSec Tales XVI | File Inclusion

Karol Mazurek
Aug 14

Application Security Testing for the File Inclusion vulnerabilities.

INTRODUCTION

The article describes how to test the application to find Local & Remote File Inclusion vulnerabilities. The advice in this article is based on:

  • OWASP Web Security Testing Guide
  • OWASP Application Security Verification Standard
  • Bug bounty reports
  • Own experience.
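Before the tooling, it helps to see what these tests are actually looking for. The block below is an added example, not code from the article: a file-include resolver written in the vulnerable form (user input joined straight onto a template directory) beside a hardened form that refuses remote references and embedded NULs, allowlists template names, and verifies the resolved path stays inside the base directory after symlinks are followed. The template names, the allowlist, the directory layout and the probe values are all constructed for the demo.

```python
# Added example (not from the article): a file-include resolver in the vulnerable
# form that LFI/RFI tests look for, beside a hardened form. File names, directory
# layout and the allowlist are constructed for this demo.
import os
import tempfile
from urllib.parse import urlsplit

# Constructed allowlist of templates the application is meant to serve.
ALLOWED_TEMPLATES = {"about.html", "contact.html", "faq.html"}


class IncludeRejected(ValueError):
    """Raised by the hardened resolver when a requested name is unsafe."""


def resolve_vulnerable(base_dir, filename):
    # The classic LFI pattern: the parameter is joined onto the template directory
    # unchecked. "../" walks out of base_dir, and an absolute path makes
    # os.path.join discard base_dir entirely.
    return os.path.join(base_dir, filename)


def resolve_hardened(base_dir, filename):
    if not filename or "\x00" in filename:
        raise IncludeRejected("empty name or embedded NUL")
    # RFI check: any URL scheme (http://, ftp://, stream wrappers) or a
    # protocol-relative "//host/..." reference is refused before any I/O.
    if urlsplit(filename).scheme or filename.startswith("//"):
        raise IncludeRejected("remote or wrapper reference")
    # Allowlist first: traversal and encoding tricks never reach the filesystem.
    if filename not in ALLOWED_TEMPLATES:
        raise IncludeRejected("name not in template allowlist")
    # Defence in depth: even an allowlisted name must resolve (after following
    # symlinks) to a path inside base_dir.
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, filename))
    if os.path.commonpath([base, target]) != base:
        raise IncludeRejected("resolves outside the template directory")
    return target


def escapes_base(base_dir, candidate_path):
    # Pure string check used to show where the vulnerable join ends up.
    base = os.path.normpath(base_dir)
    path = os.path.normpath(candidate_path)
    return os.path.commonpath([base, path]) != base


def classify(base_dir, filename):
    """Return 'accepted' or 'rejected: <reason>' from the hardened resolver."""
    try:
        resolve_hardened(base_dir, filename)
        return "accepted"
    except IncludeRejected as exc:
        return f"rejected: {exc}"


def demo():
    """Run constructed probes through both resolvers.

    Returns {label: (vulnerable_join_escapes_base, hardened_verdict)}.
    """
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        templates = os.path.join(tmp, "templates")
        os.mkdir(templates)
        for name in ALLOWED_TEMPLATES:
            with open(os.path.join(templates, name), "w") as fh:
                fh.write(f"<p>{name}</p>\n")
        # A constructed file outside the template directory that must never be included.
        secret = os.path.join(tmp, "secret.txt")
        with open(secret, "w") as fh:
            fh.write("constructed secret\n")

        probes = {
            "legit": "about.html",
            "traversal": "../secret.txt",
            "absolute": secret,
            "remote": "http://example.invalid/inc.txt",
            "nul": "about.html\x00.png",
        }
        for label, probe in probes.items():
            vuln_path = resolve_vulnerable(templates, probe)
            results[label] = (escapes_base(templates, vuln_path), classify(templates, probe))
    return results


if __name__ == "__main__":
    for label, (escapes, verdict) in demo().items():
        print(f"{label:10} vulnerable-join-escapes={escapes!s:5} hardened={verdict}")
```

The allowlist does the real work; the realpath check only exists so that a symlink dropped into the template directory later cannot turn an allowlisted name into an escape. The remote-reference check runs before any filesystem access because a scheme-prefixed value is never a legitimate local template name.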

TOOLING

Tools, with basic usage, and wordlists used for LFI and RFI detection.

STANDALONE TOOLS

  • LFImap — LFI & RFI discovery and exploitation tool.

In the current development stage, I suggest using ffuf instead with the custom wordlists for RFI & LFI detection. However, this project is in pre-alpha. The developer states that release 1.0 is coming soon. It is worth keeping an eye on it.

# SINGLE URL (PWN - injection place)
python lfimap.py -U "https://afine.com/converter?filename=PWN" -a
# MULTIPLE URLS (each URL must have PWN specified)
python lfimap.py -F urls.txt -a

I have described how to use the above automatic scanners in another article:

BURP SUITE PRO EXTENSIONS

Source: Own study — Using Copy As FFUF extension.
# EXAMPLE OUTPUT FROM THE ABOVE SCREENSHOT:
-X "GET" -H "/test/FUZZ HTTP/1.1" -H "Host: afine.com" -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.110 Safari/537.36" -H "Accept-Encoding: gzip, deflate" -H "Connection: close"
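Wordlist-driven fuzzing of a file parameter, as the ffuf command above sets up, leaves a recognisable trail in the server's access log. The block below is an added example, not code from the article or from ffuf: it parses constructed common-format access-log lines, fully percent-decodes each query-string value, and flags the file-inclusion indicators a detection rule would care about (traversal or absolute paths, embedded NUL, remote or wrapper references), then groups the hits by source address. The log lines, addresses and parameter names are constructed.

```python
# Added example (not from the article): flag access-log requests whose query
# parameters carry file-inclusion probes. All log lines below are constructed.
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl, unquote

# Common Log Format with the request line split into method / target / version.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

SAMPLE_LOG = [  # constructed
    '203.0.113.7 - - [14/Aug/2023:10:00:01 +0000] "GET /converter?filename=report.pdf HTTP/1.1" 200 512',
    '203.0.113.7 - - [14/Aug/2023:10:00:02 +0000] "GET /converter?filename=..%2F..%2F..%2Fsecret.txt HTTP/1.1" 200 1893',
    '203.0.113.7 - - [14/Aug/2023:10:00:03 +0000] "GET /converter?filename=%252e%252e%252fsecret.txt HTTP/1.1" 404 162',
    '203.0.113.7 - - [14/Aug/2023:10:00:04 +0000] "GET /converter?filename=http%3A%2F%2Fexample.invalid%2Finc.txt HTTP/1.1" 500 231',
    '198.51.100.2 - - [14/Aug/2023:10:00:05 +0000] "GET /converter?filename=about.html%00.png HTTP/1.1" 200 77',
]


def decode_fully(value, rounds=3):
    # Undo repeated percent-encoding (e.g. %252e -> %2e -> .) with a bounded loop.
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inclusion_indicators(value):
    """Return the list of file-inclusion indicators present in one parameter value."""
    v = decode_fully(value).replace("\\", "/")
    hits = []
    if "../" in v or v.startswith("/"):
        hits.append("traversal-or-absolute")
    if "\x00" in v:
        hits.append("nul-byte")
    scheme = urlsplit(v).scheme
    if scheme or v.startswith("//"):
        hits.append(f"remote-reference:{scheme or 'protocol-relative'}")
    return hits


def scan_log(lines):
    """Return one finding per query parameter that carries an indicator."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; a real pipeline would count these
        query = urlsplit(m["target"]).query
        # parse_qsl performs the first layer of percent-decoding.
        for key, value in parse_qsl(query, keep_blank_values=True):
            hits = inclusion_indicators(value)
            if hits:
                findings.append({
                    "ip": m["ip"],
                    "param": key,
                    "value": value,
                    "status": int(m["status"]),
                    "indicators": hits,
                })
    return findings


def suspicious_sources(findings, threshold=3):
    """Source addresses with at least `threshold` flagged requests (fuzzing pattern)."""
    counts = Counter(f["ip"] for f in findings)
    return {ip for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"{f['ip']:14} {f['param']}={f['value']!r} status={f['status']} {f['indicators']}")
    print("bulk sources:", suspicious_sources(found))
```

Note that a 200 response to a traversal probe is the line worth an alert on its own; the 404 and 500 responses still matter as evidence of the scan, which is why the source-address count is kept separately from the per-request verdict.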

WORDLISTS

Karol Mazurek

Offensive Security Engineer