AppSec Tales XVI | File Inclusion

4 min read · Aug 14, 2023

Application security testing for file inclusion vulnerabilities.

INTRODUCTION

This article describes how to test an application for Local and Remote File Inclusion (LFI/RFI) vulnerabilities. The advice is based on:

  • OWASP Web Security Testing Guide
  • OWASP Application Security Verification Standard
  • Bug bounty reports
  • Own experience.

TOOLING

Tools, their basic usage, and the wordlists used for LFI and RFI detection.

STANDALONE TOOLS

  • LFImap — an LFI and RFI discovery and exploitation tool.

In the current development stage, I suggest using ffuf instead, with custom wordlists for RFI and LFI detection. However, this project is in pre-alpha. The developer states that release 1.0 is coming soon. It is worth keeping an eye on it.

# SINGLE URL (PWN - injection place)
python lfimap.py -U "https://afine.com/converter?filename=PWN" -a
# MULTIPLE URLS (each URL must have PWN specified)
python lfimap.py -F urls.txt -a
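The scanners above look for a `filename`-style parameter that is concatenated into a path (LFI) or fetched as a URL (RFI). The following Python block is an added example, not code from the article or from the LFImap project: it places a deliberately vulnerable handler next to a hardened one so the defect the tools probe for, and the fix, can be seen side by side. The `templates` directory, the `invoice.txt` template and the `secret.txt` file are constructed in a temporary directory purely for the demonstration.

```python
"""Vulnerable vs. hardened handling of a user-supplied filename (constructed example)."""
import os
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

# Constructed sandbox: one directory of allowed templates, plus a file
# outside it that the handler must never be able to return.
_ROOT = Path(tempfile.mkdtemp(prefix="lfi-demo-"))
TEMPLATES = _ROOT / "templates"
TEMPLATES.mkdir()
(TEMPLATES / "invoice.txt").write_text("invoice template")
(_ROOT / "secret.txt").write_text("db_password=constructed-value")

# Allowlist of template names the application actually serves (assumption).
ALLOWED_TEMPLATES = {"invoice.txt"}


def include_vulnerable(filename: str) -> str:
    """Classic LFI: the parameter is joined straight onto the base path,
    so "../" sequences walk out of the templates directory."""
    path = os.path.join(TEMPLATES, filename)
    with open(path) as fh:
        return fh.read()


def include_hardened(filename: str) -> str:
    """Three independent checks; any one of them alone would already stop
    the traversal above, but together they also cover RFI-style input."""
    # 1. Reject anything that parses as a URL (RFI) or carries path
    #    separators / NUL bytes (LFI, truncation tricks).
    if urlsplit(filename).scheme or any(ch in filename for ch in "/\\\0"):
        raise ValueError("filename contains a scheme, separator or NUL")

    # 2. Allowlist: only names the application knows about are served.
    if filename not in ALLOWED_TEMPLATES:
        raise ValueError("filename is not an allowed template")

    # 3. Canonicalise and confirm the result still lives under TEMPLATES
    #    (defends against symlinks or a later loosening of check 2).
    path = (TEMPLATES / filename).resolve()
    if TEMPLATES.resolve() not in path.parents:
        raise ValueError("resolved path escapes the templates directory")

    return path.read_text()


def is_rejected(filename: str) -> bool:
    """True if the hardened handler refuses the name (used for checks/tests)."""
    try:
        include_hardened(filename)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable, ../secret.txt ->", include_vulnerable("../secret.txt"))
    print("hardened,   ../secret.txt ->", "rejected" if is_rejected("../secret.txt") else "served")
    print("hardened,   invoice.txt   ->", include_hardened("invoice.txt"))
```

When reviewing a finding from ffuf or LFImap, the useful question is which of the three checks the application lacks: a missing allowlist is the common root cause, while the canonicalisation step is what keeps a fix from regressing when new templates are added later.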
