RFI and LFI

The most famous among the bug hunters and in bounty programs is RFI and LFI vulnerabilities. They both root from file inclusion vulnerabilities.

Simple one liner - When the file from a remote location is included, then its RFI(Remote file inclusion). If the file is from the local directory, then it is LFI(Local file inclusion)

In description:

Consider your web application is referencing a file in the form of a url to a remote location. This reference is trying to fetch a .png or .php or .js. When an attacker changes this file, the behaviour of the web application changes.



The impact of this can vary based on the file that got included. The least can be simply a change in the way a page looks. When the file included executes a piece of code is when the consequences get worse. The file can be malicious which escalates privileges of a certain user and performs an irreversible action.

File inclusions are easy to mitigate to a large extent using simple input validations and sanitising the inputs. The other measures include

1. List the acceptable objects, such as filenames or URLs. Blacklist everything else. 
2. For any check at the client side, make sure the same check or an extension of the same is done at the server side too as attackers will have ways to bypass checks at the client end
3. Always allow the code to run with the least privileges
4. Reduce the attack surface by analysing the attack entry points 
5. When using the PHP for your applications, make sure they dont use register_globals. 

Comments

Post a Comment

Popular posts from this blog

Bug bounty - Simple tips and tricks

Image
Its been a couple of months that I am bug hunting and I think I got hang of it now. Bug bounties are the most fancied way of earning money among the ethical hackers and otherwise engineers. I get many requests on Linkedin and Telegram to teach them about bug bounty. I have followed a few big time bug hunters and learnt from them. There are awesome writeups, podcasts and tutorials on Pentester.Land Here are a few tips and tricks to get started with any bounty program. Follow platforms like HackerOne and BugCrowd. They have organised bounty programs which reward in points and money according to the priority of the bug found. They have charity programs too if you wish to donate. So, when there are new programs launched for websites, mobile apps and APIs, you get to see whats in scope of the program and whats not. If you are reporting a bug thats not in scope, you get -ve points. There will be rules of the program which you MUST read carefully to understand the type of progra...
Read more

Hashing, Salting, Encoding and Encrypting

Image
One of the most asked questions when you say you are a cybersecurity engineer is that whats the difference between hashing, encoding and encryption. Many great blogs are available out there to answer that question. I try to make things simple so a layman gets it right. Hashing Hashing is a one way function where the given string is converted to fit in to a fixed length string using hashing algorithms. Simply put its a set of rules that convert the text in to a fixed length text. Hashing is basically used to check the authenticity of data. Assume you have a file that should be downloaded from a website. First you hash the file and digitally sign it. Now you hash the signed file too and encrypt(will talk about this later). The browser that downloads the file at the client end will get these two hash values from the file. Now it employes the same hashing mechanism and generates its own set of hashes. If these two hashes match the ones with the file downloaded, then the browser kn...
Read more

Homomorphic encryption

Image
Homomorphic encryption is a type of encryption where the data in transit can be accessed, computed, analysed all the while the data remains encrypted. This can be extension of both symmetric and asymmetric encryption(See Symmetric and Asymmetric Encryption for more details). This can be used for outsourcing encrypted data for storage and computation to the cloud environments In plain language homomorphic encryption is like this - Assume there are many things in a bag and you put your hands inside, manipulate their positions, access them and sense them but you cant pull them out and see for real what they are. This kind of data transmission is required in healthcare where the privacy is of most concern. The same holds good for voting purposes where the data needs to be encrypted for privacy purpose but also should be assessed. In the banking sectors too this is used to protect the PII and still perform the required processing on the data. The computations on the data are rep...
Read more