Local file inclusion vulnerabilities (LFI) can lead to the disclosure of sensitive data, and even the execution of arbitrary code. If you are responsible for web security for your business, you need to know what LFI is, and how you can use a LFI vulnerability scanner to identify these vulnerabilities in web applications and fix them.
LFI, like so many web application vulnerabilities, starts with poor validation of user input. If an application can dynamically include files, but performs no validation of which files on the web server it should or should not be allowed to include, it is vulnerable.
Local file inclusion attacks are most often discussed in terms of PHP, though it can be a problem in insecurely written applications in ASP, Python, or any other language. No matter the language, the idea behind the vulnerability is the same. A web application fails to verify the arguments that are passed into a function that includes the contents of another file in the code being run. Thus, the contents of arbitrary files on the machine can be displayed or run by a malicious user.
Typically, exploiting an LFI attack results in sensitive information disclosure. An attacker can use directory traversal to find sensitive files on the server and display them on a web page. A common example involves trying to enumerate usernames and see password hashes stored in /etc/passwd.
If there is another vulnerability in either the application or the web server that allows a malicious user to upload files to the machine, they can combine that with the LFI issue to install and run arbitrary code such as a reverse shell, similar to the remote code execution that a remote file inclusion bug (RFI) would allow.
In order to secure the data on your web servers, you need a web application scanner you can trust to find every user input field in a web application no matter what it's built with, and allow you to easily understand and remediate LFI and any other web security vulnerabilities that it finds.
Netsparker can do this.
Netsparker Web Application Security Scanner is the most accurate scanner on the market. Whether your web server's operating system is Linux, Unix, or Windows, and whether the web application leans more heavily on server-side or client-side technologies, you're covered. Netsparker maps out the entire attack surface and identifies real vulnerabilities that attackers are targeting.
Don't just take our word for it: independent security researcher Shay Chen tested a broad range of commercial and open source web application vulnerability scanners against a benchmark designed to reflect modern web applications. Netsparker was the only one to find 100% of the security flaws, without reporting any false positives.
Netsparker also gives you the advantage of Proof Based Scanning™. Vulnerability finding comes with proof of exploit, thus proving a vulnerability is real and not false positive. The proof of exploit highlights the HTTP request that triggered the vulnerability, as well as the impact of the vulnerability.
This saves your security analysts hours or even days of tedious manual validation. Instead they can easily understand the identified vulnerabilities, prioritize them with confidence, and move on to other high-value tasks. For businesses who develop their own software, it also allows developers to save time identifying what part of the source code contains the security flaw, so they can more quickly write patches.
Netsparker Web Application Security Scanner is more than just an LFI scanner. Our dead accurate results can help you find and remediate the full range of website vulnerabilities including SQL injection, cross-site scripting (XSS), and other critical issues. Contact us today, begin your 15-day free trial, and see how easy it is to secure your web applications.