Finding Remote File Inclusion In Your Environment

File inclusion vulnerabilities are very dangerous because they allow hackers to include arbitrary source code files, typically malicious in vulnerable web applications. The Netsparker scanner can easily identify both remote and local inclusion flaws.

Get a Demo

Remote file inclusion (RFI) is a critical web security vulnerability which if exploited allows the attacker to include a file from another server, containing malicious code to be executed when a victim visits a vulnerable website. In order to ensure your websites and web applications are not vulnerable to these type of vulnerabilities you need to scan them with a RFI vulnerability scanner, or even better, with a web application security scanner - a software that can detect RFI and thousands of other vulnerability variants.

What Is Remote File Inclusion?

Like many other web application vulnerabilities, RFI happens as a result of poor input validation. Specifically, when a vulnerable application uses a user-supplied input in an include() call and it does not verify that the file being called is one that should be used by the application, and the code is then executed on the web server.

In a high-level sense, it is similar to another file inclusion bug, local file inclusion (LFI), since both types of vulnerabilities allow an attacker to run code that was never intended to be run by a web application. But, it is even more dangerous. In an LFI vulnerability, a website will only run code or display files already present on the web server. This can lead to information disclosure of potentially critical files like etc/passwd and potential web server security issues, but does not give the attacker leeway to run any code they want unless there is some other vulnerability on the web server that allows the attacker to upload arbitrary commands to a file.

In RFI attacks, the vulnerable application will run malicious code that it retrieves from an arbitrary external URL. Thus, a malicious user can include code that resides on a machine that they control. Depending on the attacker's goals, a remote file inclusion attack can lead to remote code execution on the web server, malicious JavaScript being served to a client, disclosure of sensitive information, as well as denial of service.

Identifying Remote File Inclusion Vulnerabilities

To identify RFI vulnerabilities in a web application, you need a vulnerability scanner that can accurately map out the entire application, no matter what technology it is built with, and then accurately identify which attack surfaces are vulnerable. You need Netsparker.

Netsparker is the most accurate web security scanner on the market. It is designed to map out and test applications automatically, with the least possible user intervention. According to a 2017 benchmark of both commercial and open source web application scanners by independent security researcher Shay Chen, Netsparker was the only vulnerability scanner to find every vulnerability in the benchmark and without reporting any false positives.

Netsparker’s accuracy is the result of the Proof Based Scanning™. This technology generates a proof of exploit when it identifies a vulnerability. It does so by automatically exploiting the vulnerability in a safe and read only matter. Therefore in the security report you can see the HTTP request that was used to exploit the vulnerability, as well as the impact the exploited vulnerability has on the vulnerable web application or web server.

This saves time throughout the testing and remediation process. Security analysts can see at a glance what effect these vulnerabilities have, quickly and confidently make decisions about remediation priority, and move on to other valuable tasks without having to spend hours or days verifying false positives. And, for companies who create their own applications in-house, these dead accurate results can help software developers identify the flawed business logic more quickly and write more secure source code without requiring the assistance of expensive security professionals.

Contact Netsparker Today

Of course, Netsparker Web Application Security Scanner is more than just an RFI scanner: it has vulnerability checks for SQL injection, cross-site scripting (XSS), LFI, and the full spectrum of vulnerabilities and misconfigurations that affect today's web applications. Contact us today for your free 15-day trial, and see what the most accurate and flexible scanner can do for your security program!

What our customers are saying

"I had the opportunity to compare external expertise reports with Netsparker ones. Netsparker was better, finding more breaches. It’s a very good product for me."
"As opposed to other web application scanners, Netsparker is very easy to use. An out of the box installation can detect more vulnerabilities than any other scanner."
"We chose Netsparker because it is more tailored to web application security and has features that allow the university to augment its web application security needs."

Save your security team hundreds of hours with Netsparker's web security scanner.

Get a Demo