Remote file inclusion (RFI) is a critical web security vulnerability which if exploited allows the attacker to include a file from another server, containing malicious code to be executed when a victim visits a vulnerable website. In order to ensure your websites and web applications are not vulnerable to these type of vulnerabilities you need to scan them with a RFI vulnerability scanner, or even better, with a web application security scanner - a software that can detect RFI and thousands of other vulnerability variants.
Like many other web application vulnerabilities, RFI happens as a result of poor input validation. Specifically, when a vulnerable application uses a user-supplied input in an include() call and it does not verify that the file being called is one that should be used by the application, and the code is then executed on the web server.
In a high-level sense, it is similar to another file inclusion bug, local file inclusion (LFI), since both types of vulnerabilities allow an attacker to run code that was never intended to be run by a web application. But, it is even more dangerous. In an LFI vulnerability, a website will only run code or display files already present on the web server. This can lead to information disclosure of potentially critical files like etc/passwd and potential web server security issues, but does not give the attacker leeway to run any code they want unless there is some other vulnerability on the web server that allows the attacker to upload arbitrary commands to a file.
To identify RFI vulnerabilities in a web application, you need a vulnerability scanner that can accurately map out the entire application, no matter what technology it is built with, and then accurately identify which attack surfaces are vulnerable. You need Netsparker.
Netsparker is the most accurate web security scanner on the market. It is designed to map out and test applications automatically, with the least possible user intervention. According to a 2017 benchmark of both commercial and open source web application scanners by independent security researcher Shay Chen, Netsparker was the only vulnerability scanner to find every vulnerability in the benchmark and without reporting any false positives.
Netsparker’s accuracy is the result of the Proof Based Scanning™. This technology generates a proof of exploit when it identifies a vulnerability. It does so by automatically exploiting the vulnerability in a safe and read only matter. Therefore in the security report you can see the HTTP request that was used to exploit the vulnerability, as well as the impact the exploited vulnerability has on the vulnerable web application or web server.
This saves time throughout the testing and remediation process. Security analysts can see at a glance what effect these vulnerabilities have, quickly and confidently make decisions about remediation priority, and move on to other valuable tasks without having to spend hours or days verifying false positives. And, for companies who create their own applications in-house, these dead accurate results can help software developers identify the flawed business logic more quickly and write more secure source code without requiring the assistance of expensive security professionals.
Of course, Netsparker Web Application Security Scanner is more than just an RFI scanner: it has vulnerability checks for SQL injection, cross-site scripting (XSS), LFI, and the full spectrum of vulnerabilities and misconfigurations that affect today's web applications. Contact us today for your free 15-day trial, and see what the most accurate and flexible scanner can do for your security program!