Local File Inclusion

Overview

Local File Inclusion (LFI) vulnerabilities allow an attacker to read local files on the web server. Strictly, "inclusion" means the file is loaded into the application's own execution (for example through a PHP include()), while a handler that only reads the file and returns it is an arbitrary file read or path traversal; in practice both are tested and exploited the same way, and both are covered here. Files containing sensitive information, such as database credentials in an ASP.NET web.config, can be read and used to access additional sensitive data or to gain further access into the application and the network.

Source code files of the application may also be retrieved to understand its logic and find further vulnerabilities in it.

Example

A very simple example is a URL parameter that is passed straight to a function that reads files. Consider the following Node.js (with Express) example.

The code creates a simple HTTP server with Express. On a request to /, it takes the URL query parameter id (Express exposes it as req.query.id), stores it in the variable id and passes it, unchanged, to the readFile function of the Node fs module. The callback writes the file contents to the response and returns the response to the user.

var express = require('express');
var fs = require('fs');
var app = express();
app.get('/', function (req, res) {
  // Open a file on the server and return its content:
  var id = req.query.id;
  // Deliberately vulnerable: id comes straight from the request and is
  // used as the path without any validation.
  fs.readFile(id, function (err, data) {
    if (err) {
      res.writeHead(404, {'Content-Type': 'text/plain'});
      return res.end('not found');
    }
    res.writeHead(200, {'Content-Type': 'text/html'});
    res.write(data);
    return res.end();
  });
});
app.listen(8080);

So requesting http://localhost:8080/?id=/etc/passwd returns the contents of /etc/passwd (assuming the application process has permission to read it), which is the LFI. The handler performs no input validation or allow-list check on id and passes it straight to fs.readFile. Because an absolute path is accepted, no ../ traversal sequences are even needed; when the application prefixes a base directory instead, the same flaw is reached with ../ sequences unless the resolved path is checked to still lie inside that directory.

For further reading, start with these links, then see the further resources in this section:


  • What is directory traversal, and how to prevent it? (PortSwigger Web Security Academy)
  • Testing for Local File Inclusion (OWASP Web Security Testing Guide): https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion
  • File Inclusion/Path traversal (HackTricks)
Application Security Wiki