Despite accounting for a fifth of attacks on applications, awareness of remote and local file inclusion is worryingly low.
According to Imperva, local file inclusion (LFI) and remote file inclusion (RFI) attacks accounted for 21 per cent of all application attacks observed between June and November 2011 on 40 applications. The technique lets an attacker run code of their choosing on the server, and from there steal data.
Talking to SC Magazine, Imperva senior security strategist Noa Bar-Yosef said that in an RFI attack the attacker uploads the malware to the server, so it is an underlying application security threat, and one that is prevalent enough to rank among the top four techniques.
“This targets PHP applications which affect 77 per cent of websites, so the potential is massive. The TimThumb vulnerability was an RFI attack, and so was the attack on the military dating site. This shows that file inclusion attacks are one of the top techniques we have seen,” she said.
She also said that RFI attacks are automated, with attackers using botnets to exploit vulnerabilities.
“SQL injection is the number-one way to attack applications to remove data, but we are seeing better techniques. An RFI attack can cause a crash, extract data and allow an attacker to take over a server. We saw an increase in the second half of 2011, and what is concerning is that this does not show up in the OWASP top ten attacks,” Bar-Yosef said.
In an LFI attack the vulnerable code is tricked into including a file that already exists on the server, such as a system file, a log file, or a file the attacker has previously uploaded, rather than fetching one from elsewhere; in an RFI attack the same include statement is pointed at a URL on a server the attacker controls.
A common RFI trick is to host the malicious PHP code in a file with an innocuous name such as a .jpg or .txt. The extension is irrelevant: where the server permits remote includes (PHP's allow_url_include setting), a vulnerable include() fetches the file and executes whatever PHP it contains.
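The LFI half of the above, as an added Python model that is not code from the article or from Imperva: naive_include_path() mirrors the PHP pattern include($base . $_GET['page'] . '.php') so you can see where traversal and null-byte payloads land, and resolve_page_safely() is the allowlist-plus-containment fix. The base directory, page names and template list are assumptions for illustration. Python's open() never fetches URLs, so the remote (RFI) case is not modelled here, but the allowlist rejects those values too.

```python
import os
from typing import Optional

# Constructed allowlist: the only templates index.php is meant to include.
ALLOWED_PAGES = {
    "home": "home.php",
    "about": "about.php",
    "contact": "contact.php",
}


def naive_include_path(base_dir: str, page: str, null_truncates: bool = False) -> str:
    """Model of the vulnerable pattern include($base . $_GET['page'] . '.php'):
    the user-controlled value is spliced into the path unchecked.

    null_truncates=True reproduces PHP < 5.3.4, where a %00 in the value cut the
    path short, so the appended '.php' no longer protected anything."""
    target = page + ".php"
    if null_truncates and "\x00" in target:
        target = target.split("\x00", 1)[0]
    # os.path.join discards base_dir when page is absolute, and normpath
    # collapses '..' segments: both are the LFI primitive.
    return os.path.normpath(os.path.join(base_dir, target))


def resolve_page_safely(base_dir: str, page: str) -> Optional[str]:
    """Hardened replacement. The request value is never used as a path; it is a
    key into ALLOWED_PAGES, and the resolved file must still lie under base_dir."""
    template = ALLOWED_PAGES.get(page)
    if template is None:
        return None
    base = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(base, template))
    # Defence in depth: if the allowlist were ever misconfigured with a
    # traversal entry, refuse anything that resolves outside base_dir.
    if os.path.commonpath([base, path]) != base:
        return None
    return path


if __name__ == "__main__":
    base = "/var/www/app/pages"  # assumed template directory
    for payload in ("about", "../../../../etc/passwd",
                    "../../../../etc/passwd\x00", "http://203.0.113.5/cat.jpg"):
        print(repr(payload))
        print("  naive  :", naive_include_path(base, payload, null_truncates=True))
        print("  safe   :", resolve_page_safely(base, payload))
```

The allowlist is the real fix; the containment check on the resolved path is there so that a later change to the mapping cannot quietly reintroduce traversal.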
Asked how this can be blocked or avoided, Bar-Yosef cited the main areas of application security: monitor online discussion of your organisation's security; blacklist IP addresses known to be bad; install a web application firewall; consider a vulnerability assessment tool whose findings feed into the firewall; and take steps to stop automated attacks.
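To make the firewall and "stop automated attacks" points concrete, here is an added detection example in Python, not from the article or from any Imperva product: it parses Apache combined-format access log lines, flags query values that look like LFI or RFI payloads (including double-encoded and null-byte variants), and counts flagged requests per source address to surface the repetitive, scripted pattern of botnet scanning. The log lines, IP addresses and the threshold are constructed for illustration.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache/nginx "combined" access log; only the client IP and request target matter here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Signatures of file-inclusion payloads, applied to each decoded query value.
CHECKS: List[Tuple[str, re.Pattern]] = [
    ("rfi", re.compile(r"^\s*(?:https?|ftps?)://", re.I)),                       # include() of a remote URL
    ("wrapper", re.compile(r"^\s*(?:php|data|expect|phar|zip)://|^\s*data:", re.I)),  # PHP stream wrappers
    ("traversal", re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")),                    # ../ or ..\ segments
    ("null-byte", re.compile("\x00")),                                            # %00 truncation (PHP < 5.3.4)
    ("sensitive-file", re.compile(r"/etc/passwd|/proc/self/environ|boot\.ini|win\.ini", re.I)),
]

SAMPLE_LOG = [  # constructed log lines for illustration
    '203.0.113.5 - - [15/Nov/2011:10:02:11 +0000] "GET /index.php?page=http://198.51.100.7/cat.jpg HTTP/1.1" 200 4310 "-" "Mozilla/4.0"',
    '203.0.113.5 - - [15/Nov/2011:10:02:12 +0000] "GET /index.php?page=../../../../etc/passwd%00 HTTP/1.1" 200 1842 "-" "Mozilla/4.0"',
    '198.51.100.23 - - [15/Nov/2011:10:02:13 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [15/Nov/2011:10:02:14 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=config HTTP/1.1" 200 2210 "-" "Mozilla/4.0"',
    '203.0.113.5 - - [15/Nov/2011:10:02:15 +0000] "GET /index.php?page=%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 310 "-" "Mozilla/4.0"',
    '198.51.100.23 - - [15/Nov/2011:10:03:01 +0000] "GET /index.php?page=../README HTTP/1.1" 404 290 "-" "Mozilla/5.0"',
]


def inspect_target(target: str) -> List[Tuple[str, str]]:
    """Return (parameter, kind) findings for one request target."""
    findings = []
    for name, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        # parse_qsl already percent-decoded once; decode again so %252e%252e
        # (double-encoded '..') is seen the way a decoding application sees it.
        value = unquote(raw)
        for kind, pattern in CHECKS:
            if pattern.search(value):
                findings.append((name, kind))
    return findings


def scan_access_log(lines: List[str]) -> List[dict]:
    """Flagged requests: ip, raw target and the findings that matched."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        findings = inspect_target(m.group("target"))
        if findings:
            hits.append({"ip": m.group("ip"), "target": m.group("target"), "findings": findings})
    return hits


def noisy_sources(hits: List[dict], threshold: int = 3) -> Dict[str, int]:
    """Sources with at least `threshold` flagged requests: the scripted pattern
    a single human tester rarely produces in one short window."""
    counts = Counter(h["ip"] for h in hits)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    flagged = scan_access_log(SAMPLE_LOG)
    for h in flagged:
        print(h["ip"], h["target"], h["findings"])
    print("automated sources:", noisy_sources(flagged))
```

The second unquote() is deliberate: many scanners double-encode traversal sequences to slip past filters that decode only once, and a detector that does not decode the same number of times as the application will miss them. The threshold is a starting point; tune it against your own traffic, and treat the per-source count as a trigger for blocking, which is where the blacklist and firewall advice above comes in.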
She said: “Also fix your code as, ultimately, to be secure you have to be secure yourself.”
Tal Be'ery, Imperva's senior web researcher, said: “LFI and RFI are popular attack vectors for hackers because they are less known and extremely powerful when successful. We observed that hacktivists and for-profit hackers utilised these techniques extensively in 2011, and we believe it is time for the security community to devote more attention to the issue.”