Testing Vulnerable Web Applications For Local File Inclusion, Server Side Request Forgery, Open Redirect, & Path Traversal

by Sunny Hoi

Introduction

We will first briefly elaborate on security vulnerabilities such as Local File Inclusion (LFI), Server Side Request Forgery (SSRF), Open Redirect, and Path Traversal. The first section will be called “Explaining Attack Vectors“.

Subsequently, we will explore the rapid and ingenious methods of discovering parameters vulnerable to the attack vectors we’ve discussed (LFI, SSRF, Open Redirect, & Path Traversal). The second section will be called “Attack Vector Examples“.

Thirdly, we will illustrate a publicly available Python-based scanner (Released by a security researcher) that may be deployed by security professionals to locate potential SSRF parameters in a web application. Moreover, we will show you how to install the Python script easily on your Linux system. The third section will be called “See-SURF“.

Lastly, we will conclude this tutorial by sharing useful resources that will significantly assist you in improving your overall knowledge and skills in penetration testing. The fourth section will be called “Additional Resources“.

Explaining Attack Vectors

What Is A Local File Inclusion (LFI)?

A file inclusion vulnerability permits an adversary to include a file, typically by exploiting a dynamic file inclusion method applied in the targeted application.

The adversary may deceive the targeted web application into revealing or running files on the webserver.

This vulnerability takes place as a result of the deployment of user-supplied input in the absence of proper validation. This may result in something as minor as outputting the contents of a file, yet contingent on the severity may cause arbitrary code execution (ACE).

Arbitrary Code Execution

Arbitrary code execution (ACE) is referred to as delineating a cyber actor’s capability to execute arbitrary commands or code on the victim machine or in a targeted process.

LFI > RCE, XSS, Sensitive Information Disclosure

A local file inclusion attack can give rise to Remote Code Execution (RCE), Cross-site Scripting (XSS), or sensitive information disclosure.

An LFI is very much like a Remote File Inclusion (RFI). The sole distinction is that in a local file inclusion attack, the actor has to upload the malicious script to the targeted server to be executed locally.

Server Side Request Forgery (SSRF)

In a Server Side Request Forgery (SSRF) attack, the adversary may send crafted requests from the back-end server of a vulnerable web application. Hackers generally deploy SSRF attacks to target internal systems that are in the back of firewalls and are inaccessible from the external network.

The actor may take advantage of the functionality located on the server to read or update internal resources.

The hacker may provide or alter a URL in which the code running on the server will read or submit data to. Furthermore, by thoroughly choosing the URLs, the hacker could perhaps read server configuration, connect to internal services or carry out POST requests towards internal services that are not supposed to be exposed.

Open Redirect Vulnerability

A site is vulnerable to an open redirect attack when the parameter values in an HTTP GET request permit for information that will redirect the user to a new site without requiring any validation of the target of the redirect.

An experienced attacker will already know to take advantage of the targeted user’s trust in a particular site (The vulnerable website) and exploit it accordingly to make them visit the attacker’s site.

Path Traversal

In a path traversal attack, the hacker intends to access files and directories that are kept outside the web root folder. The hacker’s objective is to obtain unauthorized access to the file system.

An attacker can manipulate variables that reference particular files with “../” sequences and its alternatives or by deploying absolute file paths to potentially access arbitrary files and directories saved on the file system. Bear in mind that access to files is restricted by system operational access control.

Attack Vector Examples

The following attack vectors serve as rapid and ingenious techniques for pinpointing parameters vulnerable in a web application:

You will, of course, want to replace ‘vulnerablehost‘ with the domain you are penetration testing (With the relevant ‘http://‘ or ‘https://‘).

See-SURF

As we’ve mentioned in our opening section, See-SURF is a publicly available Python-based scanner utilized by penetration testers to pinpoint potential SSRF parameters in web applications.

See-SURF was created by a security researcher.

Installing See-SURF

See-SURF can be installed easily on your Linux system:

The See-SURF Python Script

The code for the See-SURF Python script is below:

Additional Resources

For a more in-depth look at how local file inclusion can be utilized by a hacker, consider checking out our tutorial on LFI.

File inclusion attacks like Remote File Inclusion (RFI) frequently involve hackers uploading backdoor web shells from a remote URL found within a different domain. PHP Web Shells play a significant role in granting a hacker the advantage of browsing a server’s filesystem and send out commands on the target server.

To safely test your penetration testing skills in a legal environment, you may download a PHP/MySQL web application called Damn Vulnerable Web App (DVWA). We recommend that you deploy a virtual machine like VirtualBox and set to NAT networking mode. You may download and install XAMPP for the webserver and database. Refrain from uploading DVWA to your hosting provider’s public HTML folder or any live public accessible servers since hackers will likely compromise the servers.

The Capital One Hacker was able to successfully exploit an SSRF vulnerability, illustrating how vital web application security truly is.

Online Courses – Information Security Training

If you would like to further improve your overall knowledge and skills in penetration testing, consider the 1337pwn APT membership which provides you with every course offered on our online training website.

Related Posts