Preventing File Inclusion Attacks on Website

P.S.Sadaphule, Utkarsha Dhande, Priyanka Kamble, Sanika Mehre, Rashmi Savant

sadaphule.compdept@gmail.com, utkarshadhande13@gmail.com, piukamble1249@gmail.com, sanikamehre@gmail.com,
sawant.27.rashmi@gmail.com
Computer Engineering, AISSMS’s IOIT, Pune

Abstract — People use internet to communicate database , shell and other important confidential files of
with one another. Without internet, it would be both the site via front end web application.
more expensive and slower to maintain personal and
PHP is Hypertext Preprocessor; because of its
professional relationships. Many people use internet prevalent and easy to develop web application the
to enjoy themselves and to engage in personal vulnerabilities found in codding of website and also
interests. However, there are many security threats
because of careless use of functions in PHP language
people come across which may be viruses, worms, file web sites becomes unsecured. Better use of proper GUI
inclusion etc. So, to provide security to web
to communicate with clients in better way may cause to
applications and preventing root shell access and
build a better website.
admin passwords is the main challenge. In previous
survey, we have studied on security threats such as Most of the time website are altered by
remote file inclusion and local file inclusion. Also, we vulnerabilities like SQLi, LFI, RFI & XSS. In this survey
have mentioned different prevention techniques such we only focus on two main vulnerabilities which are LFI
as Digital Signature, File size verification, and RFI. Existence of vulnerabilities in web application
Sanitization of input and Dynamic allocation to represented if web application has some codes that will
prevent website attacks. In this paper we have dynamically refer to an external script .Where as LFI
implemented these techniques by using methods such attacks occurred when file is injected into site present
as MD5, SHA256. The expected outcome will be already in web application. The main purpose is to
achieved by using these methods, providing security exploit function to upload malware (backdoor shell) in
to the websites from RFI and LFI attacks. application.
Keywords- Local File Inclusion attacks, Prevent
vulnerability, Remote File Inclusion Attacks, Security
OBJECTIVE
The objective of this paper is to prevent the web
site from various malicious attacks of RFI & LFI by
using PHP language & CSS. Also preventing
information theft and to prevent content modification in
web site and hence building trust with the customers.
INTRODUCTION
Human beings relay on websites and web LITERATURE SURVEY
applications for most of the things and transactions. On
the other hand as the usage of the web application There are many of researches done on various
increases so as maintaining security to such applications web vulnerabilities which comes under Semantic URL,
become more complex but the important and essential Cross-Site scripting, Cross-Site Request forgery, etc.
aspect. Such applications are used frequently which This system comes under Semantic URL means such
produces high risk of getting affected by attackers ,by attacks involve a user modifying the URL discover mode
exploiting the vulnerabilities between them. to perform various actions which are not originally
planned to be handled by server[2]. Survey found
Vulnerabilities or weaknesses found in web site reviews on various vulnerabilities such as RFI, LFI,
causes loss of important data of website of an SQLi, Query string attacks[1][3][4][5][6].
organization which further can cost to an organization in
critical way and hence it may reduce or harm reputation Also, Studied various methods used for
of an organization. This kind of vulnerabilities provoke exploitation, testing areas and security method and tools
attacker to have an unauthorized access to the back end including different algorithms which are being

Volume: 3 Issue: 2 April - 2018 95

used[1][2][3].For preventing from the LFI attack also the paper to understand the importance of sanitization and
various vulnerabilities and methods of LFI attacks[4].For how it i used as a prevention method. AntiLFIer is used
studying more about RFI attack we have studied the RFI for prevention which allows access to only the trusted
botnet[8].To learn more about attackers perspective and file. Prevention method checks whether file is trust full
why attacker choose RFI type of vulnerability we have or not. This paper[5] done the different types of attacks
studied different types of exploits and learnt how the and analysis on such attacks are mentioned
attacker gains root shell access and admin passwords[7] .Vulnerability scan carried out in 2013 by semantic
website vulnerability assessment services found that 77
In paper [1] The reachers focuses on this paper LFI percent of site are vulnerable. Many organization are
based RFI and SQLi attacks ,then to prevent this attacks losing their reputation because of the vulnerabilities
confidential and sensitive data such that root user found in websites. In this paper concentrate on
,password ,SSH login credential are disclosed by the prevention methods performed after executing attack on
system. In this paper to learn different methods such that user's machine. This paper attack scenario o the known
get method and post method used for exploitation. This vulnerable websites WAckoPicko of three types of
paper introduces security features which developers attacks -SQL Injection stored XSS and Remote File
usually design data processing technology through HTTP Inclusion. In this application has 10 vulnerability
POST method. Different files which are stored in accessible without authentication. In forensics expertise
different directories for security purpose. For system there are mail three phases acquisition, analysis,
security also studied different methods which are apply presentation. The purpose of the system in this paper [6]
for exploitation and security. LFI and RFI attacks system is to detect and prevent against malicious attacks over
concentrated on it. LFI is web application attack which the developers Website written in programming
allow user to include different files located in web languages like PHP,ASP.net and ASP also, it creates
application on server machine. RFI is one of the attack in native language API through which transaction and
website by remotely handled and access any type of user interactions are sent to IDS server through inter server
machine. The paper [2] mainly studied for various communication mechanism. IDS server developed from
testing strategies and types of testing. Also focuses on PHPPIDS. Base of PHPIDS is PHP intrusion detection
the knowledge of the technique pen testing on website, system which is mean to be used as server site tool. In
discusses the different phases ,in this attack victims and this paper to detect and prevents attacks such that SQLi
upgrades software tools to make the penetration test. ,LFI,RFI and XSS types of attacks. By using WAPT
Pentesting means a safety test with a specific objective algorithm to analyze the attacks is done with the help of
for evaluating systems. Its the set of safety test with this to record the activities of website and examine the
detector objective, after achieving the goal ID is suspicious behavior. Hacker constantly attacks on
terminated. This paper refer for different types of website so in this paper [7] field study which is
security entities such that authentication, authorization, presented on the attacker perspective is looking over real
integrity and availability. Also in common attacks which exploits used by hackers to attack website .SQL
are used such as semantic URL, cross site scripting, injection and remote file inclusion are two most
HTTP request counterfeited and attacks through the frequently used attacking techniques by hacker because
database. From this system understood that RFI and LFI attacker prefer easier techniques than complicated. Root
attacks comes under semantic URL method. The paper shell and the admin password are the main aim of
[3] protects the front end web applications from attacker to obtain the this entity because its easily attack
unauthorized access. Website front end and database is on website. website exploits may be simple as a specially
back end it can be accessible through web browser. crafted URL or as complex as an automated program
Vulnerability scanner is used for front end. This paper with hundreds of lines of code that can be executed and
focuses on design of web application , detection and completed .This paper field analyses the attacks of six
prevention of attacks which are RFI ,query string attacks widely used and well known web applications like PHP-
,cross site scripting attacks and union attacks. It Nuke, drupal, PHP-fusion, wordpress php MyAdmin and
overcomes by applying different algorithms such as phpBB. The paper [8] covered attacking methods like a
longest sub sequence algorithm and brute force string Remote File Inclusion, Cross Site Scripting and code
matching algorithm. The aim is to develop a web Inclusion. The ethics of attack or attackers are RFI .In
application-bot admin and user credentials ASP.net and botnet RFI attacks involved and the attacker are web
system also refer how to provide website authentication. promised. Domain name, content and dynamic IP
This paper [4] mainly focuses on LFI vulnerability. The address by using this vulnerable web sites are done.
local file access is done by manipulating the user IP. LFI Attacker are hosted the hoster which is the host that have
attack are null byte poisoning, log poisoning, malicious web server or FTP server by using some tools .In this
image upload, self file in linux environment and paper to highlight the RFI attacks which include another
alternate log poisoning .In this paper system understand internet site or directories in the same hard drive ,this is
the LFI Vulnerability is prevented from root cost analyze big advantage for the coder and it neglect result which
source code and defeat attack sanitization. From this

Volume: 3 Issue: 2 April - 2018 96

can be in successful attack point and compromising of included the attacker can get access to the remote
the host. servers.

PROPOSED METHODOLOGY This kind of attack can be avoided/prevented by not

making the use of any arbitrary input data in the file
include request or simply disable the allow_url_include
LFI is an inclusion attack ,where attacker exploit the
from the php ini file on the php running server.
functionalities which dynamically includes the scripts
This attack can be very destructive and can create alots
and the files. The LFI attacks takes place/happens when
of complications.
the attacker gets the path to the file which is to be
included as the input .This local file is allowed to put in
Steps for Vulnerable site:
the ‘include’ statement/request. The result of this LFI
attack incorporates Directory Traversal and Information
Step-1: Site on which attacker tries to attack:
Disclosure.Following is the example which is
In this stage, Security is not provided to the site.User is
vulnerable to LFI: free to access the site.
Step 2:Attacker gets shell access:
$file = $_GET[‘file’]; When the user tries to get access on this site he is able
include(‘directory/’,.$file); to get root shell access over server.
Step-3: Security of website get compromised:
Suppose we have the URL as: As no security is provided security of website gets
http://localhost/file.php?command=xyz.php instead of compromised and attacker has control over all the
xyz.php we can enter any of the file name we want. confidential information.
So here if we want any file content we can change it as:
http://localhost/file.php?command=../../apache/conf/http Steps for Secured site:
d.conf
Similarly we can retrive the content of any file on file Step-1:Attacker tries on site which is secured by
security API :
system.
This is the site on which our security API works.
When attacker tries to attack on the site, the code
One mitigation for LFI is simply change the settings in gets verified.
php.ini file, uncomment it and set as follows:
open_basedir =c:\\xamp\\htdocs, ,and save the Step-2:Attackers URl/code gets verified:
configuration, which means if anyone want to access
the file usin the include() method, it checks the location In this stage, all the prevention techniques are used
to verify the user`s URL/code.
of the file, the php refuses to access the file ,as it is
a) Dynamic Allocation Prevention method
present outside the specified directory-tree. The Every page has entry stored in theHash table. In
application can create a whitelist of files which can be Dynamic allocation method; these entries get
included in order to avoid the the inclusion of file by matched with the page which is dynamically
attacker. entered. If both the entries get matched, user is
allowed to procced .Else access denied for the
RFI is Remote File Inclusion . The Php running user. This is the simplest kind of prevention
method.
websites, are often vulnerable to the RFI type of attack.
b) Sanitization of Input Prevention Method
The attacker can include a file remotely through a script Validation checks if the input meets a set of
on Web Server. The possibility of this attack can be criteria. In Sanitization, it modifies the input to
due to the user input without any proper validation. ensure that it is valid. So, in this method the
contents are getting filtered and only the
The attacker can contrivance the application to execute Sanitized code will be executed. This method is
most promising as it allows only the non-
a malicious code which the attacker can upload on the
vulnerable code to be executed ignoring all the
web servers ,it can be through webshell. The attack can vulnerabilities of it.
be done by the use of the user supplied input without c) Digital Signature Prevention Method
any proper validations .Once the webshell is being A Digital Signature is a mathematical scheme
for validating the authenticity of Digital
message or document. In Digital Signature

Volume: 3 Issue: 2 April - 2018 97

 ,every page entered into hash table has provided
an unique ID. If ID gets matched the user is
allowed to proceed.
d) File size verification Prevention Method
File size verification is a process of using an
algorithm for verifying the integrity of file. In
File size verification the input of file size is
compared , this can be done by comparing two
files bit by bit. But the only problem with this
method is, once in a while the file size can be
matched though there are least chances of it. If
we put the file size in bytes then there will be
less chances of getting matched with the same
file size.

Step-3: System`s Actions after Verifying code :

Here, the system takes an action after verifying the
code. User get access to website if he is valid user.If the
user is not valid user`s IP address will be blocked for
next 24 hours.
Step-4 : User IP Add blocked forever :
Even after 24 hours user tries to gain access site and if
it is invalid and vulnerable code then it is considered as
the User is an attacker and purposefully he is trying to
attack the site. Here in this case the Attackers IP
address will be blocked forever

SYSTEM ARCHITECTURE

This architecture consists of mainly two Figure 1. Intrusion Detection and Prevention Architecture
scenarios, the first scenario shows how exactly attack is
performed by attacker. The second scenario shows, how
system response when attacker tries to attack , and how it
prevent from attacks by implementing prevention
methods and what actions will be taken on attacker.
In second scenario, it is shown how the system
The below architecture shows detailed working reacts when any user tries to access the particular site.
of proposed system. Firstly, it will check for the prevention methods. It will
compare the code or URL with each of the prevention
Basically there are two scenarios which method, if the data is non vulnerable, user is allowed to
explains the total working of the model. In first scenario, access the site. If the URL is vulnerable then the user is
Attacker tries to inject malicious code into the page not allowed to access the site as well as it might be
remotely. He might try to include the file or say code, considered as an attacker and alert message sent to
where the code is vulnerable. After finding such server site. So, the attacker`s IP address will be blocked
weakness from the page the attacker is free to attack on for 24hrs and the site will be secured. It might be
the site , if attacker tries to include .php file into such possible that the URL which we are considering
place he will be succeed to have control on the server as vulnerable is accidently put by the user. That’s why users
the PHP code compiled directly from the server. Such or we can say attackers IP has been blocked for 24hrs
kind of code is known as shell. In this scenario the only. But, if the user/attacker retries to put such
attacker gains shell access. incorrected URL it is considered that he is trying to put
malicious code on the site to harm the site or to gain
unauthorized control. So in this case, attackers IP is
blocked forever.

Volume: 3 Issue: 2 April - 2018 98

 RESULTS

This is the initial configuration page.

Fig: System Initialization page Fig:Access denied page

This page contains the actual machanisam of blocking

and unblocking all the unwanted requests and all the
logs related to previous attacks.
CONCLUSION
In this paper, the purpose is to provide
prevention to website by various malware attacks. The
attacks performed using LFI and RFI techniques has
been prevented by this web application using different
prevention methods like Dynamic Allocation method,
Digital Signature method , verification of input and File
Size Allocation , which provides security to the web
site.

Fig: Dashboard
REFERENCES
[1 ] Afasana Begum and Md. Maruf Hassan,”RFI and
SQLi based Local File Inclusion Vulnerabilities in Web
Applications”,International Workshop on
Computational Intelligence(IWCI),12-13 Dec 2016.

This page will be displayed when particular request has [2] Rina Elizabeth Lopez De Jimenez,”Pentesting on
been blocked or IP address has been banned on the Web Applications using Ethical Hacking”,ITCA
server. FEPADE,La Libertad,30 June 2016.

[3]J.Jemmi Hazel and Dr. P.Valarmathie,”Guarding

Web Application with multi-angled attack
detection”,(ICSNS),25 Feb 2015.

[4] Mir Saman Tajbakhsh and Jamshid Bagherzadeh,”A

sound framework for Dynamic prevention of Local File
Inclusion ”, 7th International Conference on Information
and Knowledge Technology,2015.

[5]Natasa Suteva and Mario Loleski,”Computer

Forensic Analysis Of some Web
Attacks”,(WorldCIS),2014

Volume: 3 Issue: 2 April - 2018 99

[6]Mr.R.Priyadarshini and Mr.Jagadiswaree,”A Cross 21st International Symposium on Software Reliability
Platform Intrusion Detection System using Inter Server Engineering , 2010
Communication Technique”, IEEE-ICRTIT 2011 MIT,
Anna University, Chennai. June 3-5 2011 [8]Hugo F.Gonzalez and Robeldo,”Types of Hosts on
Remote File Inclusion (RFI)”, Electronics, Robotics and
[7]Jose Fonseca, Macro Vicira and Henrique Madeira, Automotive Mechanics Conference, 2008
”The Web Attacker Perspective-A Field Study”, IEEE

Volume: 3 Issue: 2 April - 2018 100