OWASP Periodic Table of Vulnerabilities - Remote File Inclusion
Remote File Inclusion
Root Cause Summary
The application loads data from an attacker-controlled resource at runtime, enabling a variety of malicious activities. Either the source address or the resource itself (or both) may be under the attacker's control.
Browser / Standards Solution
Define a standard for safe inclusion of 3rd-party code and content which enforces namespace separation and mediates namespace/DOM access.
The standard should provide support for the following content types:
- 3rd-party images
- Active content such as Flash, Applets, ActiveX or other OBJECT content
- IFRAMEd content
- 3rd-party SCRIPT
The standard should allow for the content to be safely rendered in both of the following scenarios:
- The content is loaded by the browser after the containing page is fully constructed by the web server.
- The content is embedded in the containing page by the web server before it is served to the browser.
Generic Framework Solution
Provide a configurable white list of 3rd-party domains which are allowed to serve inline content, and block file inclusion from all other domains.
Provide a proxy library to sanitize/sandbox third-party code and content for safe inclusion (e.g. Caja).
Custom Framework Solution
Custom Code Solution
Discussion / Controversy
This issue is closely related to Weak Authentication Methods, which allows malicious third parties to trick users into giving away login credentials. The standards solution is also closely related to Cross-Site Scripting.