Difference between revisions of "Testing for Local File Inclusion"

From OWASP
Jump to: navigation, search
(Page created)
 
(Brief summary (wiki) added)
Line 3: Line 3:
 
== Brief Summary ==
 
== Brief Summary ==
 
   
 
   
Here comes Brief Summary about File Inclusion vulnerability
+
File Inclusion vulnerability allows an attacker to include a file, usually through a script on the web server. The vulnerability occurs due to the use of user-supplied input without proper validation. This can lead to something as minimal as outputting the contents of the file, but depending on the severity, to list a few it can lead to:
 +
 
 +
*Code execution on the web server
 +
*Code execution on the client-side such as JavaScript which can lead to other attacks such as cross site scripting (XSS)
 +
*Denial of Service (DoS)
 +
*Sensitive Information Disclosure
 +
 
  
 
== Description of the Issue ==
 
== Description of the Issue ==

Revision as of 13:21, 14 September 2013

This article is part of the new OWASP Testing Guide v4. 
At the moment the project is in the REVIEW phase.

Back to the OWASP Testing Guide v4 ToC: https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents Back to the OWASP Testing Guide Project: http://www.owasp.org/index.php/OWASP_Testing_Project

Contents


Brief Summary

File Inclusion vulnerability allows an attacker to include a file, usually through a script on the web server. The vulnerability occurs due to the use of user-supplied input without proper validation. This can lead to something as minimal as outputting the contents of the file, but depending on the severity, to list a few it can lead to:

  • Code execution on the web server
  • Code execution on the client-side such as JavaScript which can lead to other attacks such as cross site scripting (XSS)
  • Denial of Service (DoS)
  • Sensitive Information Disclosure


Description of the Issue

Why is it so bad

Black Box testing and example

Black box

Gray Box testing and example

Gray box

References