Difference between revisions of "Testing for Local File Inclusion"

From OWASP
Jump to: navigation, search
(Page created)
 
(Brief summary (wiki) added)
Line 3: Line 3:
 
== Brief Summary ==
 
== Brief Summary ==
 
   
 
   
Here comes Brief Summary about File Inclusion vulnerability
+
File Inclusion vulnerability allows an attacker to include a file, usually through a script on the web server. The vulnerability occurs due to the use of user-supplied input without proper validation. This can lead to something as minimal as outputting the contents of the file, but depending on the severity, to list a few it can lead to:
 +
 
 +
*Code execution on the web server
 +
*Code execution on the client-side such as JavaScript which can lead to other attacks such as cross site scripting (XSS)
 +
*Denial of Service (DoS)
 +
*Sensitive Information Disclosure
 +
 
  
 
== Description of the Issue ==
 
== Description of the Issue ==

Revision as of 12:21, 14 September 2013

This article is part of the new OWASP Testing Guide v4.
Back to the OWASP Testing Guide v4 ToC: https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents Back to the OWASP Testing Guide Project: https://www.owasp.org/index.php/OWASP_Testing_Project

Brief Summary

File Inclusion vulnerability allows an attacker to include a file, usually through a script on the web server. The vulnerability occurs due to the use of user-supplied input without proper validation. This can lead to something as minimal as outputting the contents of the file, but depending on the severity, to list a few it can lead to:

  • Code execution on the web server
  • Code execution on the client-side such as JavaScript which can lead to other attacks such as cross site scripting (XSS)
  • Denial of Service (DoS)
  • Sensitive Information Disclosure


Description of the Issue

Why is it so bad

Black Box testing and example

Black box

Gray Box testing and example

Gray box

References