Editor's Blog and Industry Comments

Remote File Inclusion (RFI) highlighted in new trending analysis

11 May, 2011
The Imperva Hacker Intelligence Initiative (HII) has turned the tables on the hacking community by delving into their cyber-underground lair to provide analysis of the trending hacking techniques and interesting attack campaigns from the past month.

The first, of what will be a monthly inside scope, looks at an attack which usually flies under the radar – Remote File Inclusion (RFI).


Amichai Shulman, Imperva’s co-founder and CTO, believes, “Although these attacks have the potential to cause as much damage as the more popular SQL Injection and Cross-Site Scripting (XSS) attacks, they are not widely discussed and they need to be!”


Speaking about the attack format itself, Amichai explains, “Remote File Inclusion (RFI) is an attack that targets the computer servers that run web sites and their applications. RFI usually exploits the PHP programming language - used by many large firms including Facebook and SugarCRM. RFI works by exploiting applications that reference files hosted on different servers and, as PHP doesn’t properly sanitise the input to these requests, an RFI attack replaces these references with links to websites that are under the attacker’s control and can be used for temporary data theft or manipulation, or for a long term takeover of the vulnerable server.”


Amichai provides the following advice, “The most common protection mechanism against RFI attacks is based on signatures for known vulnerabilities in the Web application. From our observations, it is apparent that we can improve the detection and blocking of such attacks by creating a blacklist of attack sources and a blacklist of URLs of remotely included malicious scripts. Having advanced knowledge of RFI attack sources allows the WAF to block an attack before it even begins. Creating a blacklist of the referenced URL enables the WAF to block exploits targeting zero-day vulnerabilities of applications. Finally, the blacklist of IPs constructed from the RFI attack observations could be used to block other types of attacks issued from the same malicious sources.”


Imperva's HII has documented examples of automated attack campaigns launched in the wild. This report pinpoints their common traits and techniques, as well as the role blacklisting can play in mitigating them, and can be viewed by visiting blog.imperva.com.
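The blacklisting approach described in the advice above, sketched as an added example (not Imperva's code or data): it flags requests whose query parameters carry a remote URL, builds source-IP and included-URL blacklists from those observations, and applies the lists to later requests. The request entries, addresses, domain and function names are constructed for illustration.

```python
from urllib.parse import parse_qsl, urlsplit

# Constructed observations: (source IP, request target). Addresses use
# documentation ranges and an example domain; none come from the report.
OBSERVED = [
    ("203.0.113.7", "/index.php?page=http://files.example.net/shell.txt?"),
    ("198.51.100.23", "/view.php?inc=news.php"),
    ("203.0.113.7", "/gallery.php?lang=HTTP://files.example.net/shell.txt%3F"),
]

REMOTE_SCHEMES = ("http://", "https://", "ftp://")


def remote_includes(target):
    """Return normalised remote URLs found in query-string values."""
    found = []
    for _name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        v = value.strip().lower()  # parse_qsl has already percent-decoded it
        if v.startswith(REMOTE_SCHEMES):
            # Drop trailing '?' so variants of one URL compare equal.
            found.append(v.rstrip("?"))
    return found


def build_blacklists(observations):
    """Collect source IPs and included URLs from requests that look like RFI."""
    bad_ips, bad_urls = set(), set()
    for ip, target in observations:
        hits = remote_includes(target)
        if hits:
            bad_ips.add(ip)
            bad_urls.update(hits)
    return bad_ips, bad_urls


def verdict(ip, target, bad_ips, bad_urls):
    """Decide on a new request using only the two blacklists."""
    if ip in bad_ips:
        return "block:source"  # any request type from a known RFI source
    if any(u in bad_urls for u in remote_includes(target)):
        return "block:url"  # known script URL, even against an unknown app
    return "allow"


if __name__ == "__main__":
    ips, urls = build_blacklists(OBSERVED)
    print(verdict("192.0.2.50", "/new_app.php?tpl=http://files.example.net/shell.txt", ips, urls))
```

Applications that legitimately accept URLs in parameters would need an allowlist in front of `remote_includes` before its hits are used to populate the lists.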
