File Inclusion / Directory Traversal

Difficulty: Medium

File inclusion is a common web application vulnerability that is easily overlooked because it can look like part of a web application's normal functionality.

Created by mrb3n
Co-Authors: ippsec, MinatoTW

Summary

This module introduces the fundamentals of file inclusion vulnerabilities. Web applications often present a large attack surface, and as information security professionals, it is important to understand common attacks against a variety of frameworks and server-side languages. A successful file inclusion attack may result in sensitive data exposure (such as configuration files containing credentials) or even remote code execution.

In this module, we will cover:

  • An intro to file inclusion vulnerabilities
  • Local File Inclusion (LFI)
  • Path Traversal
  • Bypassing basic LFI restrictions
  • LFI to remote code execution (RCE)
  • Remote File Inclusion (RFI)

This module is broken down into sections with accompanying hands-on exercises to practice each of the tactics and techniques we cover. The module ends with a practical hands-on skills assessment to gauge your understanding of the various topic areas.

As you work through the module, you will see example commands and command output for the various topics introduced. It is worth reproducing as many of these examples as possible to further reinforce the concepts introduced in each section. You can do this in the Pwnbox provided in the interactive sections or in your own virtual machine.

You can start and stop the module at any time and pick up where you left off. There is no time limit or "grading," but you must complete all of the exercises and the skills assessment to receive the maximum number of cubes and have this module marked as complete in any paths you have chosen.

The module is classified as "Medium" but assumes a working knowledge of the Linux command line and an understanding of information security fundamentals.

A firm grasp of the following modules is considered a prerequisite for successful completion of this module:

  • Networking Fundamentals
  • Linux Fundamentals
  • Web Requests

Sections

  • File Inclusion
  • Local File Inclusion
  • LFI to Remote Code Execution (RCE)
  • Other PHP Wrappers
  • Remote File Inclusion (RFI)
  • Hardening Tips
  • Skills Assessment - File Inclusion/Directory Traversal