Remote File Inclusion: What It Is, How It Works, and How To Prevent It

September 15, 2021 in Malware, Website Security

What Is Remote File Inclusion?

Remote File Inclusion (RFI) is a type of code injection attack. To carry out remote file inclusion, an attacker supplies a link, typically through a parameter in the website’s URL, that instructs the website to include a malicious file. The word “remote” stems from the fact that the website sources the file from somewhere other than its own server.

Local File Inclusion (LFI) is a similar type of cyberattack; the key difference is that the attacker causes the website to include files that already exist on its own server. Although together they account for 21% of all known web application attacks, RFI and LFI are seen as more elementary than high-profile cyber attacks, and are therefore often overlooked and underestimated.

How Does Remote File Inclusion Work?

RFI attacks enable hackers to steal data and execute malicious code by manipulating a web server or site. To execute remote file inclusion, a bad actor must first identify a website with vulnerable components, using a search engine or scanner. Once the website is identified, the attacker points the vulnerable component at a malicious file hosted elsewhere; when the site includes that file, the attacker gains access to the website's resources. There are then three ways an attacker can exploit the site:

  • Use malware to delete or deface pages
  • Hijack the server, which can compromise several sites
  • Steal passwords and information

It is important to note that the vulnerability which enables the remote file inclusion is typically found on websites running on PHP, a scripting language used in web development. More than 70% of websites run on PHP, including Facebook, WordPress, OpenCart, Yahoo!, and Wikipedia—ranging from social platforms to ecommerce sites and more.

Remote File Inclusion Example

While RFI is often seen as less sophisticated by the security community, it can have serious repercussions. A particularly well-known remote file inclusion example was carried out in May of 2011, by a group of hackers who called themselves LulzSec. The group noticed a weakness in and infiltrated the site using RFI bots, leaking the profiles and names of 73,000 X Factor US contestants. Soon after, the hackers expanded their attack to other targets. They planted a fake news story at PBS and stole data from 24.6 million of Sony’s PlayStation Network customers.

Remote File Inclusion Prevention

Fortunately, there are measures that web developers can take to prevent remote file inclusion. Beyond writing code carefully to minimize vulnerabilities, the following additional steps help with remote file inclusion prevention.

  • Sanitization: recognizing and removing potentially harmful user input before it is used.
  • Validation: testing user input against the values the application expects before including or executing anything based on it.
  • Vulnerability scanning: using commercial or free tools to regularly scan applications for potential vulnerabilities.
  • Create a whitelist: maintaining a list of the file names and values the application is permitted to include, and rejecting everything else.
  • Create a blacklist: identifying publicly known attackers and malicious URLs, as well as those that have already tried to infiltrate your site or server.
  • Enable code reviewing: activate the feature on your web application firewall to help spot any vulnerabilities in your code.
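The include-by-parameter pattern that the "How Does Remote File Inclusion Work?" section describes, beside the whitelist approach from the list above, as an added example that is not SiteLock's code; the template file names and the `templates` directory are assumptions for illustration.

```php
<?php
// Added example, not SiteLock's code: the include-by-parameter pattern that
// RFI abuses, beside an allowlist-based rewrite. File names and the
// "templates" directory are assumptions for illustration.

// VULNERABLE: the ?page= value reaches include() untouched. If the PHP
// setting allow_url_include is on, an http:// or ftp:// value makes the
// server fetch and execute code from another host (RFI); even with it off,
// a path on the local disk can still be pulled in (LFI).
function render_page_unsafe(string $page): void
{
    include $page;
}

// HARDENED: the parameter is only a key into a fixed map of templates, so
// no user-controlled path or URL is ever handed to include().
const PAGE_TEMPLATES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

// Returns the absolute path of the template for $page, falling back to the
// home template for anything not on the allowlist. Rejections are logged so
// probing for this weakness shows up in the server's error log.
function resolve_template(?string $page): string
{
    $page = $page ?? 'home';
    if (!array_key_exists($page, PAGE_TEMPLATES)) {
        error_log('rejected page parameter: ' . bin2hex($page));
        $page = 'home';
    }
    return __DIR__ . '/templates/' . PAGE_TEMPLATES[$page];
}

function render_page_safe(?string $page): void
{
    include resolve_template($page);
}

// ?page[]=x arrives as an array rather than a string, so accept only a
// plain string and treat anything else as "no page requested".
$requested = $_GET['page'] ?? null;
render_page_safe(is_string($requested) ? $requested : null);
```

Keeping `allow_url_include = Off` in php.ini (its default) is defence in depth; the allowlist is what actually closes the hole, because it also stops local file inclusion.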

Now that you have a better understanding of what remote file inclusion is and how it works, you can take the appropriate steps towards remote file inclusion prevention. For more information on how SiteLock can help with safe web application development, check out our malware removal product or get in touch with us today.
