Cyber Security Interview Prep. Q12: "LFI and RFI"
- mahfuz3895
- Oct 11, 2021
Category: Red Team
Question: What is the difference between LFI and RFI? How can attacks that exploit these vulnerabilities be prevented?
Both of these are web application vulnerabilities that may be present on websites. Local File Inclusion (LFI) is the less dangerous one, though certainly not harmless. This is when a website does not sanitise user input, which a malicious user can take advantage of by using local files (files on the machine the web server is hosted on) to execute malicious scripts. This could allow an attacker to do many things. Two examples:
1) Attacker may be able to read sensitive information they shouldn't have access to.
2) Attacker may be able to gain control of the entire server the website is running on.
Since the files that can be used to carry out malicious tasks are restricted to the ones on the victim's local machine, LFI is not as harmful as its more dangerous cousin.
Remote File Inclusion (RFI) is the really bad one. It works in a similar way to LFI; however, in this case the files that can be used to carry out malicious actions can come from outside the local machine being attacked. This is much worse, as an attacker can use a much wider range of files to try to exploit this vulnerability, since they are not restricted to only local files.
For example, an attacker may write a script for exactly what they need, save it to their own attack machine, and then use RFI to remotely call on that file to execute malicious actions on the target. Attacks that use RFI can lead to many adverse outcomes, one of the worst being a complete takeover of the system that was running the web server.
Remediation and Countermeasure
LFI and RFI are both vulnerabilities that arise as a result of poorly written websites. Developers should be encouraged to sanitise user input wherever they can so that unintended input cannot be used to expose and exploit these vulnerabilities. For example, preventing the use of certain symbols and characters for various input fields will make it much harder for an attacker to carry out directory traversal using LFI.
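As an added illustration (not code from the original post), the sketch below puts a vulnerable include handler beside a hardened one that refuses remote sources and confines the resolved path to a single directory. The function names, the `pages` directory and the sample files are all constructed for this example.

```python
import os
import tempfile
from typing import Optional

# Constructed sample tree: a "pages" directory the app may serve, plus a
# secret file one level above it that must never be reachable.
ROOT = tempfile.mkdtemp()
PAGES = os.path.join(ROOT, "pages")
os.mkdir(PAGES)
for rel, body in (("pages/home.html", "home"), ("pages/about.html", "about"),
                  ("secret.txt", "db_password=constructed")):
    with open(os.path.join(ROOT, rel), "w") as fh:
        fh.write(body)


def naive_include(page: str) -> Optional[str]:
    """Vulnerable pattern: user input is joined straight into a file path."""
    try:
        with open(os.path.join(PAGES, page)) as fh:
            return fh.read()
    except OSError:
        return None


def safe_include(page: str) -> Optional[str]:
    """Hardened pattern: no remote sources, canonicalise, stay inside PAGES."""
    # Refuse anything that looks like a URL (the RFI case) or carries a NUL byte.
    if "://" in page or "\x00" in page:
        return None
    base = os.path.realpath(PAGES)
    # realpath() collapses ../ sequences and follows symlinks before the check.
    target = os.path.realpath(os.path.join(base, page))
    # The canonical path must still sit under the base directory (the LFI case).
    if os.path.commonpath([base, target]) != base:
        return None
    if not os.path.isfile(target):
        return None
    with open(target) as fh:
        return fh.read()


if __name__ == "__main__":
    for request in ("home.html", "../secret.txt", "/etc/passwd",
                    "http://example.invalid/x.txt"):
        print(f"{request!r:34} naive={naive_include(request)!r:28} "
              f"safe={safe_include(request)!r}")
```

Checking the canonical path against the base directory catches encodings and path tricks that a list of forbidden characters can miss, which is why it is used here alongside the input rejection.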
For more security, a web application firewall (WAF) could be used in addition to secure coding practices for developed websites. This will filter out potentially malicious traffic and reduce the chances of LFI and RFI based attacks. Better firewalls will likely mean a more secure site.