Preventing File Inclusion Attacks on Website
P.S.Sadaphule, Utkarsha Dhande, Priyanka Kamble, Sanika Mehre, Rashmi Savant
sadaphule.compdept@gmail.com, utkarshadhande13@gmail.com, piukamble1249@gmail.com, sanikamehre@gmail.com,
sawant.27.rashmi@gmail.com
Computer Engineering, AISSMS’s IOIT, Pune
Abstract — People use internet to communicate
with one another. Without internet, it would be both
more expensive and slower to maintain personal and
professional relationships. Many people use internet
to enjoy themselves and to engage in personal
interests. However, there are many security threats
people come across which may be viruses, worms, file
inclusion etc. So, to provide security to web
applications and preventing root shell access and
admin passwords is the main challenge. In previous
survey, we have studied on security threats such as
remote file inclusion and local file inclusion. Also, we
have mentioned different prevention techniques such
as Digital Signature, File size verification,
Sanitization of input and Dynamic allocation to
prevent website attacks. In this paper we have
implemented these techniques by using methods such
as MD5, SHA256. The expected outcome will be
achieved by using these methods, providing security
to the websites from RFI and LFI attacks.
Keywords- Local File Inclusion attacks, Prevent
vulnerability, Remote File Inclusion Attacks, Security
INTRODUCTION
Human beings relay on websites and web
applications for most of the things and transactions. On
the other hand as the usage of the web application
increases so as maintaining security to such applications
become more complex but the important and essential
aspect. Such applications are used frequently which
produces high risk of getting affected by attackers ,by
exploiting the vulnerabilities between them.
Vulnerabilities or weaknesses found in web site
causes loss of important data of website of an
organization which further can cost to an organization in
critical way and hence it may reduce or harm reputation
of an organization. This kind of vulnerabilities provoke
attacker to have an unauthorized access to the back end
Volume: 3 Issue: 2 April - 2018
database , shell and other important confidential files of
the site via front end web application.
PHP is Hypertext Preprocessor; because of its
prevalent and easy to develop web application the
vulnerabilities found in codding of website and also
because of careless use of functions in PHP language
web sites becomes unsecured. Better use of proper GUI
to communicate with clients in better way may cause to
build a better website.
Most of the time website are altered by
vulnerabilities like SQLi, LFI, RFI & XSS. In this survey
we only focus on two main vulnerabilities which are LFI
and RFI. Existence of vulnerabilities in web application
represented if web application has some codes that will
dynamically refer to an external script .Where as LFI
attacks occurred when file is injected into site present
already in web application. The main purpose is to
exploit function to upload malware (backdoor shell) in
application.
OBJECTIVE
The objective of this paper is to prevent the web
site from various malicious attacks of RFI & LFI by
using PHP language & CSS. Also preventing
information theft and to prevent content modification in
web site and hence building trust with the customers.
LITERATURE SURVEY
There are many of researches done on various
web vulnerabilities which comes under Semantic URL,
Cross-Site scripting, Cross-Site Request forgery, etc.
This system comes under Semantic URL means such
attacks involve a user modifying the URL discover mode
to perform various actions which are not originally
planned to be handled by server[2]. Survey found
reviews on various vulnerabilities such as RFI, LFI,
SQLi, Query string attacks[1][3][4][5][6].
Also, Studied various methods used for
exploitation, testing areas and security method and tools
including different algorithms which are being
95
used[1][2][3].For preventing from the LFI attack also the
various vulnerabilities and methods of LFI attacks[4].For
studying more about RFI attack we have studied the RFI
botnet[8].To learn more about attackers perspective and
why attacker choose RFI type of vulnerability we have
studied different types of exploits and learnt how the
attacker gains root shell access and admin passwords[7]
In paper [1] The reachers focuses on this paper LFI
based RFI and SQLi attacks ,then to prevent this attacks
confidential and sensitive data such that root user
,password ,SSH login credential are disclosed by the
system. In this paper to learn different methods such that
get method and post method used for exploitation. This
paper introduces security features which developers
usually design data processing technology through HTTP
POST method. Different files which are stored in
different directories for security purpose. For system
security also studied different methods which are apply
for exploitation and security. LFI and RFI attacks system
concentrated on it. LFI is web application attack which
allow user to include different files located in web
application on server machine. RFI is one of the attack in
website by remotely handled and access any type of user
machine. The paper [2] mainly studied for various
testing strategies and types of testing. Also focuses on
the knowledge of the technique pen testing on website,
discusses the different phases ,in this attack victims and
upgrades software tools to make the penetration test.
Pentesting means a safety test with a specific objective
for evaluating systems. Its the set of safety test with
detector objective, after achieving the goal ID is
terminated. This paper refer for different types of
security entities such that authentication, authorization,
integrity and availability. Also in common attacks which
are used such as semantic URL, cross site scripting,
HTTP request counterfeited and attacks through the
database. From this system understood that RFI and LFI
attacks comes under semantic URL method. The paper
[3] protects the front end web applications from
unauthorized access. Website front end and database is
back end it can be accessible through web browser.
Vulnerability scanner is used for front end. This paper
focuses on design of web application , detection and
prevention of attacks which are RFI ,query string attacks
,cross site scripting attacks and union attacks. It
overcomes by applying different algorithms such as
longest sub sequence algorithm and brute force string
matching algorithm. The aim is to develop a web
application-bot admin and user credentials ASP.net and
system also refer how to provide website authentication.
This paper [4] mainly focuses on LFI vulnerability. The
local file access is done by manipulating the user IP. LFI
attack are null byte poisoning, log poisoning, malicious
image upload, self file in linux environment and
alternate log poisoning .In this paper system understand
the LFI Vulnerability is prevented from root cost analyze
source code and defeat attack sanitization. From this
Volume: 3 Issue: 2 April - 2018
paper to understand the importance of sanitization and
how it i used as a prevention method. AntiLFIer is used
for prevention which allows access to only the trusted
file. Prevention method checks whether file is trust full
or not. This paper[5] done the different types of attacks
and analysis on such attacks are mentioned
.Vulnerability scan carried out in 2013 by semantic
website vulnerability assessment services found that 77
percent of site are vulnerable. Many organization are
losing their reputation because of the vulnerabilities
found in websites. In this paper concentrate on
prevention methods performed after executing attack on
user's machine. This paper attack scenario o the known
vulnerable websites WAckoPicko of three types of
attacks -SQL Injection stored XSS and Remote File
Inclusion. In this application has 10 vulnerability
accessible without authentication. In forensics expertise
there are mail three phases acquisition, analysis,
presentation. The purpose of the system in this paper [6]
is to detect and prevent against malicious attacks over
the developers Website written in programming
languages like PHP,ASP.net and ASP also, it creates
native language API through which transaction and
interactions are sent to IDS server through inter server
communication mechanism. IDS server developed from
PHPPIDS. Base of PHPIDS is PHP intrusion detection
system which is mean to be used as server site tool. In
this paper to detect and prevents attacks such that SQLi
,LFI,RFI and XSS types of attacks. By using WAPT
algorithm to analyze the attacks is done with the help of
this to record the activities of website and examine the
suspicious behavior. Hacker constantly attacks on
website so in this paper [7] field study which is
presented on the attacker perspective is looking over real
exploits used by hackers to attack website .SQL
injection and remote file inclusion are two most
frequently used attacking techniques by hacker because
attacker prefer easier techniques than complicated. Root
shell and the admin password are the main aim of
attacker to obtain the this entity because its easily attack
on website. website exploits may be simple as a specially
crafted URL or as complex as an automated program
with hundreds of lines of code that can be executed and
completed .This paper field analyses the attacks of six
widely used and well known web applications like PHP-
Nuke, drupal, PHP-fusion, wordpress php MyAdmin and
phpBB. The paper [8] covered attacking methods like a
Remote File Inclusion, Cross Site Scripting and code
Inclusion. The ethics of attack or attackers are RFI .In
botnet RFI attacks involved and the attacker are web
promised. Domain name, content and dynamic IP
address by using this vulnerable web sites are done.
Attacker are hosted the hoster which is the host that have
web server or FTP server by using some tools .In this
paper to highlight the RFI attacks which include another
internet site or directories in the same hard drive ,this is
big advantage for the coder and it neglect result which
96
can be in successful attack point and compromising of
the host.
PROPOSED METHODOLOGY
LFI is an inclusion attack ,where attacker exploit the
functionalities which dynamically includes the scripts
and the files. The LFI attacks takes place/happens when
the attacker gets the path to the file which is to be
included as the input .This local file is allowed to put in
the ‘include’ statement/request. The result of this LFI
attack incorporates Directory Traversal and Information
Disclosure.Following is the example which is
vulnerable to LFI:
$file = $_GET[‘file’];
include(‘directory/’,.$file);
Suppose we have the URL as:
http://localhost/file.php?command=xyz.php instead of
xyz.php we can enter any of the file name we want.
So here if we want any file content we can change it as:
http://localhost/file.php?command=../../apache/conf/http
d.conf
Similarly we can retrive the content of any file on file
system.
One mitigation for LFI is simply change the settings in
php.ini file, uncomment it and set as follows:
open_basedir =c:\\xamp\\htdocs, ,and save the
configuration, which means if anyone want to access
the file usin the include() method, it checks the location
of the file, the php refuses to access the file ,as it is
present outside the specified directory-tree. The
application can create a whitelist of files which can be
included in order to avoid the the inclusion of file by
attacker.
RFI is Remote File Inclusion . The Php running
websites, are often vulnerable to the RFI type of attack.
The attacker can include a file remotely through a script
on Web Server. The possibility of this attack can be
due to the user input without any proper validation.
The attacker can contrivance the application to execute
a malicious code which the attacker can upload on the
web servers ,it can be through webshell. The attack can
be done by the use of the user supplied input without
any proper validations .Once the webshell is being
Volume: 3 Issue: 2 April - 2018
included the attacker can get access to the remote
servers.
This kind of attack can be avoided/prevented by not
making the use of any arbitrary input data in the file
include request or simply disable the allow_url_include
from the php ini file on the php running server.
This attack can be very destructive and can create alots
of complications.
Steps for Vulnerable site:
Step-1: Site on which attacker tries to attack:
In this stage, Security is not provided to the site.User is
free to access the site.
Step 2:Attacker gets shell access:
When the user tries to get access on this site he is able
to get root shell access over server.
Step-3: Security of website get compromised:
As no security is provided security of website gets
compromised and attacker has control over all the
confidential information.
Steps for Secured site:
Step-1:Attacker tries on site which is secured by
security API :
This is the site on which our security API works.
When attacker tries to attack on the site, the code
gets verified.
Step-2:Attackers URl/code gets verified:
In this stage, all the prevention techniques are used
to verify the user`s URL/code.
a) Dynamic Allocation Prevention method
Every page has entry stored in theHash table. In
Dynamic allocation method; these entries get
matched with the page which is dynamically
entered. If both the entries get matched, user is
allowed to procced .Else access denied for the
user. This is the simplest kind of prevention
method.
b) Sanitization of Input Prevention Method
Validation checks if the input meets a set of
criteria. In Sanitization, it modifies the input to
ensure that it is valid. So, in this method the
contents are getting filtered and only the
Sanitized code will be executed. This method is
most promising as it allows only the non-
vulnerable code to be executed ignoring all the
vulnerabilities of it.
c) Digital Signature Prevention Method
A Digital Signature is a mathematical scheme
for validating the authenticity of Digital
message or document. In Digital Signature
97
 ,every page entered into hash table has provided
an unique ID. If ID gets matched the user is
allowed to proceed.
d) File size verification Prevention Method
File size verification is a process of using an
algorithm for verifying the integrity of file. In
File size verification the input of file size is
compared , this can be done by comparing two
files bit by bit. But the only problem with this
method is, once in a while the file size can be
matched though there are least chances of it. If
we put the file size in bytes then there will be
less chances of getting matched with the same
file size.

Step-3: System`s Actions after Verifying code :

Here, the system takes an action after verifying the
code. User get access to website if he is valid user.If the
user is not valid user`s IP address will be blocked for
next 24 hours.
Step-4 : User IP Add blocked forever :
Even after 24 hours user tries to gain access site and if
it is invalid and vulnerable code then it is considered as
the User is an attacker and purposefully he is trying to
attack the site. Here in this case the Attackers IP
address will be blocked forever

SYSTEM ARCHITECTURE

This architecture consists of mainly two
scenarios, the first scenario shows how exactly attack is
performed by attacker. The second scenario shows, how
system response when attacker tries to attack , and how it
prevent from attacks by implementing prevention
methods and what actions will be taken on attacker.
The below architecture shows detailed working
of proposed system.
Basically there are two scenarios which
explains the total working of the model. In first scenario,
Attacker tries to inject malicious code into the page
remotely. He might try to include the file or say code,
where the code is vulnerable. After finding such
weakness from the page the attacker is free to attack on
the site , if attacker tries to include .php file into such
place he will be succeed to have control on the server as
the PHP code compiled directly from the server. Such
kind of code is known as shell. In this scenario the
attacker gains shell access.
Figure 1. Intrusion Detection and Prevention Architecture
In second scenario, it is shown how the system
reacts when any user tries to access the particular site.
Firstly, it will check for the prevention methods. It will
compare the code or URL with each of the prevention
method, if the data is non vulnerable, user is allowed to
access the site. If the URL is vulnerable then the user is
not allowed to access the site as well as it might be
considered as an attacker and alert message sent to
server site. So, the attacker`s IP address will be blocked
for 24hrs and the site will be secured. It might be
possible that the URL which we are considering
vulnerable is accidently put by the user. That’s why users
or we can say attackers IP has been blocked for 24hrs
only. But, if the user/attacker retries to put such
incorrected URL it is considered that he is trying to put
malicious code on the site to harm the site or to gain
unauthorized control. So in this case, attackers IP is
blocked forever.

Volume: 3 Issue: 2 April - 2018 98

 RESULTS

This is the initial configuration page.

Fig: System Initialization page Fig:Access denied page

This page contains the actual machanisam of blocking

and unblocking all the unwanted requests and all the
logs related to previous attacks.
CONCLUSION
In this paper, the purpose is to provide
prevention to website by various malware attacks. The
attacks performed using LFI and RFI techniques has
been prevented by this web application using different
prevention methods like Dynamic Allocation method,
Digital Signature method , verification of input and File
Size Allocation , which provides security to the web
site.

Fig: Dashboard
REFERENCES
[1 ] Afasana Begum and Md. Maruf Hassan,”RFI and
SQLi based Local File Inclusion Vulnerabilities in Web
Applications”,International Workshop on
Computational Intelligence(IWCI),12-13 Dec 2016.

This page will be displayed when particular request has [2] Rina Elizabeth Lopez De Jimenez,”Pentesting on
been blocked or IP address has been banned on the Web Applications using Ethical Hacking”,ITCA
server. FEPADE,La Libertad,30 June 2016.

[3]J.Jemmi Hazel and Dr. P.Valarmathie,”Guarding

Web Application with multi-angled attack
detection”,(ICSNS),25 Feb 2015.

[4] Mir Saman Tajbakhsh and Jamshid Bagherzadeh,”A

sound framework for Dynamic prevention of Local File
Inclusion ”, 7th International Conference on Information
and Knowledge Technology,2015.

[5]Natasa Suteva and Mario Loleski,”Computer

Forensic Analysis Of some Web
Attacks”,(WorldCIS),2014

Volume: 3 Issue: 2 April - 2018 99

[6]Mr.R.Priyadarshini and Mr.Jagadiswaree,”A Cross
Platform Intrusion Detection System using Inter Server
Communication Technique”, IEEE-ICRTIT 2011 MIT,
Anna University, Chennai. June 3-5 2011
[7]Jose Fonseca, Macro Vicira and Henrique Madeira,
”The Web Attacker Perspective-A Field Study”, IEEE
21st International Symposium on Software Reliability
Engineering , 2010
[8]Hugo F.Gonzalez and Robeldo,”Types of Hosts on
Remote File Inclusion (RFI)”, Electronics, Robotics and
Automotive Mechanics Conference, 2008

Volume: 3 Issue: 2 April - 2018 100