LEFT SIDEBAR AD

Hidden in mobile, Best for skyscrapers.

File Upload se kuch hatke : File Inclusion aur Path Traversal Vulnerabilites

4 months ago 38
BOOK THIS SPACE FOR AD
ARTICLE AD

Yash Virendra Prajapati

Swagat hai dosto, aaj ke blog post mein 🙏. Ye hamari Hinglish series ka 2nd post hai, agar aapne hamara pehla post miss kiya hai to aap use yaha se access kar sakte hai.

https://medium.com/@yashprajapati791/web-cache-deception-how-just-visiting-a-url-can-cache-your-sensitive-information-d53b9f4171b8

File agar pehla shabd ho to har penetration tester ke dimaag mein ek hi vulnerability aayegi….Arbitrary File Upload attacks. Lekin aaj hum baat karenge specifically “File Inclusion Attacks” ke bare mein aur saath hi jaanenge Path Traversal Vulnerability ke baare mein.

File inclusion ek prakar ki security vulnerability hai jo kisi bhi web applications mein ho sakti hai. Is attack mein attackers file inclusion mechanism ka galat istemal karke unauthorized files ko include karne ki koshish karte hain.

File inclusion attacks web applications ke liye ek serious threat hote hain, jahaan attackers insecure file inclusion mechanisms ka istemal karke sensitive data tak pahunch sakte hain ya phir server par malicious code execute kar sakte hain. Ye attacks ki generally do categories hoti hain: Local File Inclusion (LFI) aur Remote File Inclusion (RFI).

Local File Inclusion (LFI): Is attack mein attackers local system ke files ko application mein include karne ki koshish karte hain. Ye files normally application ke liye accessible nahi hone chahiye, jaise ki configuration files, system files, ya dusre users ke private data. Attackers LFI ka istemal karke directory traversal techniques ka upyog karte hain tak ki wo application ke security boundaries ko breach kar sakein.

Remote File Inclusion (RFI): RFI mein attackers kisi external server ya domain se files ko application mein include karne ki koshish karte hain. Ye files normally application ka hissa nahi hote hain aur attackers unka istemal karke server par malicious scripts ko execute kar sakte hain, jo application aur uske users ke liye khatarnak ho sakta hai.

Aksar beginners ko File Inclusion aur Path Traversal mein confusion hoti hai, jiski wajah se bug bounty milne mein dikkat hoti hai.

File Inclusion vs. Path Traversal Vulnerabilities

Ek simple analogy ke through samjhate hain: jab kisi URL mein directly manipulation karke server files ka data expose kiya jaata hai, jaise ki

https://redacted.com/Dashboard..%2F..%2F..%2F..%2Fetc%2Fpasswd

to ise Path Traversal ya File Path Traversal Vulnerability kaha jaata hai. Yahan attacker /etc/passwd file ko retrieve karne ki koshish kar raha hai.

Wahi agar URL mein koi parameter ho jo kisi file ko server se fetch karva raha hai, jaise ki

https://redacted.com/userProfile?ProfilePicture=image.png

aur attacker us image file ke andar malicious code inject karke sensitive information ko retrieve karne ki koshish karta hai, to ise hum File Inclusion Vulnerability kehte hain.

File inclusion attack successful hone ke liye kuch zaroori conditions hoti hain:

Vulnerable Code: Application mein insecure file paths ya improper input validation hona.Attacker Control: Attacker ko include hone wale file ki location ya content par control hona chahiye.

File inclusion attacks se bachne ke liye kuch practices hain jo developers apnaate hain:

Input Validation: User input ko strict tareeke se validate karna, specially paths aur filenames ke liye.Whitelisting: Sirf trusted aur authorized files ya directories ko include karne ki permission dena.Use of Frameworks: Secure frameworks ka upyog karna jo file inclusion ko secure tareeke se handle karte hain.

Agar aap apne web application ko file inclusion attacks se protect karna chahte hain, to yahaan kuch upaay hain jo aap apna sakte hain:

Sanitize User Input: User input ko sanitize aur validate karein taki kisi bhi malicious path ya filename ko include na kiya ja sake.Use Whitelisting: Sirf trusted directories ya files ko include karne ki permission dein, aur baaki sabko block karein.Apply Principle of Least Privilege: Application ko minimum permissions de taki agar koi file inclusion attack hua to bhi damage kam ho.Regular Security Audits: Apne code aur application par regular security audits aur vulnerability scans karwayein taki koi naye vulnerabilities ka pata chale aur unhe fix kiya ja sake.

File inclusion vulnerability se exploit karke attackers kai tarah ke activities kar sakte hain:

Sensitive Data Access: Sensitive files jaise ki configuration files, log files, database connection details tak access kar sakte hain.Remote Code Execution (RCE): Remote files ko include karke attackers malicious code execute kar sakte hain server par.Information Disclosure: Application ke internal structure ya confidential information ko expose kar sakte hain.

File inclusion attacks web applications ke liye ek critical security concern hai jo proper validation, secure coding practices, aur regular security audits ke through prevent kiya ja sakta hai. Developers aur security professionals ko hamesha application security ko prioritise karna chahiye taaki aisi vulnerabilities se bacha ja sake.

Umeed hai ki aapko ye detailed overview “File Inclusion Attacks” ke baare mein samajhne mein madadgar sabit hua. Agar aapka koi sawal ya sujhav hai, toh niche comment karein. Dhanyawad! Aap chahe toh mujhe kisi aur vulnerability ke baare mein bhi bataye, main uspe bhi jaldi se blog publish karne ki koshish karunga aur mera ye prayatna rahega ki har 10–11 din mein is series ka 1 blog mein aap tak pohoncha saku.

Read Entire Article
  3. File Upload se kuch hatke : File Inclusion aur Path Traversal Vulnerabilites

Related

VOIP Penetration Testing Checklist

VOIP Penetration Testing Checklist

Automating the Setup of a Bug Bounty Toolkit

Automating the Setup of a Bug Bounty Toolkit

Microlise Data Breach Confirmed: SafePay Ransomware Group Claims Responsibility ️

Microlise Data Breach Confirmed: SafePay Ransomware Group Claims Responsibility ️

Bangkok Busts High-Tech SMS Scam Operation

Bangkok Busts High-Tech SMS Scam Operation

Finastra Data Breach: What Financial Institutions Need to Know ️

Finastra Data Breach: What Financial Institutions Need to Know ️

SSRF To Internal Data Access Via PDF Print Feature

SSRF To Internal Data Access Via PDF Print Feature

Trending

1. Pakistan
2. Realme GT 7 Pro
3. Preamble
4. Spotify
5. PAN 2.0 Project
6. Indian Constitution Day
7. Sarfaraz Khan
8. 26/11
9. Eknath Shinde
10. Al Nassr

Popular

1-click RCE in Electron Applications

1-click RCE in Electron Applications

Install waybackurls on Kali Linux

Install waybackurls on Kali Linux

Microsoft Office Professional Plus 2019 (x64 & x86) Multilingual + Pre-Activated

Microsoft Office Professional Plus 2019 (x64 & x86) Multilingual + Pre-Activated

Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys

Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys

Install DalFox on Kali Linux

Install DalFox on Kali Linux

Adobe Master Collection CC 2022 v25.08.2022 (x64) Multilingual Pre-Activated

Adobe Master Collection CC 2022 v25.08.2022 (x64) Multilingual Pre-Activated

Maxon CINEMA 4D Studio S22.123 (x64) Multilingual + Crack

Maxon CINEMA 4D Studio S22.123 (x64) Multilingual + Crack

Autodesk Revit 2023 R1 Build 23.0.11.19 (x64) Multilingual + Crack

Autodesk Revit 2023 R1 Build 23.0.11.19 (x64) Multilingual + Crack

‘We are not motivated by profits’ – Open Bug Bounty maintainers on finding a niche in the crowdsourced AppSec market

‘We are not motivated by profits’ – Open Bug Bounty maintainers on finding a niche in the crowdsourced AppSec market

Just Gopher It: Escalating a Blind SSRF to RCE for $15k

Just Gopher It: Escalating a Blind SSRF to RCE for $15k

BOOK THIS SPACE FOR AD
RIGHT SIDEBAR BOTTOM AD
Bengali (Bangladesh) Bengali (Bangladesh) · English (United States) English (United States) ·
About Us · Terms & Condition · Contact Us
© Security Alert 2024. All rights are reserved