The system must not allow parameter inclusion in directory names or file paths.
A system must not allow the inclusion of directory names or files paths in its parameters. By tampering the fields associated with these parameters, an attacker may access those paths and compromise sensitive information.
It must be assumed that all data inputs are malicious, so whitelisting and escaping should be used to discard any type of data input that is not acceptable (i.e., does not strictly comply with the specifications) or sanitize it.
An attacker may create or overwrite critical files used to execute code, such as programs or libraries. If the target file is used as a security mechanism, then the attacker may surpass that mechanism. This can be done, for example, by adding a new account at the end of a password file to bypass the authentication process.
An attacker may read the content of unexpected files and expose sensitive information. If the target file is used as a security mechanism, then the attacker may surpass that mechanism. For example, by reading a password file, the attacker may perform a brute force attack to obtain valid user credentials.
The attacker may overwrite, delete or corrupt critical files, such as programs, libraries or sensitive information. This may lead to a system failure, and in cases where there are authentication mechanisms, the attacker may block the system access to all users.
- Layer: Application layer
- Asset: Files
- Scope: Confidentiality
- Phase: Construction
- Type of control: Recommendation
CAPEC-11: Cause Web Server Misclassification: An attack of this type exploits a Web server's decision to take action based on filename or file extension. Because different file types are handled by different server processes, misclassification may force the Web server to take unexpected action, or expected actions in an unexpected sequence.
CAPEC-153: Input Data Manipulation: An attacker exploits a weakness in input validation by controlling the format, structure, and composition of data to an input-processing interface. By supplying input of a non-standard or unexpected form an attacker can adversely impact the security of the target.
CAPEC-165: File Manipulation: An attacker modifies file contents or attributes (such as extensions or names) of files in a manner to cause incorrect processing by an application.
CAPEC-175: Code Inclusion: An adversary exploits a weakness on the target to force arbitrary code to be retrieved locally or from a remote location and executed.
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path traversal'): The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CWE-23: Relative Path Traversal: The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as "".." that can resolve to a location that is outside of that directory.
CWE-36: Absolute Path Traversal: The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory.
CWE-73: External Control of File Name or Path: The software allows user input to control or influence paths or file names that are used in filesystem operations.
CWE-98: PHP Remote File Inclusion: The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.
CWE-641: Improper Restriction of Names for Files and Other Resources: The application constructs the name of a file or other resource using input from an upstream component, but it does not restrict or incorrectly restricts the resulting name.
OWASP Top 10 A1:2017-Injection: Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
OWASP Top 10 A3:2017-Sensitive Data Exposure: Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser.
OWASP-ASVS v4.0.1 V5.3 Output encoding and Injection Prevention Requirements.(5.3.9): Verify that the application protects against Local File Inclusion (LFI) or Remote File Inclusion (RFI) attacks.
OWASP-ASVS v4.0.1 V5.3 Output encoding and Injection Prevention Requirements.(5.3.10): Verify that the application protects against XPath injection or XML injection attacks.
OWASP-ASVS v4.0.1 V12.3 File execution Requirements.(12.3.1): Verify that user-submitted filename metadata is not used directly with system or framework file and URL API to protect against path traversal.
OWASP-ASVS v4.0.1 V12.3 File execution Requirements.(12.3.2): Verify that user-submitted filename metadata is validated or ignored to prevent the disclosure, creation, updating or removal of local files (LFI).
OWASP-ASVS v4.0.1 V12.3 File execution Requirements.(12.3.3): Verify that user-submitted filename metadata is validated or ignored to prevent the disclosure or execution of remote files (RFI), which may also lead to SSRF.
OWASP-ASVS v4.0.1 V12.3 File execution Requirements.(12.3.4): Verify that the application protects against reflective file download (RFD) by validating or ignoring user-submitted filenames in a JSON, JSONP, or URL parameter, the response Content-Type header should be set to text/plain, and the Content-Disposition header should have a fixed filename.
OWASP-ASVS v4.0.1 V12.3 File execution Requirements.(12.3.5): Verify that untrusted file metadata is not used directly with system API or libraries, to protect against OS command injection.
PCI DSS v3.2.1 - Requirement 6.5.1: Address common coding vulnerabilities in software-development processes such as injection flaws, particularly SQL injection. Also consider OS Command Injection, LDAP and XPath injection flaws as well as other injection flaws.