Open in app

Sign in

Write

Sign in

Path Traversal vs File Inclusion Vulnerability! How to Tell the Difference?

Chetan Verma
5 min readApr 19, 2023

--

Hello, community! If you’re in the world of web application security, you may have come across the terms “Path Traversal” and “File Inclusion” vulnerabilities. These two types of vulnerabilities are often mistaken for each other, causing confusion for beginners and even experienced security professionals. In this blog post, I’ll explain what file inclusion and path traversal vulnerabilities are, how they differ from each other, and, most importantly, how to tell them apart. Whether you’re a beginner or an experienced security professional, this guide will provide you with a clear understanding of the differences between these two common web application vulnerabilities. Let’s dive into it!

Path Traversal Vulnerability

Path Traversal Vulnerability, also referred to as Directory Traversal, dot-dot-slash, and backtracking, is a security vulnerability found in web applications that can allow an attacker to read arbitrary files on the server where the vulnerable application is hosted. Attackers can exploit this vulnerability to gain unauthorized access to sensitive files on a server, including application source code and credentials for back-end systems. Ultimately, this could result in a complete system compromise.

This vulnerability occurs when web applications do not properly validate user input used to construct file paths to access files. Malicious actors can take advantage of this vulnerability by manipulating user input to traverse directories outside of the intended directory.

Let’s take an example. Suppose there is a functionality in a web application that allows users to download files by specifying the name of the file in the URL. And if the application does not properly validate the user input, attackers can specify a file name that includes “../” or, say, dot-dot-slash, which is used to traverse to the parent directory. By repeating this process, the attacker can traverse to any directory on the file system and access files that should not be accessible.

Below is an example of path traversal vulnerable code:

$document = $_GET['doc'];
$filepath = "/var/www/html/documents/".$document;

if (file_exists($filepath)) {
    readfile($filepath);
} else {
    echo "File not found";
}

This code is vulnerable to path traversal attacks as it concatenates the user-supplied input ($document) to the file path without proper validation. An attacker can easily exploit this vulnerability by supplying a payload such as “../../../../etc/passwd”, which allows them to traverse up the directory hierarchy and access sensitive files on the server. The application should implement proper input validations and access control checks to prevent path traversal attacks.

Source: Portswigger Labs

Here is a real-life example of path traversal vulnerability:
In this HackerOne report, the researcher identified a path traversal vulnerability in a web application which allowed them to access and read sensitive files on the target server.

File Inclusion Vulnerability

File inclusion vulnerability is another type of security vulnerability in web applications which allows an attacker to execute and read arbitrary files on the server where the vulnerable application is hosted. This vulnerability occurs when an application uses a variable that the attacker can manipulate to construct a file path to include the file during runtime. As a result, the attacker can take over the entire server by executing a malicious file under their control.

There are two types of File Inclusion vulnerabilities: Local File Inclusion (LFI) and Remote File Inclusion (RFI).

Local File Inclusion (LFI):
An attacker can use this vulnerability to include files stored on the same server as the vulnerable web application. Here, an attacker can leverage this vulnerability to include sensitive files, including configuration files, system files, or other files containing credentials or sensitive data.

Remote File Inclusion (RFI):
In RFI, an attacker can include any arbitrary file from a remote location and execute arbitrary code on the target server. Here, an attacker can leverage this vulnerability to execute malicious code, install malware, or gain unauthorized access to the server.

Below is an example of file inclusion vulnerable code:

<?php
$filename = $_GET['page'];
include('pages/' . $filename);
?>

The above code uses the `include()` function to dynamically include a file based on user input in the `$page` variable. Here, the issue with this code is that it does not properly validate or sanitize the input, which could allow an attacker to manipulate the `$page` variable and include arbitrary files. For example, an attacker could create a URL such as “http://example.com/page.php?page=../../etc/passwd" to include the `/etc/passwd` file, which contains sensitive information about the system. Alternatively, they could include a malicious file to gain complete control of the system with a crafted URL like http://example.com/page.php?page=../../malicious.php.

Source: Secureflag.com

Here is a real-life example of file inclusion vulnerability:
In this HackerOne report, the researcher identified a file inclusion vulnerability in a web application which allowed them to perform remote code execution on the server.

Now, we have an understanding of what path traversal and file inclusion vulnerabilities are. So, we can discuss the key differences between the two and how to differentiate them.

  • Nature of vulnerability: Path traversal vulnerability allows an attacker to read files and directories outside of the intended directory. On the other hand, file inclusion vulnerability allows an attacker to include or, say, execute and read arbitrary files from a remote or local server.
  • Impact on server: A path traversal vulnerability can allow an attacker to access sensitive files and directories on the server, which can lead to data theft, server takeover, or other malicious actions. A file inclusion vulnerability can allow an attacker to execute an arbitrary file on the server, leading to complete server compromise, data theft, or other malicious actions.
  • Severity of vulnerability: Both path traversal and file inclusion vulnerabilities can be severe, depending on the specific implementation and the impact on the server. However, file inclusion vulnerabilities are generally considered more severe because they allow remote code execution.
  • Cause of vulnerability: Both path traversal and file inclusion vulnerabilities can be caused by poor input validation or sanitization and a lack of proper access controls. Path traversal vulnerabilities occur when the application fails to validate user input used to access the file system, while file inclusion vulnerabilities occur when user input is used to include files from a remote or local server without proper validation.

Mitigation for path traversal and file inclusion vulnerabilities is crucial for ensuring the security of web applications. These vulnerabilities can be mitigated by implementing various measures, such as input validation and sanitization, using secure file access methods, restricting access to sensitive files and directories, keeping software and libraries up-to-date, performing regular security audits and penetration testing, and considering using web application firewalls.

If you found this article helpful, please consider giving it a clap and following me on Medium, Twitter, and LinkedIn. Thank you for reading!

Twitter: https://twitter.com/_ch3t4nn

LinkedIn: https://www.linkedin.com/in/ch3t4nn

Path Traversal
File Inclusion
Bug Bounty
Web Security
Penetration Testing

--

--

Chetan Verma

Written by Chetan Verma

24 Followers

Information Security Enthusiast

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams