Web Server Local File Inclusion Activity Detected
Detection of potential Local File Inclusion (LFI) activity on web servers through HTTP GET requests attempting to access sensitive local files via directory traversal or known file paths, potentially leading to information disclosure and system compromise.
This rule identifies potential Local File Inclusion (LFI) attempts against web servers. LFI is a vulnerability that allows attackers to read arbitrary files on a server, potentially exposing sensitive information such as credentials, configuration details, and source code. The detection focuses on HTTP GET requests containing directory traversal sequences (e.g., ../../../etc/passwd) or direct attempts to access sensitive files (e.g., /proc/self/environ, web.config). The rule covers various web servers including Nginx, Apache, Apache Tomcat, IIS, and Traefik. It aims to detect initial reconnaissance and exploitation attempts targeting common configuration files and system information. Successful exploitation can lead to credential access and further system compromise. This rule was last updated on 2026/04/10 and requires Elastic stack version 9.2.0 or higher.
Attack Chain
- The attacker identifies a web application with a potential LFI vulnerability.
- The attacker crafts a malicious HTTP GET request containing directory traversal sequences (e.g.,
../../../etc/passwd) within a URL parameter. - The web server processes the request, and due to the LFI vulnerability, attempts to read the file specified by the attacker's input.
- If successful, the contents of the targeted file (e.g.,
/etc/passwd,web.config) are included in the HTTP response. - The attacker analyzes the response to extract sensitive information, such as user credentials, API keys, or database connection strings.
- The attacker may leverage the gathered information to escalate privileges or move laterally within the network.
- The attacker may attempt to read
/proc/self/environto gather environmental variables, potentially revealing further sensitive information. - The attacker uses exfiltrated credentials to gain unauthorized access to other systems and resources.
Impact
Successful LFI exploitation can lead to the disclosure of sensitive information, including system credentials, configuration files, and potentially even source code. This could allow attackers to gain unauthorized access to systems, escalate privileges, or compromise sensitive data. Exposed credentials from configuration files (like wp-config.php, web.config, or applicationhost.config) can be used to compromise databases, APIs, and other critical infrastructure. In severe cases, attackers might be able to achieve remote code execution by exploiting further vulnerabilities based on the information gathered through LFI.
Recommendation
- Deploy the Sigma rule
Web Server Local File Inclusion - Directory Traversalto detect attempts to use directory traversal sequences in HTTP GET requests. - Deploy the Sigma rule
Web Server Local File Inclusion - Sensitive File Accessto detect direct attempts to access sensitive files. - Review web server access logs for HTTP GET requests with a status code of 200 and containing directory traversal or sensitive file paths (as described in the Overview).
- Implement input validation and sanitization measures to prevent LFI vulnerabilities in web applications. Specifically, canonicalize input, reject ".. "segments, enforce whitelists, and disable
allow_url_include/allow_url_fopenin PHP. - Configure web servers to restrict access to sensitive files and directories (e.g.,
/etc,/proc,/var/log,/inetpub) by returning a 403 Forbidden error. - Monitor web server error logs for include/open stream warnings related to attempted file access, as mentioned in the investigation guide.
Detection coverage 3
Web Server Local File Inclusion - Directory Traversal
mediumDetects attempts to exploit Local File Inclusion vulnerabilities through directory traversal sequences in HTTP GET requests.
Web Server Local File Inclusion - Sensitive File Access
highDetects attempts to access sensitive files via HTTP GET requests, indicative of Local File Inclusion exploitation.
Web Server Local File Inclusion - Protocol Wrappers
highDetects attempts to use protocol wrappers in HTTP GET requests, indicative of Local File Inclusion exploitation.
Detection queries are available on the platform. Get full rules →