Web Server Potential Remote File Inclusion Activity
This rule detects potential Remote File Inclusion (RFI) activity on web servers by identifying HTTP GET requests that attempt to access sensitive remote files through directory traversal techniques or known file paths, potentially leading to information disclosure or further compromise.
This detection rule identifies potential Remote File Inclusion (RFI) attacks targeting web servers. RFI vulnerabilities allow attackers to inject malicious code by including remote files into the web server's application. The rule focuses on detecting HTTP GET requests with a 200 OK status code that contain suspicious URL parameters. These parameters attempt to access sensitive remote files using directory traversal techniques or directly specifying known file paths. This activity can lead to unauthorized access to sensitive information, system information disclosure, or further server compromise. The rule covers web servers like Nginx, Apache, Apache Tomcat, IIS, and Traefik. This activity is important for defenders to detect, as it can lead to significant data breaches and system compromise.
Attack Chain
- Attacker identifies a vulnerable web server endpoint that is susceptible to RFI.
- The attacker crafts a malicious HTTP GET request. This request includes a URL parameter (e.g.,
page=,url=,src=) with a URL pointing to a remote file or IP address controlled by the attacker. The URL can also leverage wrappers likephp://,data://, orfile://. - The victim web server receives the malicious GET request.
- The web server processes the request and attempts to include the remote file specified in the URL parameter.
- If the web server is vulnerable, it successfully fetches the content from the attacker-controlled remote server.
- The attacker's malicious code or script within the included file is executed within the context of the web server.
- The attacker gains unauthorized access to the web server's file system, configuration files, or sensitive data.
- The attacker can then escalate privileges, install malware, or exfiltrate sensitive data.
Impact
Successful RFI attacks can lead to severe consequences, including unauthorized access to sensitive data, system compromise, and potential data breaches. Attackers can leverage RFI to read configuration files, gain access to credentials, and execute arbitrary code on the web server. This could result in the loss of confidential information, disruption of services, or the complete takeover of the affected system. The impact of a successful RFI attack can range from information disclosure to full system compromise, depending on the severity of the vulnerability and the attacker's objectives.
Recommendation
- Deploy the Sigma rule "Web Server Potential Remote File Inclusion Activity" to your SIEM to detect suspicious GET requests containing remote URLs (see rules section).
- Inspect web server logs (Nginx, Apache, Apache Tomcat, IIS, and Traefik) for GET requests with status code 200 containing parameters with encoded URLs or raw IPs.
- Implement and tune WAF rules to block suspicious include parameters (e.g.,
page=,url=, orsrc=) containinghttp://,https://,ftp://,smb://, orfile://. - Restrict outbound connections from web servers to known, trusted domains to prevent exploitation of RFI vulnerabilities.
- Set PHP
allow_url_include=Offandallow_url_fopen=Offin PHP configuration files to mitigate RFI vulnerabilities. - Apply
open_basedirrestrictions in PHP to limit the files that PHP scripts can access.
Detection coverage 2
Web Server Potential Remote File Inclusion Activity
mediumDetects potential Remote File Inclusion (RFI) activity on web servers based on HTTP GET requests with parameters containing remote URLs or raw IPs.
Web Server RFI via URL Encoding
lowDetects RFI attempts where the malicious URL is encoded within the request.
Detection queries are available on the platform. Get full rules →