
Remote URL Inclusion

Impact: High

Description

Remote URL Inclusion (RUI) is a vulnerability that allows an attacker to make the application include a remote URL of the attacker's choosing, by exploiting dynamic URL inclusion mechanisms implemented in the target application. The vulnerability occurs because user-supplied input is passed to the inclusion mechanism without proper validation.

In a Remote URL Inclusion issue, the server fetches the remote URL and includes the content of the remote file in the response. If the file contains code, the application might execute it, which allows attackers to run arbitrary code on the server. Furthermore, because the server performs a request to an attacker-chosen URL, this also causes a Server-side Request Forgery issue.

Recommendation

To mitigate RUI vulnerabilities, avoid passing user-submitted input to URL inclusion mechanisms. If unavoidable, maintain an allow list of trusted URLs that may be included, using an identifier to access selected resources. Reject any request with an invalid identifier to eliminate attack surface.
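The following is an added example (not SmartScanner's own code) contrasting a handler that passes the request parameter straight to the fetcher with the allow-list pattern the recommendation describes: the client supplies only an identifier, the identifier is mapped to a trusted URL, and anything not in the map is rejected before any request is made. The parameter name `page`, the URLs, the remote contents and the request log are all constructed for the example so it runs offline.

```python
"""Remote URL Inclusion (RUI): a vulnerable include handler next to the
allow-list version described in the recommendation.

Example code added for illustration; not SmartScanner's own code. The
"remote" content, the URLs and the parameter name `page` are constructed
so the example runs offline.
"""
from urllib.parse import urlparse

# Constructed stand-in for the remote files an application might include.
# A real application would fetch these over HTTP.
FAKE_REMOTE = {
    "https://cdn.example.com/templates/header.html": "<header>Site header</header>",
    "https://cdn.example.com/templates/footer.html": "<footer>Site footer</footer>",
}

# Every URL the server was asked to fetch. This makes the SSRF side effect
# visible: the vulnerable handler requests whatever host the client names.
REQUEST_LOG: list[str] = []


def fetch(url: str) -> str:
    """Pretend to fetch `url`. Records the request; unknown URLs return a
    constructed body standing in for whatever the remote host served."""
    REQUEST_LOG.append(url)
    if url in FAKE_REMOTE:
        return FAKE_REMOTE[url]
    host = urlparse(url).hostname or "?"
    return f"<constructed content served by {host}>"


def include_vulnerable(params: dict) -> str:
    """Vulnerable: the `page` parameter is passed straight to the fetcher,
    so the client chooses which URL the server includes."""
    return fetch(params.get("page", ""))


# Allow list: the client names a resource by identifier and never supplies a URL.
ALLOWED_INCLUDES = {
    "header": "https://cdn.example.com/templates/header.html",
    "footer": "https://cdn.example.com/templates/footer.html",
}


class InvalidIncludeId(ValueError):
    """Raised for any identifier that is not in the allow list."""


def include_hardened(params: dict) -> str:
    """Hardened: map the identifier to a trusted URL and reject everything
    else before any request is made."""
    ident = params.get("page", "")
    url = ALLOWED_INCLUDES.get(ident)
    if url is None:
        raise InvalidIncludeId(f"unknown include identifier: {ident!r}")
    return fetch(url)


def demo() -> dict:
    """Run both handlers on a legitimate and a hostile request and report
    what was returned and which URLs the server actually requested."""
    REQUEST_LOG.clear()
    hostile = {"page": "http://untrusted.example/payload.txt"}  # constructed
    results = {
        "vulnerable_legit": include_vulnerable({"page": ALLOWED_INCLUDES["header"]}),
        "vulnerable_hostile": include_vulnerable(hostile),
        "hardened_legit": include_hardened({"page": "header"}),
    }
    try:
        include_hardened(hostile)
        results["hardened_hostile"] = "included (BUG)"
    except InvalidIncludeId:
        results["hardened_hostile"] = "rejected"
    results["requests"] = list(REQUEST_LOG)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The request log is the part worth checking in a real deployment: with the hardened handler, outbound requests from the include feature can only ever go to the URLs in the allow list, so an egress log entry for any other host is a reliable sign that the allow list has been bypassed or that another code path still accepts raw URLs.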

Last updated on May 13, 2024

This issue is available in SmartScanner Professional