Description
Remote URL Inclusion (RUI) is a vulnerability in which an attacker can make the application include content from a remote URL of the attacker's choosing, by abusing a dynamic inclusion mechanism that builds the target URL from user-supplied input without proper validation.
When the application processes such a request, the server itself fetches the remote URL and includes the content of the remote file in its response. If the inclusion mechanism executes what it loads (for example, a PHP include() with allow_url_include enabled), the attacker can run arbitrary code on the server. Even when the fetched content is only embedded rather than executed, the server is still making a request to an attacker-chosen URL, so the same flaw is also a Server-Side Request Forgery (SSRF) issue: it can be used to reach internal hosts, cloud metadata endpoints, or other resources that the attacker cannot access directly.
Recommendation
To mitigate RUI vulnerabilities, avoid passing user-submitted input to URL inclusion mechanisms at all. If remote inclusion is unavoidable, do not accept a URL from the client: maintain an allow list of trusted URLs that may be included, expose each one behind an opaque identifier, and resolve that identifier to the URL on the server. Reject any request whose identifier is not in the list. Do not try to filter or sanitise a user-supplied URL instead; a deny list of hosts or schemes is bypassable (redirects, alternate encodings, differing URL parsers) and still leaves the server fetching attacker-influenced destinations.
References
- OWASP Web Security Testing Guide: Testing for Remote File Inclusion
- Wikipedia: File inclusion vulnerability
- CWE-20: Improper Input Validation
- CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
- CWE-918: Server-Side Request Forgery (SSRF)
- CAPEC-193: PHP Remote File Inclusion
- OWASP Top 10 2021: A03 Injection
- OWASP Top 10 2021: A10 Server-Side Request Forgery (SSRF)