How dangerous is RFI?

RFI can be very dangerous. Potential consequences range from sensitive information disclosure and cross-site scripting (XSS) to remote code execution (code injection) and, as a final result, full system compromise. Read more about remote code execution attacks that may be the result of RFI vulnerabilities .

The most efficient way to detect RFI is by using an automated vulnerability scanner such as Acunetix. You can of course detect such vulnerabilities through manual penetration testing but it takes a lot more time and resources. Learn how vulnerability scanning and penetration testing should be used together .

To avoid RFI and many other vulnerabilities, never trust user input. If you need to include files in your website or web application code, use a whitelist of allowed file names and locations. Read about best practices for secure coding .

Web Security Zone Archives | Page 15 of 73

Q: What is remote file inclusion (RFI)?

Remote file inclusion (RFI) is a serious web vulnerability. If an RFI vulnerability exists in a website or web application, an attacker can include malicious external files that are later run by this website or web application. Also read about a related vulnerability – local file inclusion (LFI) .

What is Remote File Inclusion (RFI)?

Web Security Zone | April 2, 2020 by Ian Muscat

Using remote file inclusion (RFI), an attacker can cause the web application to include a remote file. This is possible for web applications that dynamically include external files or scripts. Potential web security consequences of a successful RFI attack range from sensitive information disclosure and…

How to Defend against Black Hat Hackers during the COVID-19 Pandemic

Web Security Zone | March 25, 2020 by Tomasz Andrzej Nidecki

The SARS-CoV-2 coronavirus outbreak and the COVID-19 illness are instrumental for cybercriminals. Both businesses and private users are a major cyberattack target due to chaos and panic that surrounds the coronavirus pandemic. Here is what we believe that organizations should do to maintain a high…

What Are Insecure Direct Object References

Web Security Zone | March 23, 2020 by Tomasz Andrzej Nidecki

Insecure direct object references (IDOR) are a cybersecurity issue that occurs when a web application developer uses an identifier for direct access to an internal implementation object but provides no additional access control and/or authorization checks. For example, an IDOR vulnerability would happen if the…

Apache Security – 10 Tips for a Secure Installation

Web Security Zone | March 16, 2020 by Acunetix

The Apache web server is one of the most popular web servers available for both Windows and Linux/UNIX. At the moment, it is used to host approximately 40% of websites. It is also often described as one of the most secure web servers. In this article,…

How to Recover from a Hacked Website Event

Web Security Zone | March 13, 2020 by Kevin Attard Compagno

Any fellow website owner or webmaster you may ask who is beyond the novice stage will agree that one of their top priorities will always be keeping their websites secure. However, exploits and tools available to hackers are so vast, and software technologies evolve so…

The curse of old Java libraries

Web Security Zone | February 27, 2020 by Aleksei Tiurin

Java is known for its backward-compatibility. You can still execute code that was written many years ago, as long as you use an appropriate version of Java. Thanks to this feature, modern projects use a wide range of libraries that have been “tested by time”…

How We Found Another XSS in Google with Acunetix

Web Security Zone | February 17, 2020 by Andrey Leonov

You have to be a very lazy hacker not to try to find issues in Google. Link and I are not lazy but we may be a bit luckier than most. And we use good tools, which helps. Some time ago, we found an XSS…

Why Malicious Hackers Set Their Sights On Hospitals

Web Security Zone | February 12, 2020 by Samuel Bocetta

If you scan the news headlines, you might be forgiven for thinking that the biggest target of online attackers is financial institutions. Cyber attacks aimed at banks typically gain a lot of press coverage, because everybody likes to think that their money is safe. In…

Session Hijacking and Other Session Attacks

Web Security Zone | February 11, 2020 by Tomasz Andrzej Nidecki

Session IDs are a tasty treat for malicious hackers. Once an attacker gets their hands on a session ID, they can get unauthorized access to a web application and fully impersonate a valid user. In general, there are three primary methods to obtain a valid…

Web Security Zone

Take action and discover your vulnerabilities