Data security provider Imperva recently released its April Hacker Intelligence Report, which finds that remote and local file inclusion attacks were among the four most prevalent web application attacks used by hackers in 2011.
RFI/LFI attacks made up 21 percent of all application attacks observed by Imperva between June and November 2011. In compiling the results, Imperva’s Application Defense Center research arm, the Hacker Intelligence Initiative, analyzed traffic to 40 web applications and categorized them according to attack method.
RFI and LFI attacks take advantage of vulnerable PHP web application parameters by including a URL reference to remotely hosted malicious code, enabling remote execution, Imperva says. PHP is used across more than 77 percent of applications on the Internet, making these attacks a threat to the majority of online applications and a concern for web hosting customers that use the PHP programming language.
Many hackers use RFI/LFI attacks to take over a web server; the technique was the method of attack behind LulzSec attacks, and TimThumb, a WordPress plug-in, was vulnerable to LFI and infected 1.2 million websites, according to the report. In an email interview, Anirban Banerjee, co-founder and VP of R&D for StopTheHacker, identified third-party add-ons, such as the TimThumb plug-in, as a major malware threat to hosting providers.
“LFI and RFI are popular attack vectors for hackers because they are less known and extremely powerful when successful,” Tal Be’ery, Imperva’s senior web researcher, said in a statement. “We observed that hacktivists and for-profit hackers utilized these techniques extensively in 2011, and we believe it is time for the security community to devote more attention to the issue.”
According to the report, LFI is three times more popular than RFI, a figure that Imperva says is aligned with the fact that 90 percent of PHP deployments are of versions that do not allow RFI by default. RFI attacks can be mitigated with reputation-based blacklists.
Since the 10 most active hackers issued more than half of the observed RFI attacks, Imperva says that by forming a community that shares RFI data it could cross-pollinate blacklists of attackers’ IPs from site to site and get a “head start” over attackers.
Mitigation of LFI/RFI attacks requires vulnerability scanning, Imperva says. Security teams should use Google to identify, and remove, traces from their web applications, and use vulnerability scanner tools to scan applications and highlight potential vulnerabilities. Blacklisting, web application firewalls and code fixing are other methods to mitigate LFI/RFI attacks, according to the report.
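As an added illustration of the vulnerable PHP parameter pattern described above and of the "code fixing" mitigation the report lists, here is the classic file-inclusion bug beside an allowlist-based fix. This is example code written for this article, not code from Imperva, TimThumb or any product; the template names and directory layout are constructed, and it assumes PHP 7.1 or later.

```php
<?php
// Added example, not from the Imperva report. Template names and the
// "templates/" directory are constructed for illustration.

// VULNERABLE: the file to include comes straight from the request.
// If the value is a URL and allow_url_include is On, remote code is
// fetched and executed (RFI); if it is a filesystem path, a local file
// the web server can read is included instead (LFI).
function render_vulnerable(array $get): void
{
    $page = $get['page'] ?? 'home';
    include $page;
}

// HARDENED: the request value is only ever used as a key into a fixed
// map of known templates; it is never concatenated into a path.
const ALLOWED_PAGES = [
    'home'    => 'templates/home.php',
    'about'   => 'templates/about.php',
    'contact' => 'templates/contact.php',
];

function resolve_template(string $requested): string
{
    // Unknown values fall back to a safe default instead of an error
    // message that might echo attacker-controlled input.
    return ALLOWED_PAGES[$requested] ?? ALLOWED_PAGES['home'];
}

function render_hardened(array $get): void
{
    $template = resolve_template((string)($get['page'] ?? 'home'));

    // Defence in depth: confirm the resolved file really lives under the
    // template directory before handing it to include.
    $real = realpath(__DIR__ . '/' . $template);
    $base = realpath(__DIR__ . '/templates');
    if ($real === false || $base === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        http_response_code(404);
        return;
    }
    include $real;
}

// The server-side default the report refers to when it says most PHP
// deployments "do not allow RFI by default":
//   php.ini:  allow_url_include = Off   (blocks URL wrappers in include/require)
```

The allowlist removes the attacker's control over the path entirely; the `realpath` check and the `allow_url_include = Off` setting are independent layers that still hold if a later code change reintroduces user input into the path.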
To read the full report, download the PDF from Imperva’s website.
Talk back: What do you think of the results of Imperva’s survey? Do the majority of your customers have PHP sites? Let us know in the comments.