Name: Rafael D. Villanueva Jr.
Date: 04/18/2023
Section: BSIT 3-A
ACTIVITY FOR IT-WS04
INSTRUCTIONS: Open your browser and go to this link:
https://github.com/elioth-coder/vulnerability-lfi-upload to download the source code needed
for the activity. Copy and extract the zip file into your c:/xampp/htdocs/ folder, then run it in
your browser.
Requirements for finishing the activity:
1. You must survey and assess the website you downloaded for any vulnerabilities.
2. You must identify and define those vulnerabilities.
3. You must enumerate possible countermeasures or solutions for defending the site from
the said vulnerability.
4. Take a screenshot of the said vulnerability.
5. Explain how you discovered the vulnerability, using the screenshot as the basis,
just like the example below:
6. Save your document with the following file name format: LASTNAME-FIRSTNAME.docx
for example: DELACRUZ-JUAN.docx
Figure 1: Local File Inclusion Vulnerability
As you can see in Figure 1, this website is vulnerable to a Local File Inclusion attack. By
entering this keyword in the URL: ./link of the picture, you will be directly located at the file
IDENTIFIED VULNERABILITY: LOCAL FILE INCLUSION VULNERABILITY
DEFINITION OF VULNERABILITY: Local File Inclusion is an attack technique in which attackers
trick a web application into either running or exposing files on the web server. LFI attacks can
expose sensitive information and, in severe cases, lead to cross-site scripting (XSS) and
remote code execution. LFI is listed as one of the OWASP Top 10 web application vulnerabilities.
SOLUTION OR POSSIBLE COUNTERMEASURES:
Here are a few ways to prevent LFI attacks:
ID assignment – store the file paths securely on the server and give each one an ID; users only ever see and submit the ID, so they cannot view or alter the path
Whitelisting – allow only verified, known-safe files to be included and reject everything else
Use databases – don't keep includable files on the web server where they can be compromised; store the content in a database instead
Better server instructions – configure the server to send download headers automatically instead of executing files in the specified directory
As you can see in Figure 2 above, this website is vulnerable to a File Upload Vulnerability. The
user can upload different kinds of files.
IDENTIFIED VULNERABILITY: FILE UPLOAD VULNERABILITY
DEFINITION OF VULNERABILITY: A file upload vulnerability allows attackers to inject malicious
content into the application server. Also known as an unrestricted file upload, an attack is
triggered by either tricking a victim user into uploading an arbitrary file or by uploading it
directly through a file upload service that does not validate the type of file used.
SOLUTION OR POSSIBLE COUNTERMEASURES:
How to avoid a File Upload Vulnerability:
Always check the file extension, taking case sensitivity into account.
Inspect and filter the content of the file before storing it on the server.
Don't give uploaded files execute permission.
Always store uploaded files in a non-public directory.
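As an added example, not code from the activity's repository: hardened PHP versions of the two patterns covered by both write-ups above, the LFI countermeasures (ID assignment and whitelisting) and the upload checks (case-insensitive extension check, content inspection, non-public storage). The function names, the pages/ map, the private_uploads directory and the 2 MiB limit are assumptions.

```php
<?php
// Added example, not part of the downloaded activity source: hardened versions
// of the two patterns flagged above. Paths, names and the 2 MiB limit are assumed.
declare(strict_types=1);
// LFI countermeasure (ID assignment / whitelisting): the request carries only
// an ID; the real path comes from this server-side map, so user input never
// reaches include(). "../", "php://" or null bytes simply miss the map.
const PAGE_MAP = [
    'home'    => __DIR__ . '/pages/home.php',
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

function resolvePage(string $id): ?string
{
    return PAGE_MAP[$id] ?? null;
}

// Upload countermeasures: extension checked case-insensitively, content type
// checked against the extension, random server-chosen name, non-public directory.
const ALLOWED = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png'];
const UPLOAD_DIR = __DIR__ . '/../private_uploads';   // assumed: outside htdocs
function validateUpload(string $clientName, string $tmpPath, int $size): ?string
{
    if ($size <= 0 || $size > 2 * 1024 * 1024) {         // assumed size limit
        return null;
    }
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {                          // .php, .PHP, .phtml ... rejected
        return null;
    }
    if ((new finfo(FILEINFO_MIME_TYPE))->file($tmpPath) !== ALLOWED[$ext]) {
        return null;                                      // content does not match extension
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;        // client filename never becomes a path
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['picture'])) {
    $f = $_FILES['picture'];
    $name = $f['error'] === UPLOAD_ERR_OK ? validateUpload($f['name'], $f['tmp_name'], $f['size']) : null;
    if ($name === null || !move_uploaded_file($f['tmp_name'], UPLOAD_DIR . '/' . $name)) {
        http_response_code(400); exit('Upload rejected');
    }
    echo 'Stored as ', htmlspecialchars($name);          // serve via a download script, not directly
} else {
    $page = resolvePage($_GET['page'] ?? 'home');
    if ($page === null) { http_response_code(404); exit('Unknown page'); }
    include $page;
}
```

Because the stored file sits outside htdocs and has a server-chosen name, a rejected or disguised script can never be reached as a URL, and the include path is chosen from the map rather than from the query string.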