Local File Include with Redirects

Local File Inclusion via Remote Redirect

When you pentest a web app, it is not unlikely that you find something like this:

Sometimes the developer only thought about injections inside the input value. When only the input value is sanitized, you might be lucky with a remote-to-local redirect: a URI like “https://example.com/xyz” passes the check and then redirects to “file:///…”, which the application fetches without checking again.

To make it easier for you to check this, we have deployed some test URIs in the lab domain. You can check the following redirects:

… file:///etc/passwd

… javascript://alert(1)

… file://C:\

… file:///dev/random

… file:///usr/share/icons/locolor/32x32/apps/gvim.png
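The weak pattern described above, and the fix, as an added example that is not part of the original post: a fetcher that validates only the user-supplied URL, beside one that validates every redirect hop. The redirect table is constructed to stand in for the 30x Location headers a real fetcher would see, and lab.example is a placeholder, not the lab domain.

```python
from urllib.parse import urlparse, urljoin

# Constructed redirect table standing in for the 30x Location headers a
# fetcher would see. "lab.example" is a placeholder, not the real lab domain.
REDIRECTS = {
    "https://lab.example/r/passwd":   "file:///etc/passwd",
    "https://lab.example/r/js":       "javascript://alert(1)",
    "https://lab.example/r/win":      "file://C:\\",
    "https://lab.example/r/relative": "/r/passwd",          # relative hop, then file://
    "https://lab.example/r/ok":       "https://lab.example/final",
}
ALLOWED_SCHEMES = {"http", "https"}
MAX_HOPS = 5


def check_url(url):
    """Return None if the URL may be fetched, else a human-readable reason."""
    p = urlparse(url)
    if p.scheme.lower() not in ALLOWED_SCHEMES:
        return f"disallowed scheme {p.scheme!r}"
    if not p.netloc:
        return "missing host"
    return None


def resolve(url, check_every_hop):
    """Follow redirects from the constructed table.

    check_every_hop=False mirrors the weak pattern on this page: only the
    user-supplied URL is validated and each Location is followed blindly.
    check_every_hop=True validates the URL before every fetch, including
    the final one, so a remote-to-local redirect is refused.
    Returns (True, final_url) or (False, reason).
    """
    reason = check_url(url)
    if reason:
        return False, reason
    for _ in range(MAX_HOPS):
        location = REDIRECTS.get(url)
        if location is None:
            return True, url                 # no redirect: this is what gets fetched
        url = urljoin(url, location)         # resolves relative Locations too
        if check_every_hop:
            reason = check_url(url)
            if reason:
                return False, f"redirect to {url}: {reason}"
    return False, "too many redirects"
```

In a real fetcher the same check belongs in whatever hook your HTTP library offers for redirects (or disable automatic redirects and follow them yourself), because the library's default is to follow Location blindly.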

sebastian.bicchi
