Prevention & Hardening
Overview
Comprehensive security measures to prevent file inclusion vulnerabilities and harden systems against LFI/RFI attacks.
Secure Coding Practices
Input Validation and Sanitization
Whitelist Approach:
<?php
// Secure file inclusion with whitelist: only page names from the fixed list
// are ever turned into a path, so user input never reaches include() directly
$allowed_files = ['home', 'about', 'contact', 'products'];
$page = $_GET['page'] ?? 'home';
// strict comparison (third argument) avoids loose type juggling
if (in_array($page, $allowed_files, true)) {
    include($page . '.php');
} else {
    include('error.php');
}
?>
Using basename() Function:
<?php
// Strip directory traversal attempts: basename() keeps only the last path
// component, so "../../x" becomes "x". Prepending the template directory and
// appending ".php" also rules out absolute paths and stream wrappers.
// Prefer a whitelist where the set of pages is known in advance.
$file = basename($_GET['file'] ?? '');
$file = './templates/' . $file . '.php';
if (file_exists($file)) {
    include($file);
}
?>
Web Server Configuration Hardening
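Before moving on to server configuration, one more application-level example. It is added here and is not code from the original page or from HTB Academy: it combines the whitelist and basename() ideas above into a reusable loader and adds a realpath() containment check, so that traversal, stream wrappers, NUL bytes and symlinked templates are all rejected before include() runs. TEMPLATE_DIR, the length limit and the sample inputs are assumptions made for this example.

```php
<?php
// Added example (not from the original page): a confined template loader.
// TEMPLATE_DIR is an assumption; adjust it to the real template directory.
const TEMPLATE_DIR = __DIR__ . '/templates';

function resolve_template(string $page): ?string
{
    // Syntactic whitelist: letters, digits, '-' and '_' only (length is an
    // assumption). This already excludes '/', '\', '..', ':' and NUL bytes.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $page)) {
        return null;
    }

    // Semantic check: after symlinks are resolved, the file must still be
    // inside TEMPLATE_DIR. realpath() returns false for missing files, so a
    // non-existent page is rejected here as well.
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . $page . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

function render_page(string $page): void
{
    $path = resolve_template($page);
    if ($path === null) {
        // Log the raw value hex-encoded (no log injection), never echo it back
        error_log('rejected page parameter: ' . bin2hex($page));
        http_response_code(404);
        include TEMPLATE_DIR . '/error.php';
        return;
    }
    include $path;
}

if (PHP_SAPI !== 'cli') {
    // Web entry point: an array value (page[]=x) is treated as invalid
    $requested = $_GET['page'] ?? 'home';
    render_page(is_string($requested) ? $requested : '');
} else {
    // Constructed inputs (assumption) showing what the loader refuses. Only
    // 'home' can be served, and only if templates/home.php really exists.
    $samples = [
        'home',
        '../../../../etc/passwd',
        'php://input',
        "home\0",
        'data://text/plain,hello',
    ];
    foreach ($samples as $sample) {
        printf("%-32s => %s\n", json_encode($sample),
            resolve_template($sample) ? 'allowed' : 'rejected');
    }
}
```

Run it from the command line to see the classification of the sample inputs; served as a web script it behaves like the whitelist snippet above, but with the containment check as a second, independent layer.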
PHP Configuration (php.ini)
Essential Security Settings:
; php.ini comments start with ";" ("#" comments are not supported since PHP 7)
; Block remote file access, which RFI depends on
allow_url_fopen = Off
allow_url_include = Off
; Restrict file access to the web root (add the session/tmp directory if the
; application needs it, separated by ":")
open_basedir = /var/www/html
; Disable dangerous functions
disable_functions = system,exec,shell_exec,passthru,popen,proc_open
; Hide PHP version
expose_php = Off
; Limit file uploads
file_uploads = Off
upload_max_filesize = 1M
HTB Academy Prevention Lab:
# Find php.ini location
sudo find / -name php.ini 2>/dev/null
# Result: /etc/php/7.4/apache2/php.ini
# Edit disable_functions (line 312)
sudo nano /etc/php/7.4/apache2/php.ini
disable_functions = system,exec,shell_exec,passthru
# Restart Apache
sudo service apache2 restart
# Test result shows: "system() has been disabled for security reasons"
Apache/Nginx Hardening
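Added here, before the Apache settings, is a check script for the php.ini section above. It is not code from the original page or from HTB Academy: it reads the effective configuration with ini_get() and reports every setting from the list above that is not in its hardened state. Run it through the same SAPI as the web server (for example once from the web root, or with php-cgi for FPM), because the CLI can load a different php.ini than Apache or FPM does.

```php
<?php
// Added example (not from the original page): report php.ini hardening gaps.
function check_php_hardening(): array
{
    $findings = [];

    // Remote inclusion needs both of these; report either still being On
    foreach (['allow_url_fopen', 'allow_url_include'] as $directive) {
        if (filter_var((string) ini_get($directive), FILTER_VALIDATE_BOOLEAN)) {
            $findings[] = "$directive is On";
        }
    }

    // open_basedir limits which paths file functions may touch
    if ((string) ini_get('open_basedir') === '') {
        $findings[] = 'open_basedir is not set';
    }

    // Command-execution functions that should be disabled
    $wanted   = ['system', 'exec', 'shell_exec', 'passthru', 'popen', 'proc_open'];
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    foreach (array_diff($wanted, $disabled) as $fn) {
        $findings[] = "$fn is not in disable_functions";
    }

    if (filter_var((string) ini_get('expose_php'), FILTER_VALIDATE_BOOLEAN)) {
        $findings[] = 'expose_php is On';
    }
    if (filter_var((string) ini_get('file_uploads'), FILTER_VALIDATE_BOOLEAN)) {
        $findings[] = 'file_uploads is On';
    }

    return $findings;
}

// php_ini_loaded_file() tells you which php.ini this SAPI actually read
echo 'Loaded php.ini: ', php_ini_loaded_file() ?: '(none)', PHP_EOL;
$findings = check_php_hardening();
if ($findings === []) {
    echo "All checked settings are hardened", PHP_EOL;
} else {
    foreach ($findings as $finding) {
        echo "MISSING: $finding", PHP_EOL;
    }
}
```

A clean run after the lab steps above still lists popen and proc_open as missing, because the lab only disables four functions; that gap is exactly what the script is meant to surface.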
Apache Security Configuration
Server Hardening Directives:
# Hide server information (Server header and error-page signature)
ServerTokens Prod
ServerSignature Off
# Directory listing protection
Options -Indexes
# File access restrictions: only local clients may request PHP scripts.
# This is Apache 2.2 access-control syntax (needs mod_access_compat on 2.4,
# where "Require local" is the equivalent). Apply it only where the PHP
# entry points sit behind a proxy on the same host, or the site itself
# becomes unreachable.
<FilesMatch "\.(php|phtml|php3|php4|php5|php7)$">
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1
</FilesMatch>
Web Application Firewall (WAF) Protection
ModSecurity Rules
LFI Detection Rules:
# Prerequisites: the engine must be on, and "block" only denies when
# SecDefaultAction names a disruptive action (the built-in default is "pass")
SecRuleEngine On
SecDefaultAction "phase:2,log,auditlog,deny,status:403"
# Block common LFI patterns: absolute-path probes and backslash traversal
# (forward-slash traversal is rule 1002). ARGS values are URL-decoded once
# already; t:urlDecodeUni also catches double-encoded input.
SecRule ARGS "@rx (?i)(?:/etc/passwd|/proc/self/|\.\.\\\\)" \
    "id:1001,\
    phase:2,\
    t:none,t:urlDecodeUni,\
    block,\
    msg:'LFI Attack Detected',\
    logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}'"
# Block directory traversal
SecRule ARGS "@contains ../" \
    "id:1002,\
    phase:2,\
    t:none,t:urlDecodeUni,\
    block,\
    msg:'Directory Traversal Detected'"
# Block PHP stream wrappers ("input" is not a scheme of its own:
# php://input is already matched by php://)
SecRule ARGS "@rx (?i)(?:php|data|expect|file|phar|zip)://" \
    "id:1003,\
    phase:2,\
    t:none,t:urlDecodeUni,\
    block,\
    msg:'PHP Wrapper Detected'"
Container Security & Isolation
Docker Implementation
Secure Dockerfile Example:
FROM php:7.4-apache
# Create non-root user
RUN useradd -m -s /bin/bash webuser
# Set secure php.ini
COPY secure-php.ini /usr/local/etc/php/php.ini
# Copy application with restricted permissions
COPY --chown=webuser:webuser ./app /var/www/html
# A non-root user cannot bind port 80, so move the listener (and the
# default virtual host) to 8080; the image's run/lock/log directories
# are already writable by arbitrary users
RUN sed -i 's/^Listen 80$/Listen 8080/' /etc/apache2/ports.conf \
 && sed -i 's/<VirtualHost \*:80>/<VirtualHost *:8080>/' /etc/apache2/sites-available/000-default.conf
# Run as non-root
USER webuser
EXPOSE 8080
Monitoring and Logging
Log Analysis for LFI Detection
Detection Patterns:
# Monitor for LFI attempts
tail -f /var/log/apache2/access.log | grep -E "\.\./|php://|data://|expect://"
# Automated detection script
grep -E "(\.\.\/|php:\/\/|data:\/\/)" /var/log/apache2/access.log | \
awk '{print $1, $7}' | sort | uniq -c | sort -nr
Continuous Security Testing
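As an added example that is not part of the original page, the grep/awk pipeline above can be turned into a small scanner that does what the pipeline does but URL-decodes the request path first (twice, so double-encoded input is normalised as well); a plain grep for "../" misses an encoded "%2e%2e%2f". The scanner parses the combined log format, classifies each request by the pattern it matched and groups the hits per client address. The log lines in the block are constructed for this example; read a real access.log into scan_lines() to use it.

```php
<?php
// Added example (not from the original page): LFI indicators in access logs.
// Patterns mirror the grep on the page, plus backslash traversal and the
// remaining stream wrappers.
const LFI_PATTERNS = [
    'traversal' => '#(?:\.\./|\.\.\\\\)#',
    'wrapper'   => '#\b(?:php|data|expect|file|phar|zip)://#i',
];

// Combined log format: IP, ident, user, [time], "METHOD PATH PROTO", status, size, ...
function parse_access_log(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3],
            'path' => $m[4], 'status' => (int) $m[5]];
}

// Decode twice so that double-encoded payloads (%252e -> %2e -> .) are seen
function classify_request(string $path): array
{
    $decoded = rawurldecode(rawurldecode($path));
    $hits = [];
    foreach (LFI_PATTERNS as $name => $regex) {
        if (preg_match($regex, $decoded)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Returns [ip => [[path, matched pattern names, status], ...]] for hits only
function scan_lines(iterable $lines): array
{
    $perIp = [];
    foreach ($lines as $line) {
        $req = parse_access_log($line);
        if ($req === null) {
            continue;
        }
        $hits = classify_request($req['path']);
        if ($hits === []) {
            continue;
        }
        $perIp[$req['ip']][] = [$req['path'], implode('+', $hits), $req['status']];
    }
    return $perIp;
}

// Constructed sample log lines (assumption): two benign, three suspicious.
// The third line is the encoded form that the plain grep pipeline misses.
$sample = [
    '203.0.113.7 - - [10/Jan/2024:10:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 1532',
    '203.0.113.7 - - [10/Jan/2024:10:00:02 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 2100',
    '203.0.113.7 - - [10/Jan/2024:10:00:03 +0000] "GET /index.php?page=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 2100',
    '198.51.100.9 - - [10/Jan/2024:10:00:04 +0000] "GET /index.php?page=php://input HTTP/1.1" 500 0',
    '198.51.100.9 - - [10/Jan/2024:10:00:05 +0000] "GET /about.php HTTP/1.1" 200 980',
];

foreach (scan_lines($sample) as $ip => $events) {
    printf("%s: %d suspicious request(s)\n", $ip, count($events));
    foreach ($events as [$path, $kind, $status]) {
        printf("  [%s] %s -> %d\n", $kind, $path, $status);
    }
}
```

The status code is kept on purpose: a 200 on a traversal request means the include most likely succeeded and deserves a higher priority than a 404 or 500, which is information the uniq -c count alone does not give.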
Automated Vulnerability Scanning
Regular Security Assessments:
# Automated LFI scanning
nikto -h http://localhost -Tuning 5
# Custom security testing script
./test_lfi_protection.sh http://localhost
[Content continues with SIEM integration and incident response...]
This guide covers prevention and hardening techniques from HTB Academy's File Inclusion module.