In this blog, we will be testing Local File Inclusion (LFI) vulnerability on vulnerable application with OWASP CRS & CWAF Ruleset 1.127 (latest version).
Test Scenario
1. Testing LFI attack with OWASP CRS
Include the OWASP CRS on apache config:
Filename: REQUEST-930-APPLICATION-ATTACK-LFI
PARANOIA_LEVEL:1
Rule ID: 930100,930110,930120,930130
Test these following payloads on the xvwa vulnerable application for Local File Inclusion (LFI) attack.
/var/mail/www-data
/etc/network/* i.e /etc/network/interfaces
/etc/init/* i.e /etc/init/anacron.conf
As a result, OWASP CRS failed to block the user from accessing the above sensitive path or file, but it block almost ever major LFI attacks.Check the demo video to have clear understading.
2. Testing LFI attack on CWAF Ruleset:
Include the CWAF ruleset on apache config:
Test these following payloads on the xvwa vulnerable application for Local File Inclusion (LFI) attack.
/var/mail/www-data
/usr/share/apache2/* i.e /usr/share/apache2/build/config.nice
/usr/share/php5/mysql/mysql.ini
As a resut, CWAF failed to block the user from accessing the above sensitive path or file, but it block all other LFI attack on application and it show FP on LFI payloads. Check the demo video to have clear understading.