A sound framework for dynamic prevention of Local File Inclusion

Abstract

Web applications take an important role in remote access over the Internet. These applications have many capabilities such as database access, file read/write, calculations as well as desktop applications but run in web browsers environments. As desktop applications, web applications can be exploited but with different techniques. One of the major known vulnerabilities of the web applications is Local File Inclusion. Inclusion in web applications is similar to library imports in desktop applications where a developer can include former developed codes. If an attacker includes his/her libraries, he/she can run his/her malicious code. Current research makes a brief survey of static and dynamic code analysis and suggests a framework for dynamically preventing malicious file inclusions by attackers. It is discussed that this framework prevents local file inclusions even if the developer has exploitable source code. The language PHP is used for describing the vulnerability and prevention framework.