Injection: File inclusion

Identifier: file_inclusion

Scanner(s) Support

GraphQL Scanner
REST Scanner
WebApp Scanner

Description

File inclusion happens when the application lets an attacker control which file the server reads or includes. When user input is used directly to build a file path without proper checks, the attacker can add extra path segments such as ../ to walk out of the intended directory and reach sensitive files elsewhere on the server. This is dangerous because it can expose confidential data or internal configuration, and it can lead to code execution if the attacker can also influence how the included file is processed. Developers often fall into this trap by assuming that users will only supply safe input, so it is important to validate and sanitize user input whenever it is used to construct file paths.
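As an added illustration (this is not part of the scanner documentation or its code), the Python below shows the flaw described above beside its fix. unsafe_resolve is a hypothetical vulnerable path builder that trusts the request path; safe_resolve is its hardened form, which resolves symlinks and then checks that the final path still sits under the web root. demo() builds a constructed directory layout in a temporary folder (a public report, a secret outside the root, and a symlink that points at the secret) and reports which requests each resolver would serve.

```python
import os
import tempfile
from typing import Dict, Optional


def unsafe_resolve(base_dir: str, user_path: str) -> str:
    """Hypothetical vulnerable resolver: os.path.join keeps "../" segments,
    and if user_path is absolute it discards base_dir entirely."""
    return os.path.join(base_dir, user_path)


def safe_resolve(base_dir: str, user_path: str) -> Optional[str]:
    """Hardened resolver: the symlink-resolved path must stay under base_dir.
    Returns None for anything that escapes (the caller should answer 400/404)."""
    if "\x00" in user_path:  # a NUL byte can truncate the path in C-level APIs
        return None
    root = os.path.realpath(base_dir)
    # realpath normalises "../" and follows symlinks, so the check below sees
    # where the file really lives, not how the request spelled it.
    candidate = os.path.realpath(os.path.join(root, user_path))
    try:
        if os.path.commonpath([root, candidate]) != root:
            return None  # "../" walked out, absolute path, or symlink pointing outside
    except ValueError:  # paths on different drives (Windows)
        return None
    return candidate


def _leaks_secret(path: str) -> bool:
    """True if opening `path` would hand the constructed secret to the client."""
    try:
        with open(path, "r") as f:
            return "hunter2" in f.read()
    except (OSError, ValueError):
        return False


def demo() -> Dict[str, Dict[str, bool]]:
    """Constructed scenario comparing both resolvers against typical payloads."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "www")
        os.makedirs(os.path.join(root, "reports"))
        with open(os.path.join(root, "reports", "q1.txt"), "w") as f:
            f.write("public report\n")
        secret = os.path.join(tmp, "secret.txt")  # outside the web root
        with open(secret, "w") as f:
            f.write("db_password=hunter2\n")
        os.symlink(secret, os.path.join(root, "link"))  # symlink inside root -> outside

        # Constructed request paths, as they would arrive after URL decoding.
        requests = {
            "normal": "reports/q1.txt",
            "traversal": "../secret.txt",
            "nested": "reports/../../secret.txt",
            "absolute": secret,
            "symlink": "link",
            "nul": "reports/q1.txt\x00.png",
        }
        results = {}
        for name, req in requests.items():
            results[name] = {
                "unsafe_leaks": _leaks_secret(unsafe_resolve(root, req)),
                "safe_allowed": safe_resolve(root, req) is not None,
            }
        return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:10s} unsafe_leaks={outcome['unsafe_leaks']} safe_allowed={outcome['safe_allowed']}")
```

Two design points worth noting: a check that only normalises the string (for example `startswith(base_dir)` on `os.path.normpath`) would still serve the symlink case, which is why the hardened resolver compares real paths; and the NUL-byte case is rejected before any filesystem call, since some runtimes truncate the path at the NUL and would treat "q1.txt\x00.png" as "q1.txt".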

References:

Configuration

Example

Example configuration:

---
security_tests:
  file_inclusion:
    assets_allowed:
    - REST
    - GRAPHQL
    - WEBAPP
    skip: false

Reference

assets_allowed

Type : List[AssetType]*

List of assets that this check will cover.

skip

Type : boolean

Skip the test if true.