
Security Test: File inclusion

Description

Default Severity:

File inclusion occurs when an application lets an attacker choose which file the server reads or includes. When user input is used directly to build a file path without proper checks, an attacker can add traversal sequences such as ../ (or supply an absolute path) to reach files outside the intended directory: configuration files, credentials, or other confidential data. If the included file is processed as code, for example through an interpreter's include mechanism, the attacker can also achieve code execution on the server. Developers fall into this trap by assuming that users will only supply a plain file name, so any input used to construct a file path must be validated, and the resolved path checked against the allowed base directory, before the file is opened.
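The traversal and its fix described above, as an added example that is not part of the original page or of the scanner's own code: a file-download handler in Python, with the vulnerable form and a hardened one side by side. The function names, the sample directory layout and the file contents are constructed for illustration.

```python
# Added example (not from the original page or the scanner's code base):
# a file-download handler with a user-controlled file name, vulnerable and
# hardened. Function names and the sample directory layout are assumptions.
import os
import tempfile


def build_sample_tree():
    """Constructed sample data: a 'public' directory holding the one file
    the application is allowed to serve, and a secret file one level above
    it. Returns the path of the public directory."""
    root = tempfile.mkdtemp(prefix="lfi-demo-")
    public = os.path.join(root, "public")
    os.mkdir(public)
    with open(os.path.join(public, "report.txt"), "w") as f:
        f.write("quarterly report")
    with open(os.path.join(root, "secret.conf"), "w") as f:
        f.write("db_password=hunter2")
    return public


def secret_path(public_dir):
    """Absolute path of the secret file that sits outside public_dir."""
    return os.path.join(os.path.dirname(public_dir), "secret.conf")


def vulnerable_read(public_dir, filename):
    """Vulnerable: the request parameter is joined to the base directory
    with no check. '../secret.conf' walks out of public_dir, and because
    os.path.join discards the base when the second part is absolute, an
    absolute path replaces the base directory entirely."""
    path = os.path.join(public_dir, filename)
    with open(path) as f:
        return f.read()


def safe_read(public_dir, filename):
    """Hardened: resolve the final path ('..' segments and symlinks
    included) and only then check that it still lies inside the base."""
    base = os.path.realpath(public_dir)
    candidate = os.path.realpath(os.path.join(base, filename))
    # commonpath rather than startswith: '/srv/public-old' must not pass
    # a check for '/srv/public'.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes the base directory: %r" % filename)
    with open(candidate) as f:
        return f.read()


def is_rejected(public_dir, filename):
    """True when safe_read refuses the file name as a traversal attempt."""
    try:
        safe_read(public_dir, filename)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    public = build_sample_tree()
    print("vulnerable, report.txt     :", vulnerable_read(public, "report.txt"))
    print("vulnerable, ../secret.conf :", vulnerable_read(public, "../secret.conf"))
    print("vulnerable, absolute path  :", vulnerable_read(public, secret_path(public)))
    print("safe, report.txt           :", safe_read(public, "report.txt"))
    for name in ("../secret.conf", secret_path(public)):
        print("safe, %s rejected: %s" % (name, is_rejected(public, name)))
```

The check is done on the resolved path, not on the raw input, because filtering "../" from the string misses encoded variants, absolute paths and symlinks inside the public directory; resolving first and comparing against the base directory catches all of them with one comparison.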

Reference:

Configuration

Identifier: injection/file_inclusion

Examples

All configuration available:

checks:
  injection/file_inclusion:
    skip: false # default
    options:
      skip_objects: # cf. Options below

Options

Options can be set in the options key of the Security Test Configuration.

Property Type Default Description
skip_objects List[string] List of objects to be skipped by the security test.

Compliance and Standards

Standard Value
OWASP API Top 10 API10:2023
OWASP LLM Top 10 LLM06:2023
PCI DSS 6.5.1
GDPR Article-32
SOC2 CC6
PSD2 Article-95
ISO 27001 A.14.2
NIST SP800-123
FedRAMP SI-10
CWE 22
CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C
CVSS Score 7.2