turbot/tailpipe-mod-apache-access-log-detections

Detection: Header-Based Local File Inclusion

Overview

Detect when a web server received requests with Local File Inclusion (LFI) attack patterns in the User-Agent or other headers. This specialized detection focuses on identifying path traversal and file inclusion attempts that specifically target HTTP headers rather than typical URL parameters or path components.

Header-based LFI attacks represent an advanced evasion technique in which attackers place path traversal sequences and OS file paths in HTTP headers to bypass Web Application Firewalls (WAFs) and other security controls that concentrate on the request URL. The technique works because standard security controls often inspect URL parameters and paths while neglecting HTTP headers: many WAF configurations do not thoroughly inspect headers for attack patterns, security monitoring focused on request URLs does not see header-based payloads, and headers are sometimes logged separately and receive less security scrutiny.

This detection identifies multiple LFI techniques in HTTP headers: basic path traversal using directory navigation sequences such as ../ and ..\, encoded path traversal using URL-encoded variants such as ..%2f and %2e%2e%2f, and attempts to access sensitive OS files such as /etc/passwd, /etc/shadow, and Windows configuration files. Particularly at risk from these attack vectors are web applications that process User-Agent headers without proper sanitization, logging infrastructure that stores header values in files whose paths are influenced by those values, and server-side includes or templates that might process and render header values.

References:

Usage

Run the detection in your terminal:

powerpipe detection run apache_access_log_detections.detection.header_based_local_file_inclusion

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe detection run apache_access_log_detections.detection.header_based_local_file_inclusion --share

SQL

This detection uses a named query:

select
  tp_timestamp as timestamp,
  request_method as operation,
  request_uri as resource,
  status,
  http_user_agent as actor,
  tp_source_ip as source_ip,
  tp_id as source_id,
  -- Create new aliases to preserve original row data
  status as status_src,
  timestamp as timestamp_src,
  * exclude (status, timestamp)
from
  apache_access_log
where
  http_user_agent is not null
  and (
    -- Path traversal in User-Agent
    http_user_agent ilike '%../%'
    or http_user_agent ilike '%/../%'
    or http_user_agent ilike '%\\..\\%'
    or http_user_agent ilike '%\\.\\%'
    -- Encoded path traversal in User-Agent
    or http_user_agent ilike '%..%2f%'
    or http_user_agent ilike '%..%2F%'
    or http_user_agent ilike '%%2e%2e%2f%'
    or http_user_agent ilike '%%2E%2E%2F%'
    or http_user_agent ilike '%..%5c%'
    or http_user_agent ilike '%..%5C%'
    -- OS file access in User-Agent
    or http_user_agent ilike '%/etc/passwd%'
    or http_user_agent ilike '%/etc/shadow%'
    or http_user_agent ilike '%/etc/hosts%'
    or http_user_agent ilike '%/proc/self/%'
    or http_user_agent ilike '%win.ini%'
    or http_user_agent ilike '%system32%'
    or http_user_agent ilike '%boot.ini%'
  )
order by
  tp_timestamp desc;
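The following is an added example, not code from the tailpipe mod: it applies the same three User-Agent pattern groups the Overview describes (raw traversal, URL-encoded traversal, OS file access) to Apache combined-format log lines in plain Python, so the logic can be checked outside Tailpipe and DuckDB. It assumes the combined log format, the sample log lines are constructed, and the single percent-decode pass before matching is an extension of the page's raw-string query, added so that one layer of double encoding still surfaces.

```python
"""Header-based LFI detection over Apache combined-format access log lines.

Added example (not part of the tailpipe mod). The log lines below are
constructed sample data, not real traffic.
"""
import re
from urllib.parse import unquote

# Apache "combined" format:
# host ident user [time] "method uri proto" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The same three groups the detection describes. Unlike an ILIKE pattern,
# a regex treats "%" as a literal character, so "%2e%2e%2f" matches only
# the encoded sequence rather than "2e ... 2e ... 2f" with wildcards.
PATTERNS = {
    "path_traversal": re.compile(r'\.\./|\\\.\.\\', re.IGNORECASE),
    "encoded_traversal": re.compile(r'\.\.%2f|%2e%2e%2f|\.\.%5c', re.IGNORECASE),
    "os_file_access": re.compile(
        r'/etc/passwd|/etc/shadow|/etc/hosts|/proc/self/|win\.ini|system32|boot\.ini',
        re.IGNORECASE,
    ),
}

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    # benign browser request
    '203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    # raw traversal plus OS file path in the User-Agent
    '198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "../../../../etc/passwd"',
    # URL-encoded traversal plus Windows file name
    '198.51.100.7 - - [10/Oct/2023:13:55:41 +0000] "GET /login HTTP/1.1" 403 512 "-" "Mozilla/5.0 ..%2F..%2Fwin.ini"',
    # double-encoded traversal: only visible after one decode pass
    '198.51.100.8 - - [10/Oct/2023:13:55:42 +0000] "GET /login HTTP/1.1" 200 512 "-" "curl/8.0 %252e%252e%252f"',
    # empty User-Agent, skipped like "http_user_agent is not null"
    '198.51.100.9 - - [10/Oct/2023:13:55:43 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" ""',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def match_user_agent(ua):
    """Return the pattern group names that fire on a User-Agent value.

    Both the raw header and a single percent-decoded copy are checked, so a
    payload hidden behind one extra encoding layer is still reported.
    """
    decoded = unquote(ua)
    return [name for name, rx in PATTERNS.items()
            if rx.search(ua) or rx.search(decoded)]


def detect(lines):
    """Run the detection over log lines; mirror the query's output columns."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["ua"]:
            continue
        hits = match_user_agent(rec["ua"])
        if hits:
            findings.append({
                "timestamp": rec["time"],
                "operation": rec["method"],
                "resource": rec["uri"],
                "status": int(rec["status"]),
                "actor": rec["ua"],
                "source_ip": rec["ip"],
                "patterns": hits,
            })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f["timestamp"], f["source_ip"], f["patterns"], repr(f["actor"]))
```

Running the script reports three of the five constructed lines: the raw traversal line fires on both the traversal and OS-file groups, the encoded line fires on all three once decoded, and the double-encoded line fires only on the encoded-traversal group after one decode pass, which the raw ILIKE patterns in the query above would not see.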

Tags