New research rings the alarm bell on the risks of Remote File Inclusions, which could be a more pervasive threat to Web server security than even SQL injection. A common capability on many Web server and content management platforms is the ability to perform Remote File Inclusions (RFIs), which allow users to simply upload an image or a file. Yet RFIs might well be the most pervasive threat on the Web today, according to new research published by cloud security firm Incapsula.
Incapsula examined some 500 million Web sessions to its service over a six-month period and found that 25 percent of them were at risk from an RFI-based attack vector, Marc Gaffan, co-founder of Incapsula, told eWEEK. In contrast, over that same period, only 23 percent of sessions were found to be at risk from SQL injection attacks. In the RFI attack vector, that seemingly innocuous file or image upload in fact includes some form of malicious payload that can potentially enable an attacker to harm a server.