Remote URL Inclusion

Impact: High


Remote URL Inclusion (RUI) is a vulnerability that allows an attacker to include a remote URL, exploiting dynamic URL inclusion mechanisms implemented in the target application. The vulnerability occurs due to the use of user-supplied input without proper validation.

In a Remote URL Inclusion issue, the server fetches the remote URL and includes the content of the remote file in the response. The application might execute the content of the file if it contains codes. This allows attackers to run arbitrary codes on the server. Furthermore, this causes a Server-side request forgery issue.


To mitigate RUI vulnerabilities, avoid passing user-submitted input to URL inclusion mechanisms. If unavoidable, maintain an allow list of trusted URLs that may be included, using an identifier to access selected resources. Reject any request with an invalid identifier to eliminate attack surface.


Last updated on May 13, 2024

This issue is available in SmartScanner Professional

See Pricing