01 Summary

Resource Injection occurs when an application allows user-controlled input to directly specify or influence the names, paths, or identifiers of system resources—such as files, database connections, or network endpoints. An attacker can exploit this to access files they shouldn't see, overwrite critical data, or redirect the application to malicious resources. This weakness is particularly dangerous because it bypasses the application's intended resource access controls.

02 How It Happens

The vulnerability arises when an application constructs resource identifiers (file paths, URLs, connection strings, etc.) by concatenating or interpolating user input without validation or restriction. The developer assumes the input will be benign—a filename, a hostname, or a port number—but does not enforce that assumption. An attacker can then supply unexpected values: path traversal sequences (../), absolute paths, or specially crafted identifiers that cause the application to access unintended resources. The application has no allowlist of permitted resources and no mechanism to verify that the requested resource is one the user is authorized to access.

03 Real-World Impact

Resource Injection can lead to unauthorized file access (reading configuration files, source code, or private data), arbitrary file writes (overwriting application files or injecting malicious code), or redirection of network traffic to attacker-controlled servers. In web applications, it commonly manifests as path traversal attacks that expose sensitive files. In backend systems, it can allow an attacker to manipulate database connection strings, log file paths, or cache identifiers, leading to data theft, denial of service, or privilege escalation.

04 Vulnerable & Fixed Patterns

Vulnerable pattern
import os

def read_user_file(filename):
    # filename comes directly from user input (e.g., request parameter)
    filepath = os.path.join("/var/data", filename)
    with open(filepath, "r") as f:
        return f.read()

# Attacker supplies: "../../../etc/passwd"
# Application reads: /etc/passwd

Why it's vulnerable:
The application concatenates user input directly into a file path without validating or restricting it. An attacker can use path traversal sequences to escape the intended directory and access arbitrary files on the system.

Fixed pattern
import os

ALLOWED_FILES = {"report.txt", "summary.txt", "data.csv"}

def read_user_file(filename):
    # Validate against an allowlist of permitted filenames
    if filename not in ALLOWED_FILES:
        raise ValueError("File not permitted")
    
    filepath = os.path.join("/var/data", filename)
    with open(filepath, "r") as f:
        return f.read()

Vulnerable pattern
<?php
// $filename comes from $_GET or $_POST
$filename = $_GET['file'];
$filepath = "/var/www/uploads/" . $filename;

// Read and output the file
echo file_get_contents($filepath);

// Attacker supplies: "../../wp-config.php"
// Application reads: /var/www/wp-config.php
?>

Why it's vulnerable:
User input is directly concatenated into a file path. An attacker can inject path traversal sequences to read files outside the intended upload directory, including configuration files containing database credentials.

Fixed pattern
<?php
$allowed_files = array("report.pdf", "invoice.pdf", "receipt.pdf");
$filename = $_GET['file'];

// Validate against an allowlist
if (!in_array($filename, $allowed_files, true)) {
    die("File not permitted");
}

$filepath = "/var/www/uploads/" . $filename;
echo file_get_contents($filepath);
?>

05 Prevention Checklist

Use an allowlist:
Maintain a strict list of permitted resource identifiers (filenames, hostnames, connection strings) and reject any input not on that list.
Avoid string concatenation for resource paths:
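Use framework-provided APIs (e.g., os.path.join() in Python, realpath() in PHP) and validate the final resolved path. These APIs build or resolve a path but do not restrict it: os.path.join() keeps ../ sequences and discards the base directory when the input is an absolute path, so the check on the resolved path is still required.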
Canonicalize paths:
Resolve symbolic links and relative path components, then verify the result is within the intended directory.
Separate user input from resource selection:
Use numeric IDs or tokens to reference resources, and map them server-side to actual resource identifiers.
Apply principle of least privilege:
Run the application with minimal file system and network permissions; restrict which resources it can access by default.
Log and monitor resource access:
Track unusual or repeated attempts to access unexpected resources, which may indicate an active attack.
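
The "Canonicalize paths" and "Separate user input from resource selection" items, as an added Python example that is not part of the original page. The function names, the DOCUMENTS map and the temporary directory tree are assumptions constructed for the demonstration.

```python
import os
import tempfile

def resolve_within(base_dir, user_path):
    """Canonicalize user_path under base_dir; raise if the result escapes it."""
    base = os.path.realpath(base_dir)
    # os.path.join() drops `base` when user_path is absolute and keeps "..",
    # so the containment check runs on the fully resolved path instead.
    candidate = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        raise PermissionError("resolved path is outside the base directory")
    return candidate

# Hypothetical server-side map: clients send a numeric ID, never a path.
DOCUMENTS = {1: "report.txt", 2: "summary.txt"}

def read_document(base_dir, doc_id):
    """Look the ID up server-side, then open the canonicalized path."""
    name = DOCUMENTS[doc_id]  # KeyError for an unknown ID
    with open(resolve_within(base_dir, name), "r") as f:
        return f.read()

def demo():
    """Build a constructed directory tree and classify sample inputs."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "data")
        os.mkdir(base)
        secret = os.path.join(root, "secret.txt")
        with open(secret, "w") as f:
            f.write("outside the base directory")
        with open(os.path.join(base, "report.txt"), "w") as f:
            f.write("quarterly report")
        # A symlink that lives inside the base but points outside it.
        os.symlink(secret, os.path.join(base, "link.txt"))
        samples = {"plain": "report.txt", "dotdot-inside": "sub/../report.txt",
                   "dotdot-escape": "../secret.txt", "absolute": secret,
                   "symlink": "link.txt"}
        for label, value in samples.items():
            try:
                resolve_within(base, value)
                results[label] = "allowed"
            except PermissionError:
                results[label] = "rejected"
        results["id:1"] = read_document(base, 1)
    return results

if __name__ == "__main__":
    print(demo())
```

The symlink case is the one a purely lexical check (such as rejecting any input containing "..") would miss.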

06 Signs You May Already Be Affected

Check application logs for repeated attempts to access files with path traversal sequences (../, ..\) or absolute paths in user-supplied parameters. Review file system access logs for unexpected reads of sensitive files (configuration files, private keys, system files) from the application's process. If you find unfamiliar files in upload directories or unexpected modifications to application files, investigate whether resource injection was used to write malicious content.
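
One way to run the log check described above, as an added Python example that is not part of the original page. The log lines are constructed samples in common log format, and the function names and the bounded decoding loop are assumptions of this sketch.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2025:10:01:02 +0000] "GET /download?file=report.pdf HTTP/1.1" 200 5120
203.0.113.9 - - [10/Mar/2025:10:01:05 +0000] "GET /download?file=../../wp-config.php HTTP/1.1" 200 3021
203.0.113.9 - - [10/Mar/2025:10:01:06 +0000] "GET /download?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 0
203.0.113.9 - - [10/Mar/2025:10:01:07 +0000] "GET /download?file=/etc/passwd HTTP/1.1" 404 0
198.51.100.4 - - [10/Mar/2025:10:02:00 +0000] "GET /download?file=..%5C..%5Cboot.ini HTTP/1.1" 404 0
198.51.100.4 - - [10/Mar/2025:10:02:09 +0000] "GET /search?q=a/b HTTP/1.1" 200 800
"""

LINE_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')
TRAVERSAL = re.compile(r"\.\.[\\/]")                      # ../ or ..\
ABSOLUTE = re.compile(r"^(?:[\\/]|[A-Za-z]:[\\/])")       # /x, \x or C:\x

def fully_decode(value, max_rounds=3):
    """Percent-decode until the value stops changing (bounded)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_suspicious(value):
    return bool(TRAVERSAL.search(value) or ABSOLUTE.match(value))

def scan(log_text):
    """Return (hits, per_client); each hit is (client, param, value, status)."""
    hits, per_client = [], Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, target, status = m.group(1), m.group(2), int(m.group(3))
        for name, value in parse_qsl(urlsplit(target).query):
            decoded = fully_decode(value)
            if is_suspicious(decoded):
                hits.append((client, name, decoded, status))
                per_client[client] += 1
    return hits, per_client

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG)[0]:
        print(hit)
```

Hits that returned status 200 deserve the first look, since the requested file may have been served; the absolute-path rule will need tuning for parameters that legitimately carry URL paths.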

07 Related Recent Vulnerabilities