Arbitray File Download
I just stumbled upon one great article.
A nice article about what the arbitrary file download is and how dangerous it would be if exploited. Later the difference between arbitrary file download and LFI/ RFI has been discusses, which is a often confused topic.
What is Arbitrary File Download?
As the name suggests, if the web application doesn’t check the file name required by the user, any malicious user can exploit this vulnerability to download sensitive files from the server.
What is LFI/ RFI:
Often confused, LFI/RFI is different from the Arbitrary File Download vulnerability. However, both are used in combination if directory traversal is turned on in the server. LFI and RFI stands for Local File Inclusion and Remote File Inclusion vulnerability. Both are of similar nature, except the mode of exploitation. Both take advantage of unfiltered input file parameters used by web applications, predominantly PHP. LFI, while exploited uses any local file which is available at the same machine where the web application is hosted, RFI, on the other hand includes any remotely hosted malicious file using URLs.
We can see the major difference here. With LFI/ RFI, the resource is loaded and executed in the context of the current application. But in case of Arbitrary File Download, we are basically abusing the download functionality of a web application, which fails to restrict the user input to a specific directory. The user input goes beyond the directory and is able to download other critical files of the system.
Later a real life scenario has been discussed about how to exploit the vulnerability with pictorial representation.
Finally the countermeasures are described.
You can find the article here: Arbitrary File Download: Breaking into the system
Also have a look at Web application Security Course offered by InfosecInstitute.