On Linux servers hosting applications within Amazon Web Services (AWS), the AWS Command Line Interface (CLI) and various Software Development Kits (SDKs) store authentication tokens in a hidden directory (`.aws`) inside the user's home directory. If the web server or container is mistakenly running under the root user, the path is `/root/.aws/credentials`. A typical AWS credentials file looks like this:
PHP allows you to restrict which stream wrappers can be used. In your php.ini file, set:
The payload `php://filter/read=convert.base64-encode/resource=/root/.aws/credentials` is a Local File Inclusion (LFI) attack designed to steal AWS credentials by reading them in Base64 format. Attackers exploit improper input sanitization in PHP applications to access sensitive configuration files from the root user's home directory. To prevent this, inputs must be sanitized, file paths validated, and the principle of least privilege applied so that web servers cannot access sensitive directories.
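One way to apply the input validation described above, shown as an added example and not code from the original page: the request value is only ever used as a key into an allowlist, so a `php://filter` value never reaches a file function. `VIEW_DIR`, `ALLOWED_VIEWS`, `resolve_view()` and the `page` parameter are hypothetical names chosen for this sketch.

```php
<?php
declare(strict_types=1);

// Added example. VIEW_DIR, ALLOWED_VIEWS and the "page" parameter are
// hypothetical names; the page does not name the application's own.
const VIEW_DIR = __DIR__ . '/views';
const ALLOWED_VIEWS = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
];

// Vulnerable pattern (for contrast only): the raw parameter reaches include,
// so a php://filter/... value is opened as a stream wrapper.
//   include $_GET['page'];

/**
 * Map a request value to a file inside VIEW_DIR, or return null.
 * The value is only ever used as an array key, never as a path.
 */
function resolve_view(string $requested): ?string
{
    if (!array_key_exists($requested, ALLOWED_VIEWS)) {
        return null; // wrappers, traversal and absolute paths all land here
    }
    $base = realpath(VIEW_DIR);
    $path = realpath(VIEW_DIR . DIRECTORY_SEPARATOR . ALLOWED_VIEWS[$requested]);
    if ($base === false || $path === false) {
        return null; // view directory or file is missing
    }
    // Defence in depth: a symlinked view must still resolve under VIEW_DIR.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// A repeated parameter (page[]=...) arrives as an array, so check the type.
$requested = $_GET['page'] ?? 'home';
$view = is_string($requested) ? resolve_view($requested) : null;
if ($view === null) {
    http_response_code(404);
    exit('Not found');
}
include $view;
```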
```
SecRule ARGS "php://filter|convert\.base64|resource=" "id:123456,deny,status:403,msg:'LFI PHP Filter Attempt'"
```
Attackers can use these keys to provision unauthorized resources, steal databases, or deploy ransomware across the cloud network.
For the `php://filter` trick to work, the application must pass user-controlled input to a file-handling mechanism without proper sanitization. Here are typical examples:
This URL appears to be requesting a view (`view.php`) with a specific filter to read and convert the contents of a file located at `/root/.aws/credentials` into a base64 encoded format.
| Component | Meaning |
|-----------|---------|
| `php://filter` | A PHP built-in stream wrapper that applies filters to a stream. |
| `read=convert.base64-encode` | A filter that encodes the data read from the resource in base64. |
| `resource=/root/.aws/credentials` | The target file – the AWS credentials file belonging to the root user. |