
What is Local File Inclusion?

Local File Inclusion lets an attacker make a web application include a file they choose, exposing source code and secrets and, in the worst case, running their code. Here is what LFI is, how it escalates to remote code execution, and how to fix it.

TL;DR

Local File Inclusion (LFI) is a web vulnerability where an application includes a file whose path the user controls, so an attacker can read files they should not be able to reach (source code, configuration, /etc/passwd) and sometimes run their own code. It happens when user input reaches a file-include call (such as PHP include) without validation. LFI often escalates to remote code execution through log poisoning, PHP wrappers, or session files, which is why it ranks among the most serious input-handling flaws.

By Shubham Khandare, Delivery Manager, SecureLayer7

What Local File Inclusion is

Many applications build a file path from user input, for example ?page=about mapping to include("pages/about.php"). LFI occurs when that input is not validated, so an attacker substitutes a path of their choosing.

With a traversal sequence they climb out of the intended directory: ?page=../../../../etc/passwd reads an arbitrary file. Because the file is included, not just read, in languages like PHP the contents can be executed, which is what turns file disclosure into code execution.

How it works and example

The attacker manipulates the file parameter to read or run files:

  • Read a sensitive file: ?page=../../../../etc/passwd
  • Read source via a PHP filter wrapper: ?page=php://filter/convert.base64-encode/resource=config.php
  • Escalate to code execution by log poisoning: inject PHP into a User-Agent header that gets logged, then include the log file (/var/log/apache2/access.log).
  • Include an uploaded file or a session file containing attacker input.

Remote File Inclusion (RFI), the related flaw, occurs when the application includes a file from a remote URL, which the runtime configuration must permit; it gives direct code execution. These examples are shown for defensive context.
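The indicators listed above (traversal sequences, php:// wrappers, requests for /etc/passwd or log files, PHP tags planted in a logged header) are also what a defender looks for in web server logs. The script below is an added example, not code from the original article or from SecureLayer7: it parses Apache combined-format log lines and flags each line that shows one of those indicators. The log lines are constructed samples (documentation IP addresses, a harmless `<?php echo 1; ?>` marker in place of a real User-Agent payload), and the field names are my own.

```php
<?php
// Added example, not code from the original article: a detector that scans Apache
// combined-format access-log lines for the LFI indicators the article describes
// (traversal sequences, stream wrappers, sensitive paths, PHP tags in headers).
// The log lines are constructed samples; the IPs are documentation addresses.

const SAMPLE_LOG = <<<'LOG'
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1874 "-" "curl/8.0"
203.0.113.12 - - [10/Oct/2023:13:55:44 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=config.php HTTP/1.1" 200 3009 "-" "curl/8.0"
203.0.113.13 - - [10/Oct/2023:13:55:50 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "<?php echo 1; ?>"
203.0.113.14 - - [10/Oct/2023:13:55:55 +0000] "GET /index.php?page=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 404 231 "-" "curl/8.0"
LOG;

// Split one combined-format line into its fields; returns null if the line does not parse.
function parse_log_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return [
        'ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'target' => $m[4],
        'status' => (int) $m[5], 'referer' => $m[6], 'ua' => $m[7],
    ];
}

// Return the indicators that fire for one parsed entry (an empty array means nothing suspicious).
function lfi_indicators(array $e): array
{
    $hits = [];
    $qpos = strpos($e['target'], '?');
    $q = $qpos === false ? '' : substr($e['target'], $qpos + 1);
    // Decode twice so single- and double-percent-encoded payloads are normalised before matching.
    $q = rawurldecode(rawurldecode($q));

    if (preg_match('#\.\.[/\\\\]#', $q)) {
        $hits[] = 'path-traversal';
    }
    // Any scheme:// at the start of a parameter value (php://filter, or a remote URL in the RFI case).
    if (preg_match('#(?:^|[=&])[a-z][a-z0-9+.\-]*://#i', $q)) {
        $hits[] = 'stream-wrapper-or-url';
    }
    if (preg_match('#/etc/passwd|/var/log/#i', $q)) {
        $hits[] = 'sensitive-path';
    }
    // A PHP open tag in a logged header is the precondition for log poisoning.
    if (preg_match('/<\?(?:php|=)/i', $e['ua'] . ' ' . $e['referer'])) {
        $hits[] = 'php-tag-in-header';
    }
    return $hits;
}

// Scan a whole log; returns one row per flagged line with the fields a responder needs first.
function scan_log(string $log): array
{
    $flagged = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $e = parse_log_line($line);
        if ($e === null) {
            continue;
        }
        $hits = lfi_indicators($e);
        if ($hits !== []) {
            $flagged[] = [
                'ip' => $e['ip'], 'status' => $e['status'],
                'target' => $e['target'], 'indicators' => $hits,
            ];
        }
    }
    return $flagged;
}

foreach (scan_log(SAMPLE_LOG) as $row) {
    printf("%-14s %3d %-40s %s\n", $row['ip'], $row['status'], implode(',', $row['indicators']), $row['target']);
}
```

Run against the sample, the first line is silent and the other four are flagged: the two /etc/passwd requests (one of them percent-encoded) as traversal plus sensitive path, the php://filter request as a wrapper, and the request carrying a PHP tag in its User-Agent as a poisoning attempt. The status column matters for triage: a 200 with a body size that does not match the normal page is the line to investigate first, while a 404 still records that someone is probing.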

How to fix it

  • Never build include paths from user input. Map user choices to a fixed allow-list of files server-side, never to a raw path.
  • Disable remote includes (allow_url_include=Off in PHP) to kill RFI.
  • Validate and canonicalise any unavoidable path input and reject traversal sequences after normalisation.
  • Run with least privilege so an included file cannot reach sensitive locations.
  • Confirm with a penetration test that no parameter reaches a file-include sink.
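To make the first three fixes concrete, here is an added example (my code, not the article's or SecureLayer7's) showing the vulnerable `?page=` pattern the article describes beside two hardened forms: a fixed allow-list, and a canonicalisation check for the rare case where a path fragment really must come from input. The `pages/` directory, page names and function names are hypothetical; the self-check at the end creates a throwaway directory so the script runs stand-alone.

```php
<?php
// Added example, not code from the original article: the vulnerable include pattern the
// article describes, beside two hardened forms (fixed allow-list, then canonicalisation
// for the rare case where a path fragment must come from input). Directory names and
// page files are hypothetical; the self-check at the bottom creates them in a temp dir.

// --- Vulnerable (shown for contrast, never called): the request value is concatenated
// straight into the include path, so ?page=../../../../etc/passwd or ?page=php://filter/...
// reaches include() unchanged.
function render_page_vulnerable(string $page): void
{
    include 'pages/' . $page . '.php';
}

// --- Fix 1 (preferred): the request value is only a lookup key into a fixed allow-list.
const PAGE_ALLOWLIST = [
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

function resolve_page_allowlisted(string $page): ?string
{
    return PAGE_ALLOWLIST[$page] ?? null; // unknown key => null => 404, never a guessed path
}

// --- Fix 2 (only when unavoidable): reject wrappers, canonicalise, then require that the
// resolved file still sits under the intended directory. Rejecting "../" by string matching
// alone is not enough; the check has to run on the normalised absolute path.
function resolve_page_canonical(string $page, string $baseDir): ?string
{
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $page)) {
        return null; // php://, data://, http://... never reach the filesystem
    }
    $base = realpath($baseDir);
    $candidate = realpath($baseDir . DIRECTORY_SEPARATOR . $page . '.php');
    if ($base === false || $candidate === false) {
        return null; // base missing, or the file does not exist after normalisation
    }
    // The prefix includes the trailing separator so "pages-private" cannot match "pages".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

function render_page_hardened(string $page): void
{
    $file = resolve_page_allowlisted($page);
    if ($file === null) {
        http_response_code(404);
        echo "Not found\n";
        return;
    }
    include $file;
}

// --- Self-check: build a throwaway pages/ directory and run the article's inputs through
// both resolvers. Only "about" (and its normalised equivalent) should resolve.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lfi-demo-' . getmypid();
mkdir($root . '/pages', 0700, true);
file_put_contents($root . '/pages/about.php', "<?php echo \"about page\\n\";\n");

$inputs = [
    'about',
    '../../../../etc/passwd',
    'php://filter/convert.base64-encode/resource=config.php',
    '../pages/about', // normalises back inside pages/, so the canonical check allows it
];
foreach ($inputs as $in) {
    printf("%-58s allowlist=%-6s canonical=%s\n",
        $in,
        resolve_page_allowlisted($in) === null ? 'reject' : 'ok',
        resolve_page_canonical($in, $root . '/pages') === null ? 'reject' : 'ok');
}
unlink($root . '/pages/about.php');
rmdir($root . '/pages');
rmdir($root);
```

The allow-list version is the one to ship: the user never supplies a path at all, only a key, so traversal and wrapper strings have nothing to act on. The canonical resolver exists for legacy code that cannot be restructured; note that it accepts `../pages/about` because after `realpath()` that input resolves to a file inside the permitted directory, which is exactly why the containment check must be made on the normalised path rather than by rejecting `../` as a substring. Disabling `allow_url_include` is still required alongside either fix, since the resolvers above only guard the one include site they wrap.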

Test your application for LFI and 30+ other classes.

Our application penetration test is manual, evidence-led, and built so your developers can reproduce and fix every finding. Each engagement ships with proof-of-exploit and a free re-test.

See the methodology: 30-minute scoping call, fixed-price proposal in 48 hours.