Local File Inclusion (LFI)
What is Local File Inclusion (LFI)?
Local File Inclusion (LFI) is a web application vulnerability that allows attackers to include and access files on a server by manipulating input fields or URL parameters.
LFI occurs when an application allows users to specify file paths that are then included in the response without proper validation or sanitization. This can lead to disclosure of sensitive files, source code, or even enable remote code execution if exploited further.
How Local File Inclusion Works
- The application accepts a file path via user input or query parameters (e.g., example.com/page?file=about.html).
- If the input is not validated, attackers can manipulate it to include unintended files (e.g., /etc/passwd).
- The server includes the file in its response, exposing its contents to the attacker.
Why LFI Is Dangerous
- Disclosure of sensitive files such as configuration files, SSH keys, or source code
- Potential remote code execution if combined with file uploads or existing server scripts
- Information leakage that can aid further attacks
How to Prevent Local File Inclusion
- Avoid including user input in file paths wherever possible
- Validate against a pre-defined whitelist of safe file names or paths
- Decode the input first, then reject or strip traversal sequences such as ../, backslashes and null bytes, so encoded variants cannot bypass the check
- Use frameworks and libraries that manage file inclusion securely
- Run the application with minimal permissions to reduce potential damage
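The following is an added example (not Intruder's or this page's own code) showing how the steps above fit together in Python: decode the parameter, match it against an explicit allowlist, and confirm the resolved path still sits inside an assumed base directory. The base directory and page names are constructed for the example.

```python
import posixpath
import urllib.parse
from typing import Optional

# Constructed for this example: the only directory the app may serve pages from,
# and the explicit allowlist of page names it is willing to include.
ALLOWED_BASE = "/var/www/app/pages"  # assumed location
ALLOWED_PAGES = {"about.html", "contact.html", "help.html"}


def is_contained(base: str, candidate: str) -> bool:
    """True if the normalised candidate path lies inside base and cannot escape it."""
    base_norm = posixpath.normpath(base)
    cand_norm = posixpath.normpath(candidate)
    # commonpath collapses '..' segments before comparing, so a path that climbs
    # out of base shares a shorter prefix than base itself.
    return posixpath.commonpath([base_norm, cand_norm]) == base_norm


def resolve_include(user_value: str) -> Optional[str]:
    """Map a ?file= parameter to a path the app may include, or None to reject it.

    Order matters: decode first so encoded traversal (%2e%2e%2f) is seen for what
    it is, then validate against the allowlist, then confirm containment.
    """
    decoded = urllib.parse.unquote(user_value or "")
    # Null bytes and path separators have no business in a plain page name.
    if "\x00" in decoded or "/" in decoded or "\\" in decoded:
        return None
    # Exact allowlist match: unknown names are rejected, not searched for on disk.
    if decoded not in ALLOWED_PAGES:
        return None
    candidate = posixpath.join(ALLOWED_BASE, decoded)
    # Defence in depth: even an allowlisted name must resolve inside the base dir.
    if not is_contained(ALLOWED_BASE, candidate):
        return None
    return candidate
```

is_contained is kept separate so an application that legitimately serves sub-directories can apply the containment check on its own after decoding.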
How Intruder Helps
Intruder scans web applications for LFI vulnerabilities and highlights unsafe file inclusion points. It provides actionable guidance to fix misconfigurations and prevent sensitive data exposure or code execution risks.
Want to protect your applications against LFI attacks? Start your free trial and secure your web apps today.