Local File Inclusion (LFI/RFI)
detect, understand, remediate

File inclusion vulnerabilities let attackers read arbitrary server files (LFI) or load external malicious scripts (RFI) by manipulating file path parameters, potentially leading to credential theft or remote code execution.

No credit card required. Free plan available forever.

Severity

High

CWE ID

CWE-98

OWASP Top 10

A01:2021 – Broken Access Control

CVSS 3.1 Score

9.1

What is local file inclusion?

Local file inclusion (LFI) is a critical web application vulnerability that allows an attacker to read, and in some cases execute, arbitrary files on the server by manipulating file path parameters. When an application dynamically includes files based on user-supplied input without adequate validation, attackers can use path traversal sequences (such as ../) to escape the intended directory and access sensitive files like /etc/passwd, configuration files containing database credentials, or application source code. LFI is classified under CWE-98 and is closely related to Remote File Inclusion (RFI), where attackers can include files from external servers.

The impact of LFI vulnerabilities extends well beyond simple information disclosure. In PHP environments, LFI can be escalated to remote code execution through techniques like log poisoning (injecting PHP code into log files, then including them), PHP filter wrapper abuse, or session file inclusion. In other languages and frameworks, LFI can expose environment variables, API keys, database connection strings, and internal network configurations that enable further attacks.

Despite being a well-known vulnerability class, LFI continues to appear in modern applications. Template engines that load partials dynamically, file download endpoints that accept path parameters, and API endpoints that serve static assets based on user input are all common sources. The risk is amplified in containerized environments where sensitive files like /proc/self/environ or Docker secrets may be accessible through LFI. Effective detection requires both static analysis of file handling code and runtime testing with traversal payloads.

How it works

1. Identify file path parameter

The attacker discovers a URL parameter, form field, or API argument that controls which file the server includes or reads, such as ?page=about or ?template=header.

2. Inject path traversal sequences

The attacker replaces the expected value with directory traversal sequences like ../../etc/passwd, or uses encoding tricks to bypass basic filters: double URL encoding (%252e%252e%252f) against code that decodes the value again after checking it, nested sequences (....//) against filters that strip ../ only once, and null bytes (%00) to truncate an appended suffix such as .php on PHP versions older than 5.3.4.

3. Include local server files

The server processes the manipulated path and includes or reads the targeted file, returning its contents in the response or using it in server-side template rendering.

4. Read sensitive data or achieve RCE

The attacker extracts configuration files, credentials, source code, or environment variables. In advanced scenarios, they inject code into log files and include them to achieve code execution.
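The four steps above, as an added example that is not part of the original page: a minimal file-serving handler with the ?page= pattern, two fixes that practitioners commonly reach for first, and the payloads that defeat them. The directory layout, file names, and the db_password value are constructed for the demonstration; nothing here touches a real system.

```python
import os
import tempfile
from urllib.parse import unquote


def build_fixture():
    """Constructed document root (not a real deployment): pages/ is the
    directory the app is meant to serve from; config.ini sits outside it."""
    root = tempfile.mkdtemp(prefix="lfi_demo_")
    os.makedirs(os.path.join(root, "pages"))
    with open(os.path.join(root, "pages", "about.html"), "w") as f:
        f.write("<h1>About us</h1>")
    with open(os.path.join(root, "config.ini"), "w") as f:
        f.write("db_password=hunter2")  # constructed secret
    return root


def serve_page_vulnerable(root, page):
    """Step 1: the ?page= value is used directly to build the file path."""
    path = os.path.join(root, "pages", page)
    with open(path) as f:
        return f.read()


def serve_page_strip_once(root, page):
    """Broken fix: remove '../' once and carry on."""
    return serve_page_vulnerable(root, page.replace("../", ""))


def serve_page_check_then_decode(root, page):
    """Broken fix: check the value, then URL-decode it again before use.
    The web server already decoded it once, so this is a double decode."""
    if "../" in page:
        raise ValueError("traversal detected")
    return serve_page_vulnerable(root, unquote(page))


def run_attack():
    """Steps 2 and 3: every payload escapes pages/ and returns config.ini."""
    root = build_fixture()
    return {
        "normal": serve_page_vulnerable(root, "about.html"),
        # Plain traversal: pages/../config.ini resolves to root/config.ini.
        "traversal": serve_page_vulnerable(root, "../config.ini"),
        # '....//' becomes '../' after one pass of the strip filter.
        "strip_bypass": serve_page_strip_once(root, "....//config.ini"),
        # The app sees '%2e%2e%2f' after the server's decode, which passes
        # the check; the app's own unquote() then turns it into '../'.
        "double_encoding": serve_page_check_then_decode(root, "%2e%2e%2fconfig.ini"),
        # An absolute path makes os.path.join discard the base entirely.
        "absolute": serve_page_vulnerable(root, os.path.join(root, "config.ini")),
    }


if __name__ == "__main__":
    for name, body in run_attack().items():
        print(f"{name:16s} -> {body}")
```

Every entry except "normal" returns the contents of config.ini. The strip-once and check-then-decode variants are worth keeping in mind when reviewing code: both look like input validation and both fail because the check runs on a different string than the one the file system sees.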

Common causes

Dynamic file includes with user input

Using user-supplied values directly in functions like include(), require(), file_get_contents(), or readFile() without validating the resulting path against a restricted directory.

Missing path validation

Failing to canonicalize file paths and verify they remain within the intended base directory, allowing directory traversal sequences to escape the document root.

PHP include/require with variables

PHP applications that use variables in include() or require() statements are especially vulnerable because PHP will execute any included file as code, turning LFI into RCE.

Template file loading without restrictions

Template engines that load partial templates, layouts, or view files based on user-controlled parameters without restricting the allowed file paths to a specific template directory.

How to detect it

Automated detection

  • SecPortal's authenticated scanner tests file path parameters with traversal payloads targeting common sensitive files (/etc/passwd, /etc/shadow, win.ini) and detects successful inclusion
  • Code scanning identifies dangerous patterns where user input flows into file inclusion functions, read operations, or template loading calls without path validation
  • Null byte injection testing (%00) and encoding variation analysis detect applications that use basic string filtering but fail against advanced bypass techniques

Manual testing

  • Submit path traversal payloads (../../etc/passwd, ..\..\windows\win.ini) in file parameters and check if server-side file contents appear in the response
  • Test PHP-specific wrappers (php://filter/convert.base64-encode/resource=) to read source code of application files through the inclusion mechanism
  • Attempt log poisoning by injecting PHP code into access logs via User-Agent, then including the log file through the LFI to achieve code execution
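The encoding variations, null bytes, PHP wrappers, and log-poisoning markers listed under automated and manual testing are also what a detection rule has to normalise before it can match anything. As an added example (not part of the original page or of SecPortal's scanner), the following scans constructed access-log lines in combined format: it URL-decodes each query parameter until it stops changing, unifies separators, strips null bytes, and then looks for traversal sequences, stream wrappers, sensitive targets, and a PHP open tag in the User-Agent or Referer. The log lines, IPs, and paths are invented for the demonstration; the indicator lists are illustrative, not exhaustive.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines in combined format (not from any real system).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1024 "-" "curl/8.0"
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?page=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1024 "-" "curl/8.0"
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?page=..\\..\\windows\\win.ini HTTP/1.1" 404 12 "-" "curl/8.0"
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=config.php HTTP/1.1" 200 2048 "-" "curl/8.0"
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?page=../../var/log/apache2/access.log%00 HTTP/1.1" 200 9000 "-" "<?php system($_GET['c']); ?>"
10.0.0.7 - - [01/Jan/2024:10:00:06 +0000] "GET /static/css/site.css HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$'
)
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")
SENSITIVE = ("/etc/passwd", "/etc/shadow", "win.ini", "/proc/self/environ", "access.log")
WRAPPERS = ("php://", "data:", "expect://", "phar://", "zip://")


def decode_fully(value, max_rounds=3):
    """URL-decode until the value stops changing, so %252e.. and %2e.. both
    collapse to the same text."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_value(name, raw):
    """Indicators for one query parameter, in a fixed order."""
    decoded = decode_fully(raw)
    findings = []
    if "\x00" in decoded:
        findings.append(f"{name}: null byte")
    v = decoded.replace("\x00", "").replace("\\", "/").lower()
    if TRAVERSAL.search(v):
        findings.append(f"{name}: traversal")
    if any(v.startswith(w) for w in WRAPPERS):
        findings.append(f"{name}: stream wrapper")
    if any(s in v for s in SENSITIVE):
        findings.append(f"{name}: sensitive target")
    return findings


def scan_log(text):
    """Return one record per request that carries an LFI indicator."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _ts, _method, target, status, referer, ua = m.groups()
        findings = []
        query = target.partition("?")[2]
        for pair in query.split("&"):
            name, _, raw = pair.partition("=")
            if raw:
                findings += inspect_value(name, raw)
        # A PHP open tag in a header that is written to the log is the
        # precursor of the log-poisoning step described above.
        for header, value in (("user-agent", ua), ("referer", referer)):
            if "<?php" in value.lower():
                findings.append(f"{header}: php code (log poisoning)")
        if findings:
            hits.append({"ip": ip, "status": status, "target": target, "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["status"], hit["target"], "|", ", ".join(hit["findings"]))
```

Five of the seven lines are flagged; the double-encoded and backslash variants produce the same findings as the plain payload because matching happens on the normalised value. The 404 on the win.ini line is still reported: a failed probe is evidence of an attacker enumerating the parameter, and the same source then succeeds against other targets.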

How to fix it

Whitelist allowed file paths

Maintain a strict allow-list of permitted file names or paths. Map user input to predefined entries rather than using the input directly in file system operations. For example, use an index lookup (?page=1 maps to about.html) instead of accepting arbitrary file names.

Avoid dynamic file includes

Eliminate dynamic file inclusion wherever possible. Use static routing, compiled templates, or server-side rendering patterns that do not depend on user-controlled file paths.

Chroot or sandbox file operations

Restrict the application's file system access to a specific directory using chroot, containerisation, or file system permissions; in PHP, open_basedir additionally limits the paths the interpreter will open. Ensure the application process cannot access files outside its designated directory even if traversal sequences bypass input validation. Treat this as a second layer, not a substitute for path validation: files the application legitimately needs inside that directory (logs, session files, uploads) remain reachable.

Disable remote file inclusion

In PHP environments, set allow_url_include=Off (the default since the directive was introduced in PHP 5.2; it is deprecated as of PHP 7.4) so that include() and require() refuse URLs, and set allow_url_fopen=Off where the application does not need to open remote URLs itself. This blocks remote file inclusion, the escalation path that loads attacker-hosted code directly. It does not stop LFI from being escalated through local files such as poisoned logs, session files, or uploaded content, so path validation is still required.

Canonicalize and validate paths

Resolve all file paths to their canonical form using realpath() or equivalent functions, then verify the resolved path starts with the expected base directory followed by a path separator, so that /srv/app does not also accept /srv/app2. Canonicalize the base directory the same way, since realpath() also resolves symbolic links and the two sides must agree. Run the check after all decoding has been done, never on the raw parameter. Reject any path that resolves outside the allowed directory tree.
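The allow-list mapping described above and the canonicalisation check, together as an added example that is not part of the original page. PAGE_INDEX, the directory layout, and the helper names are constructed for the demonstration. The block also keeps the incomplete prefix check beside the corrected one so the /srv/app versus /srv/app2 collision can be seen rather than described, and it covers a symlink inside the base that points outside it.

```python
import os
import tempfile

# Constructed allow-list: the request carries an index, never a file name.
PAGE_INDEX = {"1": "about.html", "2": "contact.html"}


def resolve_allowlisted(base_dir, page_id):
    """Map ?page=1 to a predefined file; anything not in the table is refused."""
    name = PAGE_INDEX.get(page_id)
    if name is None:
        raise ValueError("unknown page id")
    return os.path.join(base_dir, name)


def resolve_within_naive(base_dir, user_path):
    """Common but incomplete check: prefix test without the separator."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    if not candidate.startswith(base):
        raise ValueError("path escapes base directory")
    return candidate


def resolve_within(base_dir, user_path):
    """Canonicalize both sides and require that the candidate lives strictly
    below the base. realpath() resolves '..' and symlinks; appending the
    separator stops '/srv/app' from matching '/srv/app2'."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    if not candidate.startswith(base + os.sep):
        raise ValueError("path escapes base directory")
    return candidate


def outcome(fn, *args):
    """Collapse a resolver call to 'allowed' or 'rejected' for comparison."""
    try:
        fn(*args)
        return "allowed"
    except ValueError:
        return "rejected"


def run_checks():
    """Constructed layout: root/app is the base, root/app2 and root/config.ini
    are outside it, and root/app/link is a symlink that points outside."""
    root = tempfile.mkdtemp(prefix="lfi_fix_")
    app = os.path.join(root, "app")
    os.makedirs(app)
    os.makedirs(os.path.join(root, "app2"))
    for rel in ("app/about.html", "app2/secret.txt", "config.ini"):
        with open(os.path.join(root, rel), "w") as f:
            f.write(rel)
    try:
        os.symlink(os.path.join(root, "config.ini"), os.path.join(app, "link"))
        symlink = outcome(resolve_within, app, "link")
    except OSError:
        symlink = "unsupported"  # platforms where unprivileged symlinks fail
    return {
        "allowlist_ok": outcome(resolve_allowlisted, app, "1"),
        "allowlist_bad": outcome(resolve_allowlisted, app, "../config.ini"),
        "normal": outcome(resolve_within, app, "about.html"),
        "traversal": outcome(resolve_within, app, "../config.ini"),
        "absolute": outcome(resolve_within, app, os.path.join(root, "config.ini")),
        "prefix_collision_naive": outcome(resolve_within_naive, app, "../app2/secret.txt"),
        "prefix_collision": outcome(resolve_within, app, "../app2/secret.txt"),
        "symlink": symlink,
    }


if __name__ == "__main__":
    for case, result in run_checks().items():
        print(f"{case:24s} {result}")
```

Two design points: realpath() does not fail for a path that does not exist, it resolves the components that do and keeps the rest, so the containment check still works and the subsequent open() reports the missing file; and the symlink case is rejected only because the candidate is canonicalised after joining, which a check on the joined-but-unresolved string would miss.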

Compliance impact

Detect file inclusion vulnerabilities

SecPortal tests for LFI, RFI, null byte injection, and path traversal across all file-handling endpoints. Start free.