Vol. 1 · Ed. 2026
CyberGlossary
Entry № 697

Local File Inclusion (LFI)

Reviewed by: Cybersecurity entrepreneur & security researcher

What is Local File Inclusion (LFI)?

Local File Inclusion (LFI): A vulnerability that lets an attacker make a server include and execute or display local files chosen via unsanitized input.


Local File Inclusion (LFI) arises when a web application includes a file path supplied by the user without validation, typically in scripting languages such as PHP, JSP, or classic ASP. The attacker can read source code, configuration files, or logs, and may escalate to remote code execution by including files that contain attacker-controlled content (for example log poisoning, /proc entries, session files, or uploaded images with embedded code). LFI overlaps with directory traversal but specifically targets the include or require functions of a runtime. Defences are allow-listing template names, using safe routing instead of dynamic includes, validating paths after canonicalization, and disabling include of remote URLs.

Examples

  1. An endpoint with page=../../../var/log/apache2/access.log that executes attacker-controlled User-Agent strings as PHP.

  2. An admin panel using ?lang=es that becomes vulnerable when ?lang=../../etc/passwd discloses system users.

Frequently asked questions

What is Local File Inclusion (LFI)?

A vulnerability that lets an attacker make a server include and execute or display local files chosen via unsanitized input. It belongs to the Attacks & Threats category of cybersecurity.

What does Local File Inclusion (LFI) mean?

A vulnerability that lets an attacker make a server include and execute or display local files chosen via unsanitized input.

How do you defend against Local File Inclusion (LFI)?

Defences for Local File Inclusion (LFI) combine technical controls (allow-listing template names, safe routing instead of dynamic includes, validating paths after canonicalization, and disabling inclusion of remote URLs) with operational practices, as detailed in the full definition above.

What are other names for Local File Inclusion (LFI)?

Common alternative names include: LFI.
