Last updated 2017-08-10

Local File Inclusion (LFI)

Learn more about Local File Inclusion (LFI) vulnerability

Local File Inclusion (LFI), or simply File Inclusion, is an inclusion attack in which an attacker tricks a web application into including files on the web server by exploiting functionality that dynamically includes local files or scripts.

The consequences of a successful LFI attack include Directory Traversal and Information Disclosure as well as Remote Code Execution.

Typically, Local File Inclusion (LFI) occurs when an application takes the path of the file to be included from input without treating that input as untrusted. This would allow a local file to be supplied to the include statement.
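
As an added example (not from the original page), the following PHP shows one way to treat the include path as untrusted input: the request value only selects a name from an allowlist, and the resolved path is confirmed to stay inside the pages directory. The function name resolve_include, the allowlist contents and the temporary pages directory are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// The pattern the text describes, shown only as a comment: the request value
// reaches the include statement without being treated as untrusted.
//   include $baseDir . '/' . $_GET['page'];

/**
 * Map an untrusted page name to a file that is safe to include, or null.
 * Assumption: includable files live directly under $baseDir and $allowed
 * lists every page name the application is meant to serve.
 */
function resolve_include(string $baseDir, array $allowed, string $requested): ?string
{
    // 1. Allowlist: the input only selects one of the known names.
    if (!in_array($requested, $allowed, true)) {
        return null;
    }
    // 2. Defence in depth: canonicalise and confirm the result stays in $baseDir.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo data: a throwaway pages directory with two pages.
$baseDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lfi_demo_' . getmypid();
mkdir($baseDir);
file_put_contents("$baseDir/home.php", "<?php echo 'home page';");
file_put_contents("$baseDir/about.php", "<?php echo 'about page';");

// Constructed request values: two legitimate names, two that must be refused.
foreach (['home', 'about', '../config', 'about/../../secret'] as $input) {
    $file = resolve_include($baseDir, ['home', 'about'], $input);
    printf("%-22s => %s\n", $input, $file === null ? 'rejected' : 'include ' . basename($file));
}

// Remove the constructed demo directory.
array_map('unlink', glob("$baseDir/*.php"));
rmdir($baseDir);
```

In an application, the returned path (never the raw request value) is what gets passed to the include statement, and a null result is answered with an error page.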

Local File Inclusion is very much like Remote File Inclusion (RFI), with the difference that with Local File Inclusion, an attacker can only include local files (not remote files like in the case of RFI).

Learn more on https://www.acunetix.com/blog/articles/local-file-inclusion-lfi/