
Local File Inclusion (LFI)

A vulnerability that allows attackers to include files from the server's local filesystem, potentially exposing sensitive data or achieving code execution.

Tags: vulnerability, file inclusion, PHP security

Local File Inclusion (LFI) is a vulnerability where an application includes a local file whose path is built from user-controllable input. It is related to directory traversal, but the read goes through the application's own file inclusion mechanism (PHP's include/require, for example), which does not just return the file's bytes: if the file contains code, that code is executed in the application's context.

LFI commonly appears in PHP applications where template or page parameters are used in include statements, but it can also affect other languages with similar file inclusion patterns. Exploitation techniques include reading sensitive files like /etc/passwd or application configuration, accessing log files that contain attacker-controlled input (log poisoning), and combining LFI with file upload to achieve code execution.
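The pattern described above, modelled as an added example (not code from the original page or from APVISO): a page loader in the style of include("templates/" . $_GET['page'] . ".php"), written in Python against a constructed temporary web root so it runs offline. The vulnerable resolver concatenates the user string into the path; the hardened resolver restricts the page name to a plain identifier, canonicalises the result and checks that it stays inside the template directory. The file names, the config.php secret and the allowed character set are assumptions made for the demonstration.

```python
import os
import re
import tempfile
from typing import Callable, Optional

# Constructed sandbox: a fake web root with two legitimate templates and a
# config file that lives outside the template directory (the LFI target).
ROOT = tempfile.mkdtemp(prefix="lfi-demo-")
TEMPLATES = os.path.join(ROOT, "templates")
os.makedirs(TEMPLATES)
for name in ("home", "about"):
    with open(os.path.join(TEMPLATES, name + ".php"), "w") as f:
        f.write(f"<h1>{name}</h1>\n")
with open(os.path.join(ROOT, "config.php"), "w") as f:
    f.write("<?php $db_password = 'hunter2';\n")  # constructed secret, not a real credential


def vulnerable_resolve(page: str) -> Optional[str]:
    # Mirrors include("templates/" . $_GET['page'] . ".php"): the user string is
    # concatenated straight into the path, so "../config" escapes templates/.
    return os.path.join(TEMPLATES, page + ".php")


PAGE_NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")  # assumed allowed page-name shape


def hardened_resolve(page: str) -> Optional[str]:
    """Return the on-disk path for a page name, or None if the request is rejected."""
    # 1. Only plain identifiers are accepted. This rejects path separators,
    #    null bytes (the historic PHP truncation trick) and stream-wrapper
    #    syntax such as php://filter or data:// before any path is built.
    #    An explicit allow-list of page names is stricter still when feasible.
    if not PAGE_NAME_RE.fullmatch(page):
        return None
    # 2. Defence in depth: canonicalise and confirm the result is still inside
    #    the template directory, so a stray symlink cannot point elsewhere.
    base = os.path.realpath(TEMPLATES)
    candidate = os.path.realpath(os.path.join(base, page + ".php"))
    if os.path.commonpath([base, candidate]) != base:
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def read_page(resolver: Callable[[str], Optional[str]], page: str) -> Optional[str]:
    """Resolve a page with the given resolver and return its contents, or None."""
    path = resolver(page)
    if path is None:
        return None
    try:
        with open(path) as f:
            return f.read()
    except (OSError, ValueError):  # missing file, or Python refusing an embedded null byte
        return None


if __name__ == "__main__":
    for attempt in ("home", "../config", "php://filter/convert.base64-encode/resource=index"):
        print(f"{attempt!r:60} vulnerable={read_page(vulnerable_resolve, attempt)!r}"
              f" hardened={read_page(hardened_resolve, attempt)!r}")
```

The allow-list check on its own already stops every input shown here; the realpath containment check is kept because it also covers mistakes the character filter cannot see, such as a symlink dropped into the template directory by another vulnerability.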

Advanced LFI techniques include reading application source with the php://filter wrapper (php://filter/convert.base64-encode/resource=target returns the file base64-encoded instead of executing it, and chained convert.iconv filters extend this into the "filter chain" technique), including /proc/self/environ when the attacker controls an environment variable such as the User-Agent in CGI-style setups and the file is readable, and wrapper-based attacks using the data:// protocol (which requires allow_url_include) or expect:// (which requires the expect extension).

How APVISO tests for this: APVISO's scanner agent tests file inclusion parameters with traversal sequences, PHP wrappers, and null byte techniques (the null byte only truncates an appended suffix on PHP releases before 5.3.4, so it is a legacy check). It detects successful inclusion by monitoring for known file signatures in responses and tests for code execution via log poisoning and filter chains.

Test your applications for Local File Inclusion (LFI) vulnerabilities

APVISO's AI agents automatically test for this and many more vulnerability categories.

Start Testing Free