Local File Inclusion (LFI)
==========================

A vulnerability that allows attackers to include files from the server's local filesystem, potentially exposing sensitive data or achieving code execution.

Tags: vulnerability, file inclusion, PHP security

Local File Inclusion (LFI) is a vulnerability where an application includes a local file based on user-controllable input. This is similar to directory traversal but specifically involves the application's file inclusion mechanism, which may also run the included file's code.

LFI commonly appears in PHP applications where template or page parameters are used in include statements, but it can also affect other languages with similar file inclusion patterns. Exploitation techniques include reading sensitive files like /etc/passwd or application configuration, accessing log files that contain attacker-controlled input (log poisoning), and combining LFI with file upload to achieve code execution.

Advanced LFI techniques include PHP filter chains for reading source code (php://filter/convert.base64-encode), using /proc/self/environ for code execution, and wrapper-based attacks using data:// or expect:// protocols.

How APVISO tests for this: APVISO's pentester agent tests file inclusion parameters with traversal sequences, PHP wrappers, and null byte techniques. It detects successful inclusion by monitoring for known file signatures in responses and tests for code execution via log poisoning and filter chains.
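The include pattern described above, with a hardened resolver beside it. This is an added example, not APVISO's or any project's own code; the `PAGES` allowlist, the `resolve_page` helper and the temporary template directory are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Vulnerable pattern described above, left as a comment so it never runs:
//     include $_GET['page'] . '.php';
// Traversal sequences and php:// or data:// wrappers reach include unchanged.

// Hypothetical allowlist: request value => template file name.
const PAGES = ['home' => 'home.php', 'about' => 'about.php'];

/**
 * Return the absolute path of an allowlisted template, or null to refuse.
 */
function resolve_page(string $requested, string $baseDir, array $pages = PAGES): ?string
{
    // 1. User input only selects a key; it never becomes part of a path.
    if (!array_key_exists($requested, $pages)) {
        return null;
    }
    // 2. Defence in depth: canonicalise, then confirm the file is inside the base.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $pages[$requested]);
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed demo: a throwaway template directory and sample request values.
$baseDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lfi_demo_' . bin2hex(random_bytes(4));
mkdir($baseDir);
file_put_contents($baseDir . DIRECTORY_SEPARATOR . 'home.php', "<?php echo 'home page';\n");

$samples = [
    'home',
    '../../etc/passwd',
    'php://filter/convert.base64-encode',
    'data://text/plain',
    "home\0.txt",
];
foreach ($samples as $value) {
    $path = resolve_page($value, $baseDir);
    $shown = json_encode($value, JSON_UNESCAPED_SLASHES);
    printf("%-45s %s\n", $shown, $path === null ? 'refused' : 'include ' . basename($path));
    // In the application: respond 404 when $path is null, otherwise include $path.
}

unlink($baseDir . DIRECTORY_SEPARATOR . 'home.php');
rmdir($baseDir);
```

Only the allowlisted key resolves to a file; the traversal, wrapper and null-byte values are refused before any filesystem call sees them.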

Related Terms
-------------

- [Directory Traversal](/glossary/directory-traversal)
- [Remote File Inclusion (RFI)](/glossary/rfi)
- [Remote Code Execution (RCE)](/glossary/rce)

© 2026 APVISO. All rights reserved.
