
Remote File Inclusion (RFI)

A vulnerability that allows attackers to include and run files from remote servers, typically leading to immediate code execution.

Tags: vulnerability, file inclusion, code execution

Remote File Inclusion (RFI) is a vulnerability where an application includes a file from a remote URL based on user input. Unlike Local File Inclusion (LFI), RFI allows the attacker to host malicious code on their own server and have the target application fetch and run it. This makes RFI extremely dangerous — it typically leads directly to remote code execution.

RFI is most common in PHP applications where allow_url_include is enabled (disabled by default in modern PHP). However, similar patterns can exist in other languages when applications fetch and process remote content based on user input.

The attack flow is straightforward: the attacker hosts a malicious script on their server, crafts a URL that causes the target to include that script, and the target server downloads and runs it with the web application's privileges.
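The vulnerable include pattern described above next to an allowlisted version, as an added example in PHP (not APVISO's code; the template names, directory and query keys are assumed):

```php
<?php
// Added example: user-controlled include versus an allowlisted include.

// VULNERABLE: the include path comes straight from the request. With
// allow_url_include=On this is RFI; with it Off it is still an LFI sink.
function render_page_vulnerable(array $query): void
{
    include $query['page'];   // e.g. ?page=about.php
}

// HARDENED: map the user-supplied key to a fixed set of known templates and
// never hand the raw value to include(). Unknown keys fall back to a default.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function render_page_safe(array $query, string $templateDir): void
{
    $key  = $query['page'] ?? 'home';
    $file = PAGES[$key] ?? PAGES['home'];   // allowlist lookup, input never reused
    include $templateDir . '/' . $file;
}

// Defence in depth: confirm the interpreter itself refuses remote includes.
// allow_url_include is a real php.ini directive and is Off by default.
function remote_include_disabled(): bool
{
    return !filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}
```

Keeping allow_url_include off is a safety net, not a fix; the allowlist is what removes the vulnerability.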

How APVISO tests for this: APVISO's scanner agent tests file parameters with remote URLs pointing to controlled callback servers. It differentiates between RFI (code execution), SSRF (server-side request without execution), and simple URL validation failures.

Test your applications for Remote File Inclusion (RFI) vulnerabilities

APVISO's AI agents automatically test for this and many more vulnerability categories.
