by peter


Local file inclusion Explained


Risk Rating: HIGH
Likelihood: 3/5
Impact: 5/5


  • Lack of Web Application firewall
  • Lack of monitoring
  • Poor coding

Local file inclusion Overview

A Local File Inclusion (LFI) attack is one where the attacker tricks the web application into exposing or running files that reside on the web server. These attacks occur when the web app treats malicious input as “trusted input.” An attacker may use path or directory traversal to learn about the files on the server, and then prompt the web app to run a local file. Local file inclusion can lead to information disclosure, XSS and remote code execution. LFI is listed as one of the OWASP Top 10 web application vulnerabilities.

What you need to know about local file inclusion attacks

The impact of a Local File Inclusion attack varies with how it is exploited and with the read permissions of the web server user. Based on these factors, an attacker can gather usernames via an /etc/passwd file, harvest useful information from log files, or combine this vulnerability with other attack vectors (such as a file upload vulnerability) to execute commands remotely. Some of the attack vectors for an LFI attack include:

  1. Information disclosure
  2. Directory Traversal
  3. Remote Code Execution

Identifying LFI attacks should be very simple for the SOC team. If you do not have a SOC team, then it will be down to alerts and monitoring from log files and firewalls. It is highly unlikely that you will be able to rely on a traditional firewall to provide any level of prevention of these types of attack.
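The log-based monitoring described above can be as simple as the following check, which is an added example and not part of the original article. It assumes combined-format access logs and a file path passed in a query-string parameter; the sample log lines, parameter names and the list of sensitive path prefixes are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:01:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120
203.0.113.9 - - [10/Mar/2024:10:01:05 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1893
203.0.113.9 - - [10/Mar/2024:10:01:09 +0000] "GET /index.php?page=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 310
198.51.100.4 - - [10/Mar/2024:10:02:11 +0000] "GET /view.php?file=/var/log/apache2/access.log HTTP/1.1" 200 88211
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3}) ')
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')  # "../" or "..\" after decoding
# Assumed list of absolute-path prefixes a page parameter should never carry.
SENSITIVE_RE = re.compile(r'^(?:/etc/|/proc/|/var/log/|[a-zA-Z]:\\)')


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_lfi_attempts(log_text):
    """Return (client_ip, parameter, decoded_value, status) per suspicious parameter."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, target, status = m.group(1), m.group(2), int(m.group(3))
        # parse_qsl decodes once; fully_decode handles further encoding layers.
        for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            value = fully_decode(value)
            if TRAVERSAL_RE.search(value) or SENSITIVE_RE.match(value):
                hits.append((ip, name, value, status))
    return hits


if __name__ == "__main__":
    for hit in find_lfi_attempts(SAMPLE_LOG):
        print(hit)
```

A flagged request that returned status 200 deserves review first, since the application may have served the requested file.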

Detecting where LFI attacks are possible requires quality web application penetration testing.

How a local file inclusion attack happens

When an application uses a file path as an input, the app treats that input as trusted and safe. A local file can then be injected into the include statement. This happens when your code is vulnerable. In this case, a hacker makes a request that fools the app into executing a malicious PHP script (a web shell, for example).

In some cases, if the application provides the ability to upload files, attackers can run any server-side malicious code they want. Most applications do not provide this capability, and even if they do, the attacker cannot guarantee that the app saves the file on the server where the LFI vulnerability is located. The attacker will also need to know the file path to their uploaded file on the server file system.

Attack Sources

Attacks can originate from anywhere. They are commonly seen as part of more targeted attacks against your web applications.