Local File Inclusion

By
Febna V M
Published on
24 Jun 2018
1 min read

Local File Inclusion (LFI) is an inclusion attack in which an attacker tricks a web application into including files that already exist on the web server. The attacker does this by abusing functionality that dynamically includes local files or scripts. The consequences of a successful LFI attack include directory traversal and information disclosure, as well as remote code execution.

The vulnerability allows an attacker to include a file, usually by exploiting a "dynamic file inclusion" mechanism implemented in the target application. It arises from the use of user-supplied input without proper validation.

Example

        <?php
        /**
        * Deliberately vulnerable example: the filename comes straight from a GET parameter.
        * Example request - https://www.example.beaglesecurity.com/?file=filename.php
        */
        $file = $_GET['file'];

        /**
        * Unsafely include the file. Nothing stops $file from containing
        * traversal sequences ("../") that escape the intended directory.
        * Example - filename.php
        */
        include('directory/' . $file);

Impact

  • Intrusion attack

Mitigation / Precaution

  • Avoid passing user-submitted input to any file system or framework API.
  • Maintain a white list of the files that may be included, and use an identifier to select the file rather than accepting a filename from the user. Invalid identifiers must be rejected.
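The white-list mitigation above, written out as an added example (not code from the original article). It assumes a `page` GET parameter, placeholder identifiers and filenames, and the `directory/` folder used in the vulnerable snippet.

```php
<?php
// Added example: allow-list of page identifiers instead of a user-supplied filename.
// Identifiers and filenames below are placeholders, not from the original article.
declare(strict_types=1);

// Identifier => file inside the include directory. Users only ever send the key.
const PAGE_MAP = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Resolve a user-supplied page identifier to an absolute path, or null if rejected.
 * Because only keys of PAGE_MAP are accepted, traversal sequences, null bytes and
 * stream wrappers (php://, data://) never reach include().
 */
function resolvePage(string $id, string $baseDir): ?string
{
    if (!array_key_exists($id, PAGE_MAP)) {
        return null;                                   // invalid identifier: reject
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . PAGE_MAP[$id]);
    if ($base === false || $real === false) {
        return null;                                   // file missing or unreadable
    }
    // Defence in depth: the resolved file must still live under $baseDir.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

$id   = $_GET['page'] ?? 'home';
$path = resolvePage($id, __DIR__ . '/directory');
if ($path === null) {
    http_response_code(400);
    exit('Unknown page');
}
include $path;
```

Rejected requests return 400 instead of falling through to include(), so a failed lookup is visible in access logs rather than silently serving an unexpected file.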

Written by
Febna V M
Cyber Security Engineer