Remote File Inclusion

OWASP 2013-A1 OWASP 2017-A1 OWASP 2021-A3 OWASP 2019-API8 PCI v3.2-6.5.1 OWASP PC-C4 CAPEC-193 CWE-98 HIPAA-164.306(a) ISO27001-A.14.2.5 WASC-05 WSTG-INPV-11

Remote File inclusion (RFI) is an inclusion attack. Here an attacker can cause the web application to include a remote file by exploiting a web application. This vulnerability affects the web application that uses external files or scripts. The consequences of a successful RFI attack include Information Disclosure and Cross-site Scripting (XSS) to Remote Code Execution.

A server is said to be prone to a remote file inclusion vulnerability because it failed to properly verify user-supplied input. An attacker can include arbitrary remote files containing malicious PHP code and execute it in the context of the web server process. Resulting in the attacker to compromise the application and to gain access to the underlying system.


The impact include:-

  • Cross Site Scripting
  • Remote Code Execution

Mitigation / Precaution

This vulnerability can be fixed by:-

  • Avoiding passing of user-submitted input to any file-system or framework API.
  • Maintaining a white list of files that need to be included by the page, and then use an identifier to access to the selected file.

Latest Articles