Local file inclusion
(also LFI, file inclusion, local file inclusion attack)
Local file inclusion definition
Local file inclusion is a vulnerability that allows hackers to include and execute local files in web applications through user-supplied input. Local file inclusion can let attackers access a system, see confidential information, or even execute malicious code.
The Open Source Foundation for Application Security (OWASP) considers local file inclusion a severe threat and frequently features it in its Top 10 web application vulnerabilities list.
How local file inclusion works
Local file inclusion occurs when an application does not properly validate or sanitize user-supplied input that specifies a file to include. The attacker provides malicious input, typically in the form of a file path or directory traversal sequence, to trick the application into including sensitive files or executing malicious code.
Local file inclusion techniques
- Relative path traversal: The attacker includes “../” sequences in the input to traverse directories and access files outside the web application’s intended scope.
- Null byte injection: By appending a null byte (“%00”) to the input, the attacker can truncate the file path and bypass checks that restrict the file extension or other trailing characters.
- Encoding: The attacker may use URL or other forms of encoding to evade input validation mechanisms.
Stopping local file inclusion attacks
- Validate and sanitize user-supplied input to prevent attackers from traversing directories and accessing files outside of authorized locations.
- Maintain an allowlist of authorized file paths, rejecting any requests to access other paths.
- Use the web application framework’s own file-inclusion functions rather than constructing file paths by hand.
- Implement the principle of least privilege for web applications to limit the potential impact of a local file inclusion attack.
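The resolver below is an added example, not code from the original page: it contrasts a naive path construction that is open to the traversal, null byte and encoding techniques listed above with a hardened version that applies the allowlist and containment checks from the mitigation list. The template directory and page names are constructed sample values.

```python
import os
import urllib.parse
from typing import Optional

# Constructed sample values: the only directory the app may serve templates
# from, and the allowlist of page names it knows about.
TEMPLATE_DIR = os.path.realpath("/var/www/app/templates")
ALLOWED_PAGES = {"home", "about", "contact"}


def vulnerable_resolve(page: str) -> str:
    """Naive resolver: the user-supplied 'page' value is trusted verbatim.
    A value like '../../../../etc/passwd' walks out of TEMPLATE_DIR."""
    return os.path.join(TEMPLATE_DIR, page + ".php")


def escapes_base(path: str) -> bool:
    """True if the normalised path lies outside TEMPLATE_DIR."""
    resolved = os.path.realpath(path)
    return os.path.commonpath([TEMPLATE_DIR, resolved]) != TEMPLATE_DIR


def safe_resolve(raw_page: str) -> Optional[str]:
    """Hardened resolver: returns the path to include, or None to reject.
    Assumes raw_page is the undecoded query-string value."""
    # Decode once so URL-encoded input ('%2e%2e%2f', '%00') is compared
    # in the clear; the allowlist below is applied to the decoded value.
    page = urllib.parse.unquote(raw_page)
    # Reject null bytes, which some runtimes use to truncate the path.
    if "\x00" in page:
        return None
    # Allowlist: only known page names are ever turned into a path.
    if page not in ALLOWED_PAGES:
        return None
    candidate = os.path.realpath(os.path.join(TEMPLATE_DIR, page + ".php"))
    # Defence in depth: the resolved path must still sit under TEMPLATE_DIR.
    if escapes_base(candidate):
        return None
    return candidate


if __name__ == "__main__":
    for value in ["home", "../../../../etc/passwd", "home%00", "%2e%2e%2fconfig"]:
        print(f"{value!r}: vulnerable -> {vulnerable_resolve(value)}, "
              f"safe -> {safe_resolve(value)}")
```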