Local file inclusion

(also LFI, file inclusion, local file inclusion attack)

Local file inclusion definition

Local file inclusion is a vulnerability that lets attackers make a web application include, and often execute, files already present on the server by controlling the user-supplied input that selects the file. A successful local file inclusion attack can give the attacker access to the system, expose confidential information, or even lead to execution of malicious code.

The Open Web Application Security Project (OWASP) considers local file inclusion a severe threat and frequently features it in its Top 10 web application vulnerabilities list.

See also: cyberattack, XSS, input validation attack, least privilege access

How local file inclusion works

Local file inclusion occurs when an application does not properly validate or sanitize user-supplied input that specifies a file to include. The attacker provides malicious input, typically in the form of a file path or directory traversal sequence, to trick the application into including sensitive files or executing malicious code.

Local file inclusion techniques

  • Relative path traversal: The attacker includes “../” sequences in the input to traverse directories and access files outside the web application's intended scope.
  • Null byte injection: By appending a null byte (“%00”) to the input, the attacker can bypass security measures to include files with restricted extensions or characters.
  • Encoding: The attacker may use URL or other forms of encoding to evade input validation mechanisms.

Stopping local file inclusion attacks

  • Validate and sanitize user-supplied input to prevent attackers from traversing directories and accessing files outside of authorized locations.
  • Maintain an allowlist of authorized file paths, rejecting any requests to access other paths.
  • Use the file-inclusion functions your web application framework provides rather than constructing file paths by hand.
  • Implement the principle of least privilege for web applications to limit the potential impact of a local file inclusion attack.
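The traversal described under "How local file inclusion works" and the allowlist and validation controls listed above, shown side by side as an added example (not code from the original page): a page-loading routine that splices the request parameter into a path unchecked, next to a hardened version that rejects control characters, consults an allowlist, and confirms the canonical path still sits under the template root. The directory layout and page names are assumed for illustration.

```python
import os
from typing import Optional

# Constructed example: the app renders "pages" from one directory, and the
# page name arrives in a query parameter (e.g. ?page=home). Layout is assumed.
TEMPLATE_ROOT = "/var/www/app/templates"
ALLOWED_PAGES = frozenset({"home", "about", "contact"})


def resolve_page_unsafe(page: str) -> str:
    """Vulnerable pattern: the user-supplied name is joined onto the root
    with no validation. '../' segments walk out of TEMPLATE_ROOT, and an
    absolute input makes os.path.join discard the root entirely."""
    return os.path.join(TEMPLATE_ROOT, page + ".html")


def is_within_root(candidate: str, root: str = TEMPLATE_ROOT) -> bool:
    """Containment check: canonicalise both paths (collapsing '..' and
    following symlinks) and require the candidate to sit under the root."""
    real_root = os.path.realpath(root)
    real_candidate = os.path.realpath(candidate)
    return os.path.commonpath([real_root, real_candidate]) == real_root


def resolve_page_safe(page: str) -> Optional[str]:
    """Hardened pattern: reject bad characters, enforce the allowlist, then
    verify containment as defence in depth. None means 'do not serve'."""
    # Null bytes and other control characters never belong in a page name;
    # refuse them before any path or filesystem call sees the input.
    if "\x00" in page or not page.isprintable():
        return None
    # Allowlist of authorised pages: the primary control.
    if page not in ALLOWED_PAGES:
        return None
    candidate = os.path.join(TEMPLATE_ROOT, page + ".html")
    # Even an allowlisted name must resolve inside the template directory.
    if not is_within_root(candidate):
        return None
    return candidate


if __name__ == "__main__":
    for name in ["home", "../../../etc/passwd", "home\x00", "/etc/passwd"]:
        print(repr(name), "->", resolve_page_safe(name))
```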