Local file inclusion
(also LFI, file inclusion, local file inclusion attack)
Local file inclusion definition
Local file inclusion is a vulnerability that allows hackers to include and execute local files in web applications through user-supplied input. Local file inclusion can let attackers access a system, see confidential information, or even execute malicious code.
The Open Source Foundation for Application Security (OWASP) considers local file inclusion a severe threat and frequently features it in its Top 10 web application vulnerabilities list.
See also: cyberattack, XSS, input validation attack, least privilege access
How local file inclusion works
Local file inclusion occurs when an application does not properly validate or sanitize user-supplied input that specifies a file to include. The attacker provides malicious input, typically in the form of a file path or directory traversal sequence, to trick the application into including sensitive files or executing malicious code.
Local file inclusion techniques
- Relative path traversal: The attacker includes “../” sequences in the input to traverse directories and access files outside the web application’s intended scope.
- Null byte injection: By appending a null byte (“%00”) to the input, the attacker can bypass security measures to include files with restricted extensions or characters.
- Encoding: The attacker may use URL or other forms of encoding to evade input validation mechanisms.
Stopping local file inclusion attacks
- Validate and sanitize user-supplied input to prevent attackers from traversing directories and accessing files outside of authorized locations.
- Maintain an allowlist of authorized file paths, rejecting any requests to access other paths.
- Use framework functions for file inclusion in web application frameworks rather than manually constructing the file paths.
- Implement the principle of least privilege for web applications to limit the potential impact of a local file inclusion attack.