6.3.1 Local File Inclusion (LFI)

https://www.indusface.com/learning/file-inclusion-attacks-lfi-rfi/

Local File Inclusion (LFI)

In an LFI attack, an attacker exploits a vulnerability in a web application to include local files stored on the server.

Typically, the attacker manipulates user-controllable input (e.g., URL parameters or cookies) to specify the file path to include.

Scenario Example

Let’s say there’s a web application with a page where users can view their user profile by providing a parameter like profile=profile.html. The server-side code may look like this in a vulnerable state :

<?php
$user_profile = $_GET[‘profile’];
include($user_profile . ‘.html’);
?>

In this example, the include function is used to include the file specified in the profile parameter. However, there’s no proper validation or filtering of user input. An attacker can take advantage of this vulnerability by manipulating the profile parameter.

For instance, an attacker might use a crafted URL like this:

http://example.com/view-profile.php?profile=../../../../etc/passwd

In this case, the attacker is trying to traverse directories (represented by the ../ sequences) and access a sensitive file (/etc/passwd) on the server.

Previous6.3 File Inclusion (LFI and RFI)Next6.3.2 Remote File Inclusion (RFI)