Local File Inclusion (LFI)

Local File Inclusion (LFI) explained with examples, and how to perform security testing for LFI vulnerabilities.

Introduction

The intent of this document is to assist with web app security assessment engagements by consolidating research on LFI testing techniques. LFI vulnerabilities are typically discovered during application assessments or penetration testing using the techniques contained within this document.

What is a Local File Inclusion (LFI) vulnerability?

Local File Inclusion (LFI) allows an attacker to include files on a server through the web browser. This vulnerability exists when a web application includes a file without correctly sanitising the input, allowing an attacker to manipulate the input, inject path traversal characters and include other files from the web server.

The following is an example of PHP code vulnerable to local file inclusion.
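A vulnerable include beside an allowlist-based fix, added here as an illustration; it is not the original page's listing, and the `page` parameter, the `pages/` directory and the file names are assumptions.

```php
<?php
// Added example. The "page" parameter, pages/ directory and file names are assumptions.

// Vulnerable pattern: request input is concatenated straight into include,
// so path traversal characters in "page" can reach files outside pages/.
function render_vulnerable(array $query): void
{
    include __DIR__ . '/pages/' . $query['page'];
}

// Hardened pattern: the request supplies a key, never a path.
const PAGES = ['home' => 'home.php', 'about' => 'about.php'];

function resolve_page(string $requested, string $baseDir): ?string
{
    if (!array_key_exists($requested, PAGES)) {
        return null;                       // unknown key: refuse, do not guess
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . PAGES[$requested]);
    if ($base === false || $path === false) {
        return null;                       // directory or file missing
    }
    // Defence in depth: the resolved file must still sit under the base
    // directory (catches symlinks planted inside pages/).
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed demo: build a throwaway pages/ directory and try several inputs.
$dir = sys_get_temp_dir() . '/lfi_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
foreach (PAGES as $file) {
    file_put_contents("$dir/$file", "<?php echo 'page $file';");
}
foreach (['home', 'about', '../../etc/passwd', 'home.php', ''] as $input) {
    $resolved = resolve_page($input, $dir);
    printf("%-20s => %s\n", var_export($input, true),
        $resolved === null ? 'rejected' : 'include ' . basename($resolved));
}
array_map('unlink', glob("$dir/*"));
rmdir($dir);
```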