Local File Inclusion

Local File Inclusion (LFI) is a vulnerability that allows an adversary to include and execute files from the local file system. This typically occurs when an application dynamically loads files based on user input without proper validation or sanitisation. LFI can be exploited to access sensitive files (e.g., configuration files, source code) or execute arbitrary code if the adversary can upload malicious scripts.

Remediation

  • Restrict file path inputs and disallow user-controlled input for file inclusion.
  • Limit file inclusion to a predefined set of files to prevent arbitrary file access.
  • Prevent the use of `../` sequences to block access to unintended directories.
  • Restrict file permissions so that only necessary files are readable by the application.

Metadata

  • Severity: high
  • Slug: local-file-inclusion

CWEs

  • 22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  • 23: Relative Path Traversal
  • 73: External Control of File Name or Path

OWASP

  • A03:2021: Injection

Available Labs

Open JavaScript labs in SecDim Play for this vulnerability.
