LFI
Definition
Local File Inclusion (LFI) is a web application vulnerability that occurs when an application includes a file on the server whose name or path is taken from user-supplied input without proper validation. An attacker can manipulate that input to access files they are not authorized to read, potentially exposing sensitive information (configuration files, credentials, source code), executing arbitrary code if an included file contains attacker-controlled content, or escalating privileges. LFI vulnerabilities are typically reached through request parameters that are not properly sanitized, allowing attackers to traverse directories (for example with ../ sequences) and include files outside the intended scope.
Secure Settings Example
<?php
// Securely include files by using a whitelist (allowlist) approach:
// the user-supplied value is only ever compared against known names,
// never used directly as a path.
$allowed_files = ['home.php', 'about.php', 'contact.php'];
$file = isset($_GET['page']) ? $_GET['page'] : '';
// Strict comparison (third argument true) avoids PHP type juggling.
if (in_array($file, $allowed_files, true)) {
    include($file);
} else {
    // Handle error or redirect to a safe page
    include('error.php');
}
?>
Insecure Settings Example
<?php
// Insecure file inclusion without validation
$page = $_GET['page'];
include($page); // Allows LFI if user input is not sanitized
?>
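The allowlist in the secure example carries the mitigation for the insecure pattern above one step further. The following is an added example, not code from the original page: it maps request keys to files so the raw parameter is never used as a path, logs rejected requests for detection, and as defence in depth verifies with realpath() that the resolved template stays inside a fixed directory. The directory name ./pages, the route keys and the error.php fallback are assumptions made for this example.

```php
<?php
// Added example (not part of the original page): a page router that maps
// user-supplied keys to files, never using the raw input as a path.
// Assumption: templates live in ./pages/ relative to this script.
declare(strict_types=1);

const PAGE_DIR = __DIR__ . '/pages';

// Allowed route keys mapped to concrete files. Only the key is compared
// against user input; the file name itself never comes from the request.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Resolve a request parameter to an absolute template path, or null if the
 * request is not allowed. Returning null (instead of throwing) lets the caller
 * fall back to a safe error page.
 */
function resolve_page(?string $requested): ?string
{
    // A missing parameter selects the default page.
    if ($requested === null) {
        $requested = 'home';
    }

    // Exact key lookup: no type juggling, no traversal sequences can match.
    if (!array_key_exists($requested, PAGES)) {
        // Hex-encode the rejected value so the log line cannot be forged
        // with newlines or control characters (log injection).
        error_log('LFI attempt rejected: page=' . bin2hex($requested));
        return null;
    }

    // Defence in depth: even a mistaken allowlist entry must not escape PAGE_DIR.
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . PAGES[$requested]);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        error_log('Template outside PAGE_DIR rejected: ' . $requested);
        return null;
    }
    return $path;
}

// Arrays (?page[]=x) and other non-string input are treated as absent.
$param = $_GET['page'] ?? null;
$page  = resolve_page(is_string($param) ? $param : null);

if ($page === null) {
    http_response_code(404);
    include PAGE_DIR . '/error.php';
} else {
    include $page;
}
```

The realpath() check is deliberately redundant with the allowlist: the allowlist is the control that prevents LFI, while the containment check limits the damage if a developer later adds an entry pointing outside the template directory. The error_log() lines give a SIEM something concrete to alert on when a client repeatedly requests pages that are not in the map.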