Glossary

LOCAL FILE INCLUSION / LFI
defined.

A vulnerability where an application includes or reads files from the server filesystem based on user input, letting an attacker read sensitive files or in some cases achieve RCE.

A–Z

What is Local File Inclusion (LFI)?

The typical pattern: ?page=about becomes include("pages/" . $_GET['page'] . ".php") — and an attacker passes ../../../../etc/passwd%00. Chained with log poisoning or session-file techniques, LFI often escalates to RCE.

Related terms.

Remote File Inclusion (RFI)
Remote Code Execution (RCE)
Server-Side Request Forgery (SSRF)
XML External Entity (XXE)

Where this shows up.

See our web application penetration testing, API security testing, network penetration testing, and cloud security audit services for how we test for and defend against this class of issue.

Test for this in your stack

BOOK A FREE
scoping call.

30-minute call with an OSCP-certified engineer. Tailored proposal in 24 hours.

Book Free Scoping Call →All Services

LOCAL FILE INCLUSION / LFIdefined.

What is Local File Inclusion (LFI)?

Related terms.

Where this shows up.

BOOK A FREEscoping call.

LOCAL FILE INCLUSION / LFI
defined.

BOOK A FREE
scoping call.