Local File inclusion (LFI), or simply File Inclusion, refers to an inclusion attack through which an attacker can trick the web application into including files on the web server by exploiting a functionality that dynamically includes local files or scripts. The consequences of a successful LFI attack include Directory Traversal and Information Disclosure as well as Remote Code Execution.

Typically, Local File Inclusion (LFI) occurs, when an application gets the path to the file that has to be included as an input without treating it as untrusted input. This would allow a local file to be supplied to the included statement.Local File Inclusion is very much like Remote File Inclusion (RFI), with the difference that with Local File Inclusion, an attacker can only include local files (not remote files like in the case of RFI).

You can do ?page=home.html

Directory Traversal

A path traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with “dot-dot-slash (../)” sequences and its variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system including application source code or configuration and critical system files. It should be noted that access to files is limited by system operational access control (such as in the case of locked or in-use files on the Microsoft Windows operating system).

This attack is also known as “dot-dot-slash”, “directory traversal”, “directory climbing” and “backtracking”.


You can do ?page=../../../etc/passwd or something like that

Log Poinsoning

In order for that to happen, the directory should have read and execute permissions.

Applications typically use log files to store a history of events or transactions for later review, statistics gathering, or debugging. Depending on the nature of the application, the task of reviewing log files may be performed manually on an as-needed basis or automated with a tool that automatically culls logs for important events or trending information.

Writing invalidated user input to log files can allow an attacker to forge log entries or inject malicious content into the logs. This is called log injection.

Log injection vulnerabilities occur when:

  1. Data enters an application from an untrusted source.
  2. The data is written to an application or system log file.

Successful log injection attacks can cause:

  1. Injection of new/bogus log events (log forging via log injection)
  2. Injection of XSS attacks, hoping that the malicious log event isviewed in a vulnerable web application