In a file inclusion attack, you add a file to the running process of a web app. The file is either constructed to be malicious or manipulated to serve your malicious purposes. In either case, a file inclusion attack can lead to a number of security incidents, including: malicious code executing on the web server, malicious code executing on the client that accesses the server, sensitive data leaking, or a denial of service. There are two basic types of file inclusion: remote and local.

In remote file inclusion (RFI), you inject an external file into a web app that doesn't apply proper input validation. You could, for instance, force a parameter in a web page to call an external link that includes the malicious file. As an example, consider a PHP page that includes a font parameter that has five different options, each one a different font type. You can manipulate this parameter to inject an option that isn't one of these fiveā€”in particular, you can point to an external URL that contains a malicious PHP file:


In local file inclusion (LFI), you add a file that already exists on the hosting server to the web app. This is achievable on servers that are vulnerable to directory traversal; you are essentially navigating through the server's file structure and executing a file. LFI can also leverage the poison null byte to bypass security mechanisms that restrict the request to .php files. This enables you to execute any file on the server, like opening a command prompt in Windows: