Home Web App Security Understanding Local File Inclusion (LFI) in Web Apps

Understanding Local File Inclusion (LFI) in Web Apps

Web App Security By · March 28, 2025 · 0 Comment

Local File Inclusion (LFI) vulnerabilities are a significant security risk in web applications that fail to properly validate user-supplied input, allowing attackers to include files from the local system. These vulnerabilities can lead to severe security breaches, such as unauthorized access to sensitive files, remote code execution, and system compromise. In this article, we will discuss LFI vulnerabilities in detail and demonstrate how to test and exploit such vulnerabilities using a DVWA (Damn Vulnerable Web Application) lab hosted on Metasploitable2.

What is Local File Inclusion (LFI)?

Local File Inclusion is a type of vulnerability that allows attackers to include files from the local filesystem into a web application. It typically occurs when a web application allows a user to specify a file path that the application subsequently includes and displays. If the input is not properly sanitized, malicious users can manipulate the file path to access files outside the intended directory, often gaining access to critical system files such as /etc/passwd, which stores user information on Unix-based systems.

LFI vulnerabilities are particularly dangerous because they can lead to various forms of attack, including:

  • Information Disclosure: Attackers can access sensitive files like configuration files or system logs.
  • Remote Code Execution: If an attacker can include files that contain malicious code, they may execute arbitrary commands on the server.
  • Privilege Escalation: Accessing critical files or system information could allow attackers to escalate their privileges on the server.

Setting Up the Testing Environment

To demonstrate how LFI works and how it can be exploited, we will use the DVWA (Damn Vulnerable Web Application) hosted on Metasploitable2. DVWA is an intentionally vulnerable web application designed for security testing and learning purposes. Metasploitable2 is a vulnerable virtual machine used to simulate real-world security issues.

  • Accessing DVWA: Start by navigating to the DVWA login page hosted on the Metasploitable2 virtual machine. In this case, the DVWA lab can be accessed through the URL: http://192.168.148.139/dvwa/login.php.
  • Logging In: Once logged in with valid credentials, set the security level of the DVWA application to low to make it easier to exploit vulnerabilities for testing purposes.
  • Accessing the File Inclusion Vulnerability: After setting the security level, navigate to the File Inclusion button located on the left sidebar of the DVWA interface. This will direct you to the vulnerable page: http://192.168.148.139/dvwa/vulnerabilities/fi/?page=include.php.

How Local File Inclusion Works

The key element in an LFI vulnerability is the page parameter used in the URL. The page parameter is designed to specify which file to include in the web page’s output. For example:

http://192.168.148.139/dvwa/vulnerabilities/fi/?page=include.php

Understanding-Local-File-Inclusion-(LFI)-in-Web-Apps-1

Here, the include.php file is included in the output of the application. However, if the application does not properly sanitize user input, an attacker could manipulate the page parameter to include files from other locations on the server.

Exploiting LFI with Directory Traversal

In our case, we can exploit the LFI vulnerability by using directory traversal characters (../) in the page parameter. These characters allow us to move up the directory structure and access files located outside the root directory of the web application.

The payload for this attack is:

../../../../../etc/passwd

This payload attempts to traverse up the directory structure (moving up five levels) and access the /etc/passwd file, which contains user account information on Unix-based systems. The resulting URL would be:

http://192.168.148.139/dvwa/vulnerabilities/fi/?page=../../../../../etc/passwd

Understanding-Local-File-Inclusion-(LFI)-in-Web-Apps-2

When this URL is accessed, the application will attempt to include the passwd file from the /etc directory, which is outside the web application’s root folder. If the application does not sanitize the input, the file will be included, and its contents will be displayed on the page.

What Happens When LFI is Exploited?

In this case, accessing the /etc/passwd file allows us to view sensitive information about user accounts on the system. The contents of the passwd file might look like this:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
...

This file contains user details, including usernames, user IDs, group IDs, home directories, and shell information. While /etc/passwd itself does not contain passwords (they are stored in /etc/shadow), this file can still provide valuable information for attackers attempting to escalate privileges or gain unauthorized access.

Mitigation Techniques

To prevent LFI vulnerabilities, web developers should implement proper input validation and file inclusion restrictions. Here are some key mitigation strategies:

  • Validate User Input: Always sanitize and validate user input, especially when it is used to access files. Avoid directly using user-supplied data in file paths.
  • Use Absolute Paths: Avoid using relative paths in file inclusion functions. Use absolute paths to ensure files are only included from trusted locations.
  • Disable URL Parameters for File Inclusion: If file inclusion is not required for the application, it is best to disable or restrict access to the functionality that uses the page parameter.
  • Web Application Firewalls (WAFs): Use WAFs to block common malicious payloads and requests associated with LFI attacks.

Conclusion

Local File Inclusion (LFI) vulnerabilities pose a serious risk to web applications and can lead to information disclosure, system compromise, and remote code execution. In this article, we demonstrated how LFI can be tested and exploited using the DVWA lab on Metasploitable2. By using directory traversal and manipulating the page parameter, we were able to access sensitive files like /etc/passwd.

It is crucial for developers to secure their web applications by validating user input and implementing safeguards against LFI vulnerabilities.

Related Posts

How Command Execution/Injection Attacks Work

Web App Security By · April 23, 2025 · 0 Comment
How-Command-Execution-Injection-Attacks-Work-home
Introduction Command execution or injection attacks are a type of vulnerability that can compromise the security of web applications. These attacks allow malicious users to execute arbitrary commands on the server, often leading to unauthorized access to sensitive data or... Read more

Understanding XSS Attacks: Types, Demos & Prevention

Web App Security By · April 11, 2025 · 0 Comment
Cross-Site Scripting (XSS) is one of the most common vulnerabilities that web applications face today. XSS attacks occur when an attacker injects malicious scripts into web pages viewed by others, which can lead to significant security risks such as data... Read more

Understanding File Upload Vulnerabilities in Web Applications

Web App Security By · March 26, 2025 · 0 Comment
Understanding-File-Upload-Vulnerabilities-in-Web-Applications-h
File upload functionality in web applications is a critical feature but can pose significant security risks if not properly implemented. One common vulnerability found in web applications is the file upload vulnerability, which attackers can exploit to gain unauthorized access,... Read more

How to Configure Burp Proxy and Browser for Security Testing

Web App Security By · March 19, 2025 · 0 Comment
Burp Suite is an essential tool for security professionals and ethical hackers, allowing them to intercept and analyze web traffic between a browser and a web server. One of its key features is the Burp Proxy, which intercepts HTTP(S) traffic... Read more

Burp Suite: Web Application Security Testing Tool

Web App Security By · March 12, 2025 · 2 Comments
Burp-Suite-Web-Application-Security-Testing-Tool
In today’s digital era, ensuring the security of web applications is more critical than ever. Cybersecurity threats like SQL Injection, Cross-Site Scripting (XSS), and other vulnerabilities pose significant risks to businesses and their users. One of the most effective tools... Read more

Common Sensitive Files Exposed in Web Apps

Web App Security By · March 10, 2025 · 2 Comments
Common-Sensitive-Files-Exposed-in-Web-Apps
In the world of web development and security, it is crucial to ensure that sensitive files are properly secured. Exposing sensitive files can significantly increase the vulnerability of your web application and provide attackers with valuable insights into the infrastructure,... Read more

Best Practices for Secure File Uploads in Web Apps

Web App Security By · March 10, 2025 · 0 Comment
Best-Practices-for-Secure-File-Uploads-in-Web-Apps-home
In modern web applications, file uploads are a fundamental feature, enabling users to share data such as images, documents, and videos. However, allowing file uploads also introduces significant security risks, as attackers can exploit vulnerabilities to execute malicious code, access... Read more

Uniscan : Web Vulnerability Scanner on Kali Linux

Web App Security By · March 4, 2025 · 0 Comment
uniscan
Uniscan is a powerful tool that helps users discover potential vulnerabilities in their websites, providing them with actionable insights to strengthen their security.In this article, we will take a detailed look at Uniscan, how it works, and how you can... Read more

Understanding HTTP Status Codes: A Comprehensive Guide

Web App Security By · February 3, 2025 · 0 Comment
Understanding-HTTP-Status-Codes-A-Comprehensive-Guide
In the world of web development, one of the most crucial components of a seamless user experience is the communication between servers and clients. This communication is facilitated by HTTP (Hypertext Transfer Protocol) status codes, which are numerical responses sent... Read more