SecurityInfinity
HIGH SEVERITY - CWE-98: Local File Inclusion

Local File Inclusion (LFI)

LFI is a vulnerability that allows an attacker to include files on a server through the web browser. This vulnerability occurs when an application includes a file without properly validating the input, allowing the attacker to manipulate the input and include any file on the web server.

Common Payloads

/etc/passwd
../../../../../../etc/passwd
....//....//....//....//etc/passwd
/etc/passwd%00
php://filter/convert.base64-encode/resource=config.php

How to Prevent?

  • Validate user input against an allow-list of files.
  • Store files in a database instead of on the filesystem when possible.
  • Use a filesystem path that is not accessible to the web server.
  • Use server-side functions that are not susceptible to file inclusion.
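
The allow-list check from the first item above, as an added example (not code from this page or its publisher). It goes slightly beyond the list by also confirming that the resolved file stays inside the base directory. The page names "home" and "about", the file names, and the helper names are hypothetical.

```python
import os
import tempfile

# Hypothetical allow-list: request value -> file name inside the template directory.
ALLOWED_PAGES = {"home": "home.html", "about": "about.html"}

# The strings listed under "Common Payloads" on this page, used as rejection cases.
PAGE_PAYLOADS = [
    "/etc/passwd",
    "../../../../../../etc/passwd",
    "....//....//....//....//etc/passwd",
    "/etc/passwd%00",
    "php://filter/convert.base64-encode/resource=config.php",
]


class RejectedInclude(ValueError):
    """Raised when a requested page must not be included."""


def resolve_page(requested, base_dir):
    """Return the absolute path of an allow-listed page, or raise RejectedInclude."""
    # 1. Allow-list: the request value is only a lookup key, never part of a path.
    filename = ALLOWED_PAGES.get(requested)
    if filename is None:
        raise RejectedInclude("not an allow-listed page: %r" % (requested,))
    # 2. Containment: after resolving symlinks and "..", the file must still sit
    #    inside base_dir, even if an allow-list entry is later edited unsafely.
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, filename))
    if os.path.commonpath([base, target]) != base:
        raise RejectedInclude("resolved path escapes the base directory")
    return target


def is_rejected(requested, base_dir):
    """True when resolve_page refuses the request."""
    try:
        resolve_page(requested, base_dir)
    except RejectedInclude:
        return True
    return False


if __name__ == "__main__":
    demo_dir = tempfile.mkdtemp()  # constructed, empty template directory
    for value in PAGE_PAYLOADS + ["home"]:
        print("%-60s rejected=%s" % (value, is_rejected(value, demo_dir)))
```

Because the request value is never concatenated into a path, encoded or doubled traversal sequences need no special decoding or stripping logic; anything that is not an exact allow-list key is refused.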
© 2026 SecurityInfinity. All rights reserved.