Web Security Series #17 — Exploiting Local File Inclusion (LFI) Using ffuf

Introduction

Local File Inclusion (LFI) remains one of the most common vulnerabilities in web applications that rely on dynamic file loading. While manual testing techniques using tools like Burp Suite are effective, automation tools can significantly improve efficiency during exploitation.

In this lab, I demonstrate how ffuf (Fuzz Faster U Fool) can be used to efficiently identify and exploit an LFI vulnerability by fuzzing file paths and analyzing response patterns.

This approach highlights how automation enhances vulnerability discovery during real-world penetration testing.

Understanding Local File Inclusion (LFI)

Definition

Local File Inclusion (LFI) occurs when an application uses user-controlled input to include files from the server without proper validation. By manipulating file path parameters, an attacker can access sensitive system files such as:

/etc/passwd

/etc/passwd

When to Use This Technique

This approach is useful when:

• A file-related parameter is identified (filename=, file=, path=)
• Manual testing is slow or ineffective
• Large-scale payload testing is required
• You want to automate discovery of valid file paths

In this lab, instead of relying on manual fuzzing, we leverage ffuf to automate the process.

Objective of the Lab

The goal of this lab is to:

• Identify an LFI vulnerability
• Automate path traversal testing using ffuf
• Filter noise from responses
• Detect valid file inclusions through response analysis
• Successfully retrieve sensitive system files

Prerequisites

• Burp Suite (for request capture and testing)
• ffuf (for automated fuzzing)
• Basic understanding of path traversal payloads

Behaviour of the Application

The application loads recipe files dynamically based on user selection.

When a recipe is selected, the backend fetches a corresponding file using a parameter, making it a potential entry point for file inclusion attacks.

Lab Interface

1. Capture Request and Prepare FUZZ Point

We first open the chocolate cake recipe page.

Then, from Burp Suite → HTTP History, we save the request(using "copy to file") as request.txt.

Next, open request.txt in a text editor:

• Replace chocolate_cake.txt with FUZZ
• (this is where ffuf will inject payloads)

2. Initial ffuf Scan

Run:

ffuf -request request.txt -request-proto http -w /usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt

ffuf -request request.txt -request-proto http -w /usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt

This gives many results with Words: 19, so we filter them out.

3. Filter Out Common Responses

Run:

ffuf -request request.txt -request-proto http -w /usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt -fw 19

ffuf -request request.txt -request-proto http -w /usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt -fw 19

This gives many results with Words: 20

We copy the highlighted payload and test it in Burp Repeater

but it still shows invalid results.

4. Filter Multiple Word Counts

Since Words:20 is also common, run:

ffuf -request request.txt -request-proto http -w /usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt -fw 19,20

ffuf -request request.txt -request-proto http -w /usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt -fw 19,20

During this scan, one result suddenly shows a much larger Size = 922 — this is suspicious and worth testing.

5. Test the Successful Payload

Copy the payload corresponding to Size: 922.

Test it in Burp Repeater.

Result

• Response contains system file content
• Successful retrieval of:

/etc/passwd

/etc/passwd

✅ Final Result

✔ Successfully identified LFI vulnerability ✔ Automated discovery using ffuf ✔ Retrieved sensitive system file /etc/passwd ✔ Confirmed improper input validation

Why This Vulnerability Exists

This vulnerability occurs due to:

• Lack of input validation
• Direct usage of user input in file operations
• No filtering of path traversal sequences
• Absence of response anomaly detection

Security Impact

In real-world scenarios, LFI can lead to:

• Exposure of sensitive files
• Credential leakage
• Application source code disclosure
• Log file access
• Potential escalation to Remote Code Execution (RCE)

Mitigation Strategies

To prevent LFI vulnerabilities:

• Validate and sanitize all user input
• Use strict whitelisting for allowed files
• Avoid direct file path inclusion
• Implement proper access controls
• Disable directory traversal patterns (../)
• Monitor abnormal response sizes and patterns

Conclusion

This lab demonstrated how automation tools like ffuf can significantly enhance vulnerability discovery by efficiently fuzzing file paths and identifying anomalies in server responses.

By combining manual testing (Burp Suite) with automated fuzzing, we successfully identified and exploited an LFI vulnerability.

Understanding this approach is essential for modern penetration testing, where speed and accuracy are critical.

Ethical Note

This lab was performed in a controlled and authorized environment for educational and cybersecurity research purposes only.

Web Security Series

This article is part of my ongoing Web Security Series, where I explore real-world web vulnerabilities through practical labs and hands-on testing.

Connect With Me

If you are interested in cybersecurity, penetration testing, or web security research, feel free to connect with me:

🔗 LinkedIn: https://www.linkedin.com/in/laibakashif0011