Web Security Series # 16— Exploiting Local File Inclusion (LFI)

Introduction

Modern web applications often rely on dynamic file loading to render content based on user interaction. While this improves flexibility and user experience, improper handling of user-supplied input can introduce critical vulnerabilities.

One such vulnerability is Local File Inclusion (LFI), which allows attackers to access sensitive files from the server's filesystem.

In this lab, I demonstrate how a simple filename parameter can be manipulated to perform path traversal and retrieve sensitive system files such as /etc/passwd.

Understanding Local File Inclusion (LFI)

Definition

Local File Inclusion (LFI) is a web vulnerability where an application includes files based on user-controlled input. If proper validation is missing, an attacker can manipulate the input to include unintended files from the server.

When to Test for LFI

LFI testing becomes relevant when:

A file-related parameter exists in the URL (e.g., filename=, file=, path=)
The application dynamically loads content from the server
User input directly influences file paths
Input is not properly validated or sanitized

LFI is typically tested during the active exploitation phase after identifying dynamic file inclusion behavior.

Objective of the Lab

The objective of this lab is to:

Identify a vulnerable file-loading parameter
Exploit path traversal to access sensitive system files
Confirm Local File Inclusion vulnerability
Understand how improper input handling leads to file disclosure

Prerequisites

Before starting the lab, ensure you have:

Burp Suite (Community Edition is sufficient)
Basic understanding of path traversal payloads
Browser configured to intercept HTTP requests

Common Payloads:

Linux:

../../../../../../etc/passwd

../../../../../../etc/passwd

Windows:

..\..\..\..\windows\win.ini

..\..\..\..\windows\win.ini

Behaviour of the Application

The application provides a recipe selection feature where different recipes are loaded dynamically.

Upon selecting a recipe, the application uses a filename parameter in the URL to fetch content from the server.

This behavior indicates that user input directly controls file access.

Lab Interface

1 — Identify filename in the URL

When selecting a recipe in the lab, the browser address bar contains:

filename=tiramisu

filename=tiramisu

This means the application loads local files based on this parameter.

2 — Capture the request in Burp Suite

In Burp → HTTP History → select the GET request → Send to Repeater.

3 — Replace the filename with a Linux path traversal payload

Edit line 1 in the request:

Replace:

filename=tiramisu.txt

filename=tiramisu.txt

With:

filename=../../../../../../etc/passwd

filename=../../../../../../etc/passwd

Send the request.

4 — Check the response

Scroll down in the response — you will see the content of /etc/passwd displayed in encoded form.

This confirms an LFI vulnerability, as the server is returning OS-level files.

✅ Result

✔ Sensitive system file successfully retrieved ✔ Path traversal payload executed successfully ✔ Server failed to validate file input

👉 This confirms the presence of a Local File Inclusion (LFI) vulnerability.

5 — Optional: fuzzing with Burp Intruder (Path Traversal enumeration)

Since the endpoint responds to traversal payloads, fuzzing can help enumerate more sensitive files.

Steps:

Send request to Intruder
Highlight traversal payload ../../../../../../etc/passwd → Add§
Go to Payloads → Add from list
Select: Fuzzing — Path Traversal
Start attack

This step requires Burp Suite Professional.

Why This Vulnerability Exists

LFI occurs due to:

Lack of input validation
Direct use of user input in file operations
Absence of path sanitization
No restriction on directory traversal sequences

Security Impact

In real-world applications, LFI can lead to:

Exposure of sensitive files (/etc/passwd, configuration files)
Disclosure of application source code
Credential leakage
Log file access
Potential escalation to Remote Code Execution (RCE)

Mitigation Strategies

To prevent LFI vulnerabilities:

Validate and sanitize user input
Use whitelisting for allowed files
Avoid direct file path usage from user input
Implement proper access controls
Use secure file handling functions
Disable directory traversal sequences (../)

Conclusion

This lab demonstrated how improper handling of file-based input can allow attackers to access sensitive files from the server.

By exploiting the filename parameter, we successfully performed path traversal and retrieved system-level data, confirming a Local File Inclusion vulnerability.

Understanding LFI is crucial, as it often serves as a stepping stone toward more advanced attacks such as Remote Code Execution.

Ethical Note

This lab was performed in a controlled and authorized environment for educational and cybersecurity research purposes only.