Introduction

Modern web applications often rely on dynamic file loading to render content based on user interaction. While this improves flexibility and user experience, improper handling of user-supplied input can introduce critical vulnerabilities.

One such vulnerability is Local File Inclusion (LFI), which allows attackers to access sensitive files from the server's filesystem.

In this lab, I demonstrate how a simple filename parameter can be manipulated to perform path traversal and retrieve sensitive system files such as /etc/passwd.

Understanding Local File Inclusion (LFI)

Definition

Local File Inclusion (LFI) is a web vulnerability where an application includes files based on user-controlled input. If proper validation is missing, an attacker can manipulate the input to include unintended files from the server.

When to Test for LFI

LFI testing becomes relevant when:

  • A file-related parameter exists in the URL (e.g., filename=, file=, path=)
  • The application dynamically loads content from the server
  • User input directly influences file paths
  • Input is not properly validated or sanitized

LFI is typically tested during the active exploitation phase after identifying dynamic file inclusion behavior.

Objective of the Lab

The objective of this lab is to:

  • Identify a vulnerable file-loading parameter
  • Exploit path traversal to access sensitive system files
  • Confirm Local File Inclusion vulnerability
  • Understand how improper input handling leads to file disclosure

Prerequisites

Before starting the lab, ensure you have:

  • Burp Suite (Community Edition is sufficient)
  • Basic understanding of path traversal payloads
  • Browser configured to intercept HTTP requests

Common Payloads:

  • Linux:
../../../../../../etc/passwd
  • Windows:
..\..\..\..\windows\win.ini

Behaviour of the Application

The application provides a recipe selection feature where different recipes are loaded dynamically.

Upon selecting a recipe, the application uses a filename parameter in the URL to fetch content from the server.

This behavior indicates that user input directly controls file access.

Lab Interface

None

1 — Identify filename in the URL

When selecting a recipe in the lab, the browser address bar contains:

filename=tiramisu

This means the application loads local files based on this parameter.

None

2 — Capture the request in Burp Suite

In Burp → HTTP History → select the GET request → Send to Repeater.

None

3 — Replace the filename with a Linux path traversal payload

Edit line 1 in the request:

Replace:

filename=tiramisu.txt

With:

filename=../../../../../../etc/passwd

Send the request.

4 — Check the response

Scroll down in the response — you will see the content of /etc/passwd displayed in encoded form.

None

This confirms an LFI vulnerability, as the server is returning OS-level files.

✅ Result

✔ Sensitive system file successfully retrieved ✔ Path traversal payload executed successfully ✔ Server failed to validate file input

👉 This confirms the presence of a Local File Inclusion (LFI) vulnerability.

5 — Optional: fuzzing with Burp Intruder (Path Traversal enumeration)

Since the endpoint responds to traversal payloads, fuzzing can help enumerate more sensitive files.

Steps:

  1. Send request to Intruder
  2. Highlight traversal payload ../../../../../../etc/passwdAdd§
  3. Go to PayloadsAdd from list
  4. Select: Fuzzing — Path Traversal
  5. Start attack
  • This step requires Burp Suite Professional.

Why This Vulnerability Exists

LFI occurs due to:

  • Lack of input validation
  • Direct use of user input in file operations
  • Absence of path sanitization
  • No restriction on directory traversal sequences

Security Impact

In real-world applications, LFI can lead to:

  • Exposure of sensitive files (/etc/passwd, configuration files)
  • Disclosure of application source code
  • Credential leakage
  • Log file access
  • Potential escalation to Remote Code Execution (RCE)

Mitigation Strategies

To prevent LFI vulnerabilities:

  • Validate and sanitize user input
  • Use whitelisting for allowed files
  • Avoid direct file path usage from user input
  • Implement proper access controls
  • Use secure file handling functions
  • Disable directory traversal sequences (../)

Conclusion

This lab demonstrated how improper handling of file-based input can allow attackers to access sensitive files from the server.

By exploiting the filename parameter, we successfully performed path traversal and retrieved system-level data, confirming a Local File Inclusion vulnerability.

Understanding LFI is crucial, as it often serves as a stepping stone toward more advanced attacks such as Remote Code Execution.

Ethical Note

This lab was performed in a controlled and authorized environment for educational and cybersecurity research purposes only.

Web Security Series

This article is part of my ongoing Web Security Series, where I explore real-world web vulnerabilities through practical labs and hands-on testing.

Connect With Me

If you are interested in cybersecurity, penetration testing, or web security research, feel free to connect with me:

🔗 LinkedIn: https://www.linkedin.com/in/laibakashif0011