How to Prevent Local and Remote File Inclusion Attacks

Attack: File inclusion is needed for complex web application. However hackers use this functionality of file inclusion for inserting malicious code files in the web application and get access to server files and view its contents. This action done by hackers is called Local file inclusion or remote file inclusion depending on from where the file is being included.

LFI (Local File Inclusion): In LFI attacker tries to include local server files such as server configuration files, password files, etc. If the web application can successfully include the file in itself and shows the content in the file then it can be said that the particular web application is vulnerable to Local file inclusion.

RFI (Remote File Inclusion): RFI is similar to LFI the only difference is that in RFI the attacker tries to include remote files which are present in different web servers.

Impact: LFI (Local File Inclusion) and RFI (Remote File Inclusion) come under the category of code injection attacks. It is observed that web applications are 21% vulnerable of LFI and RFI. They are similar to XSS (Cross-site scripting) and are basically performed on websites using PHP.


  • Do not permit file paths to be appended directly.
  • Appropriate parsing of the GET or POST requests must be done on server side to filter out such malicious attacks.
  • As for php applications - You can disable allow_url_fopen from php.ini or .htaccess.php.ini allow_url_fopen = 'off' .htaccessphp_flag allow_url_fopen off.