Introduction
File inclusion vulnerabilities let an attacker trick a web application into exposing, or even executing, files that were never meant to be accessible. The underlying weaknesses span several categories in the OWASP Top 10. Path traversal falls under Broken Access Control (A01), file inclusion through unsanitised input maps to Injection (A03), and the server configurations that enable remote inclusion relate to Security Misconfiguration (A05). These vulnerabilities remain one of the most common flaws found in real-world web application assessments.
In this room, we'll walk through how file inclusion vulnerabilities work, why they happen, and how to exploit them in a controlled environment. We'll cover path traversal, Local File Inclusion (LFI), and Remote File Inclusion (RFI), working through practical labs along the way. By the end, we'll also look at how to prevent these vulnerabilities from appearing in your own code.
Learning Objectives
By the end of this room, you will be able to:
- Explain the difference between path traversal, LFI, and RFI
- Identify file inclusion entry points in a web application
- Exploit LFI and RFI vulnerabilities to read sensitive files and gain remote code execution
- Apply remediation techniques to prevent file inclusion vulnerabilities
Prerequisites
This room assumes a basic understanding of how URLs, parameters, and requests work. If you are not yet comfortable with these concepts, consider completing the How The Web Works module before continuing.
