DE

Testing for Local File Inclusion

Crashtest Security Suite is automated cyber security software that scans your web pages for vulnerabilities in local file inclusion and other issues (RFI).

  • Scan for LFI and RFI vulnerabilities and everyone in OWASP Top Ten
  • Supports for Multi-Page, Single-page applications (SPAs), APIs, JavaScript frameworks & more
  • Get security reports and remediation advice for every exposure found
Hirmer
Alltron
Flixbus
Instana
Ottonova
Atoss
Acrolinx
Netfonds

Features

LFI scanner features

Although Local File Inclusion vulnerabilities usually are easy to address, discovering them in huge codebases may be difficult without the correct tools.

Our black-box penetration testing tool will let you discover every vulnerability your web application could have.

Crashtest Security works with no information about your system, precisely as a hacker would do. Still, in this case, you have the opportunity to save money and time on running security manual tests.

Create

Create and verify your scan target.

1

Configure

Configure the credentials for the system and the application.

2

CI integration

Create a webhook and start a scan via the CI Integration.

3

Get notifications

Integrate a chat notification system (Slack, Mattermost, Hangouts, and many more.)

4

Download the report

Get reports with remediation guidance, risk assessments, and solutions for every vulnerability discovered.

5

Benefits

LFI scanner benefits

  • Share vulnerability reports with your team – in PDF, XML/JSON, or CSV formats
  • OWASP Top 10 listed vulnerabilities scanner – Identifies possible attack vectors in your web application, API, or microservices.
  • Constant Transparency – Enjoy our real-time reporting on all web application deployments – top line or in-depth.
  • High-grade testing – HTML-based web applications, JavaScript, AJAX, HTML5, Multi-Page and Single-Page Applications, and APIs.
  • GDPR compliance – Ensure state-of-the-art PII-related vulnerability testing for every release.

Reports

Ample local file inclusion report

Vulnerability overview

The LFI report begins with a high-level overview of the data breaches found in your scan target, including their magnitude and consequences. There’s a summary of every local file inclusion attack vector and additional security information

Remediation advice

Suggestions for remedial work: Each exposure is accompanied by a risk rating, description, and step-by-step directions for resolving the issue.

FAQ

Local File Inclusion

What is file inclusion?

PHP File Inclusion is a web application security issue that permits unauthorized users to access files, perform downloads, search for information, etc. As described by OWASP, it allows an attacker to include a file by attacking the target application’s “dynamic file inclusion” techniques. The flaw arises from the usage of user-supplied data that hasn’t been appropriately validated.

File inclusion flaws are a golden opportunity for hackers. While various protective procedures are in place to address such flaws, a single positive operation may compromise your mission-critical data and put your organization at risk.

What is local file inclusion?

Local File Inclusion (LFI) is a web browser option that enables an attacker to include files on a server. When a web application contains a file before correctly filtering the input, this vulnerability occurs, allowing an attacker to modify the input, insert jump characters from the route, and provide other files from the webserver. It typically affects PHP applications.

What are the risk of local file inclusion vulnerability?

LFI is harmful, particularly when combined with additional issues, such as the ability of an attacker to submit malicious files to the server. Even if the attacker cannot upload files, they can take control of the entire server or access sensitive information by combining the LFI weakness with a directory traversal flaw. The consequences could include information disclosure or remote code execution as well.

How to prevent local file inclusion vulnerabilities?

Preventing files’ addition based on user input is a great way to stop Local File Inclusion (LFI) vulnerabilities. But if it is not achievable, the app should keep a registry of files that could be included to restrict the cyber attacker’s ability to control what is included.