Testing for Local File Inclusion

Crashtest Security Suite is automated cyber security software that scans your web pages for vulnerabilities in local file inclusion and other issues (RFI).

  • Scan for LFI and RFI vulnerabilities and everyone in OWASP Top Ten
  • Supports for Multi-Page, Single-page applications (SPAs), APIs, JavaScript frameworks & more
  • Get security reports and remediation advice for every exposure found
  • Automated online SaaS LFI testing


LFI scanner features

Although Local File Inclusion vulnerabilities usually are easy to address, discovering them in huge codebases may be difficult without the correct tools.

Our black-box penetration testing tool will let you discover every vulnerability your web application could have.

Crashtest Security works with no information about your system, precisely as a hacker would. Still, in this case, you have the opportunity to save money and time on running security manual tests.


Create and verify your scan target.



Configure the credentials for the system and the application.


CI integration

Create a webhook and start a scan via the CI Integration.


Get notifications

Integrate a chat notification system (Slack, Mattermost, Hangouts, and many more.)


Download the report

Get reports with remediation guidance, risk assessments, and solutions for every vulnerability discovered.



LFI scanner benefits

  • Share vulnerability reports with your team – in PDF, XML/JSON, or CSV formats
  • OWASP Top 10 listed vulnerabilities scanner – Identifies possible attack vectors in your web application, API, or microservices.
  • Constant Transparency – Enjoy our real-time reporting on all web application deployments – top line or in-depth.
  • High-grade testing – HTML-based web applications, JavaScript, AJAX, HTML5, Multi-Page and Single-Page Applications, and APIs.
  • GDPR compliance – Ensure state-of-the-art PII-related vulnerability testing for every release.


Ample local file inclusion report

Vulnerability overview

The LFI report begins with a high-level overview of the data breaches found in your scan target, including their magnitude and consequences. There’s a summary of every local file inclusion attack vector and additional security information

Remediation advice

Suggestions for remedial work: Each exposure is accompanied by a risk rating, description, and step-by-step directions for resolving the issue.

Continuous Security

More reasons for continuous local file inclusion testing

Automated Pentesting

Perform regular black box pentests on your web assets and spend less on infrequent manual penetration tests.

Cybersecurity Risk Reduction

Benchmark your next release against OWASP Top 10 and other known vulnerabilities.

Schedule Scans

Match vulnerability scanning to your agile dev cycle.

Ensure Compliance

Scan every new release before deployment and ensure compliance with regulations and standards (HIPAA, GDPR, ISO, and many more).

Faster Vulnerability Detection

Detect and mitigate vulnerabilities quicker by scanning your web assets regularly.

Integrated Dev Pipeline

Integrate vulnerability scanning into your dev process and environment and shift security left.


Local File Inclusion

What is file inclusion?

PHP File Inclusion is a web application security issue that permits unauthorized users to access files, perform downloads, search for information, etc. As described by OWASP, it allows an attacker to include a file by attacking the target application’s “dynamic file inclusion” techniques. The flaw arises from the usage of user-supplied data that hasn’t been appropriately validated.

File inclusion flaws are a golden opportunity for hackers. While various protective procedures are in place to address such flaws, a single positive operation may compromise your mission-critical data and put your organization at risk.

What is local file inclusion?

Local File Inclusion (LFI) is a web browser option that enables an attacker to include files on a server. When a web application contains a file before correctly filtering the input, this vulnerability occurs, allowing an attacker to modify the input, insert jump characters from the route, and provide other files from the webserver. It typically affects PHP applications.

What are the risk of local file inclusion vulnerability?

LFI is harmful, particularly when combined with additional issues, such as the ability of an attacker to submit malicious files to the server. Even if the attacker cannot upload files, they can take control of the entire server or access sensitive information by combining the LFI weakness with a directory traversal flaw. The consequences could include information disclosure or remote code execution as well.

How to prevent local file inclusion vulnerabilities?

Preventing files’ addition based on user input is a great way to stop Local File Inclusion (LFI) vulnerabilities. But if it is not achievable, the app should keep a registry of files that could be included to restrict the cyber attacker’s ability to control what is included.