Overview
Basic Local File Inclusion focuses on a page-loading workflow where user-controlled input affects which local file the application reads.
This lab introduces the local file inclusion pattern through a common web routing mistake: treating a requested resource name as safe without constraining it to an intended directory or allowlist.
Security Impact
Local file inclusion can expose configuration files, source code, logs, environment details, or sensitive values readable by the web application process. In some environments, it can also support further compromise when included files are interpreted by the application runtime.
Vulnerability Scope
Template loaders, language selectors, help pages, error pages, download handlers, and custom routing logic are risky when request parameters map too directly to filesystem paths.
Lab Focus
The lab focuses on unsafe file path handling, why path normalization alone is not enough, and how allowlisted resources create a clearer file access boundary.
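Added example (not part of the lab's own code) comparing a normalization-only resolver, a containment check, and an allowlist on a constructed directory tree built in a temporary directory. The function names, the ALLOWED_PAGES mapping, and the file names are assumptions made for illustration.

```python
import os
import tempfile

# Hypothetical allowlist: request value -> fixed file name in the pages directory.
ALLOWED_PAGES = {"home": "home.html", "help": "help.html"}

def resolve_normalized(base, name):
    """Normalization only: a tidy path that may still point outside base."""
    return os.path.normpath(os.path.join(base, name))

def resolve_contained(base, name):
    """Resolve symlinks and dot segments, then require the result to stay under base."""
    root = os.path.realpath(base)
    target = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError("path escapes base directory")
    return target

def resolve_allowlisted(base, page):
    """The request selects a key; no request text reaches the filesystem path."""
    if page not in ALLOWED_PAGES:
        raise KeyError(page)
    return os.path.join(os.path.realpath(base), ALLOWED_PAGES[page])

def rejected(func, base, value):
    """True if the resolver refuses the value instead of returning a path."""
    try:
        func(base, value)
    except (PermissionError, KeyError):
        return True
    return False

def demo():
    """Compare the resolvers on a constructed site tree in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        pages = os.path.join(tmp, "pages")
        os.mkdir(pages)
        for fn in ("home.html", "help.html", "draft.html"):
            open(os.path.join(pages, fn), "w").close()
        outside = os.path.join(tmp, "settings.ini")  # constructed file outside pages/
        open(outside, "w").close()
        probe = os.path.join("..", "settings.ini")   # constructed test input
        return {
            "normalized_escapes": os.path.samefile(resolve_normalized(pages, probe), outside),
            "contained_rejects_escape": rejected(resolve_contained, pages, probe),
            "contained_serves_unlisted": not rejected(resolve_contained, pages, "draft.html"),
            "allowlist_rejects_unlisted": rejected(resolve_allowlisted, pages, "draft"),
            "allowlist_rejects_escape": rejected(resolve_allowlisted, pages, probe),
            "allowlist_serves_help": resolve_allowlisted(pages, "help").endswith("help.html"),
        }
```

The containment check stops the escape but still serves draft.html, a file that was never meant to be a page; only the allowlist limits access to the intended resources.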

