What Is Remote File Inclusion (RFI)?

Read on to learn what exactly Remote File Inclusion means and how to prevent it, as well as to see an example of code that is vulnerable to RFI attacks.

Remote File Inclusion (RFI) is an inclusion attack in which an attacker causes the web application to include a remote file, by exploiting an application that dynamically includes external files or scripts. The consequences of a successful RFI attack range from Information Disclosure and Cross-site Scripting (XSS) to Remote Code Execution.

Remote File Inclusion (RFI) usually occurs when an application receives the path of the file to be included as user input without properly sanitizing it. This allows an external URL to be supplied to the include statement.

The following is an example in PHP that is vulnerable to Remote File Inclusion (RFI).

<?php
/**
 * Get the filename from a GET input
 * Example - http://example.com/?file=filename.php
 */
$file = $_GET['file'];

/**
 * Unsafely include the file without validating it
 * Example - filename.php
 */
include($file);

In the above example, an attacker could make the following request to trick the application into executing a malicious script such as a webshell.


In this example, the remote file is included and executed with the privileges of the user account the web application runs as. That allows an attacker to run any code they want on the web server, including writing files to gain persistence on it.

Preventing Remote File Inclusion (RFI) Vulnerabilities

The best way to eliminate Remote File Inclusion (RFI) vulnerabilities is to avoid dynamically including files based on user input at all. If this is not possible, the application should maintain a whitelist of files that may be included, so that the attacker has no control over what gets included.

Additionally, in the case of PHP, most modern PHP configurations have allow_url_include set to off, which prevents malicious users from including remote files. That said, Local File Inclusion (LFI) would still be possible.
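As an added example (not code from the article), the following PHP shows the whitelist approach from the previous section: the request carries only a short page name, that name is looked up in a fixed map, and the include path is built from the map's value rather than from anything the user sent. It also checks that allow_url_include is off before serving anything, as defence in depth. The page names, the pages directory and the query parameter are hypothetical.

```php
<?php
// Added example, not the article's code: include a page chosen by the user
// only through a fixed whitelist. Names, paths and the "page" parameter are
// hypothetical.
declare(strict_types=1);

const PAGE_DIR = __DIR__ . '/pages';

// Keys are the only values accepted from the request; values are the files
// that are actually included. The user-supplied string never becomes a path,
// so neither a remote URL nor a local traversal like ../../etc/passwd can
// reach include().
const ALLOWED_PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Map a requested page name to a filesystem path, or null if it is not
 * on the whitelist. Unknown names are refused outright rather than
 * "cleaned up", because sanitizing paths is error-prone.
 */
function resolvePage(string $requested): ?string
{
    if (!array_key_exists($requested, ALLOWED_PAGES)) {
        return null;
    }
    return PAGE_DIR . '/' . ALLOWED_PAGES[$requested];
}

// Defence in depth: refuse to run on a host that still permits remote
// includes, so a future coding mistake cannot turn into RFI.
if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
    http_response_code(500);
    exit('Server misconfiguration: allow_url_include must be Off');
}

$page = resolvePage((string) ($_GET['page'] ?? 'home'));
if ($page === null) {
    http_response_code(404);
    exit('Unknown page');
}

include $page;
```

Using a map of short names to files (rather than validating a path string) is the key design choice: the value passed to include is always one the developer wrote, so there is nothing for an attacker to inject, and adding a page means adding one line to the whitelist.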
