These docs are for v1.1. Click to read the latest docs for v1.2.

Remote File Inclusion (RFI)

Severity: High
Test name: Remote File Inclusion (RFI)

Remote File Inclusion is an attack applicable to web applications that dynamically include external files or scripts. When such web applications take user input (URL, parameter value, etc.) and pass them into file include commands, the web application might be tricked into including remote files with malicious code. As a result, the malicious code can be downloaded and executed on the server with the privileges of the current web server user.


This vulnerability allows an attacker to:

  • Execute an unauthorized code on the server side application
  • Execute an unauthorized code on the client side application
  • Gain sensitive information
  • Crash the server
Basic example of Remote File Inclusion (PHP)
  1. Server side code:
    $file = 'form.php';
    if (isset($_REQUEST['file'])) {
        $file = $_REQUEST['file'];
    include $file;
2. Request:
3. Content of <i>"malicious_code.php"</i>
<?php var_dump(include('../config/db.php'));
  1. As a result, the attacker can steal the configuration of the database.
  • The issue can be found in the source code on the server side.
  • The issue can be found in the source code on the client side.
Remedy suggestions
  • The most effective solution is to avoid passing user-submitted input to any file system / framework API.
  • If you have a limited number of the allowed files to include, all of them can be stored as corresponding records in long time storage (for example, database) with specific identifiers. Such identifiers can be used as the request parameters to identify and include only allowed files.
  • If it is not possible to list the allowed files, and user input cannot be avoided, ensure that the supplied values are valid. Sanitize the input by creating a list of trusted files. Use the “whitelist” approach.
  • CWE-98
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L