Security Hub

Bring your software development workflows to security


Local File Inclusion

Signals & Triggers

On file system access
If user input matched in file access command


  • prevent command execution Prevent command execution
  • block incoming http request Block incoming http request
  • Send a slack notification Send a Slack notification
  • Send an email notification Send an email notification
  • POST to webhook
  • Log request stack trace


Sqreen prevents attackers from accessing the server’s file system to perform Local File Inclusion attacks.

Let’s say we have the following payload:

    "image": "myImage.jpg"

This results in the following call: open('imgs/user1/myImage.jpg'). It would allow a user to legitimally access an image through the web server.

A malicious attacker would try to abuse this by crafting a payload:

    "image": "../user2/hiImage.jpg"

This would result in the following call: open('imgs/user1/../user2/hisImage.jpg'), giving access to someone’s else images to the attacker.

The same approach can be used to execute arbitrary code if the LFI happens in a module inclusion (include in PHP, require in NodeJS, etc).

Advanced details

When an HTTP request triggers a file access, this plugin triggers on the following conditions:

  • the path starts at the root filesystem (/ on UNIX systems) and if the whole path is injected by the user
  • the user input traverse back to the root filesystem of the server (the attacker was able to inject a ../ in the path)

Language support

  • Python
  • Node.js
  • PHP
  • Java

Data collected by Sqreen

No data collected

On attack
  • Request payload
  • Stack trace
  • Attacker IP
  • Attacker account (Sqreen SDK)

Build amazing products. Keep them safe.

Dive into Sqreen with our 14-day trial, and experience seamlessly security. Free Trial Request demo