Episode 92: Local/Remote File Inclusion (LFI/RFI)
Sometimes attackers don’t need to upload malicious files—they just need to include them. In this episode, we explore Local File Inclusion (LFI) and Remote File Inclusion (RFI) vulnerabilities, which allow attackers to manipulate file paths in application inputs and force systems to load unintended or external code. You’ll learn how LFI can be used to read sensitive server-side files, and how RFI opens the door for full remote code execution.
We also cover common exploit techniques, such as null byte injection and PHP wrappers, and walk through ways to mitigate these flaws through strict input validation, allowlists, and isolation of executable directories. CySA+ regularly tests awareness of LFI and RFI in web applications and server configurations—making this episode essential listening for any aspiring analyst or secure code reviewer.

Brought to you by BareMetalCyber.com
