Client-Side LFI Payload Tester

Test Local File Inclusion (LFI) payloads in a simulated environment

Understanding LFI Vulnerabilities

What is Local File Inclusion (LFI)?

Local File Inclusion (LFI) is a vulnerability that lets an attacker make the server include files from its own filesystem by manipulating a request sent through the web browser. It occurs when a web application passes user-controlled input to a file inclusion function without properly validating it, so the attacker can alter the file-path parameter and include arbitrary files from the local system, such as configuration files or application source code.

Common LFI Attack Vectors

  • Directory Traversal: Using ../ sequences to navigate up directory levels
  • URL Encoding: Encoding special characters to bypass filters (%2e%2e%2f = ../)
  • Double Encoding: Applying URL encoding twice to bypass security filters
  • PHP Wrappers: Using the php://filter stream wrapper to read source code, or abusing other PHP stream wrappers
  • Null Byte Injection: Using %00 to terminate strings in older PHP versions

Prevention Techniques

  • Validate input against the exact form the application expects (for example, a short alphanumeric page name) and reject anything else rather than trying to clean it up
  • Use a whitelist of allowed files and map the user's input to an entry in that list instead of using the input directly as a path
  • Avoid using file inclusion functions with user-supplied input
  • Implement proper access controls for sensitive files
  • Keep software and frameworks updated to patch known vulnerabilities
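The following is an added example, not code from this tool, showing the prevention techniques above applied to a page-include resolver. It places the vulnerable concatenation pattern beside a hardened resolver that decodes the input until it is stable (so double encoding cannot hide a traversal sequence), rejects null bytes and wrapper schemes, validates the page name against a strict pattern, checks it against a whitelist, and finally confirms the canonical path still lies inside the base directory. The base directory, the whitelist of page names and every test input are constructed for this example and are not values from the original page.

```python
"""Whitelist-based include resolver (constructed defensive example)."""
import posixpath
import re
from typing import Optional, Tuple
from urllib.parse import unquote

# Assumed layout: includable page templates live under this directory (constructed).
BASE_DIR = "/var/www/app/pages"
# Whitelist of page names the application actually offers (constructed set).
ALLOWED_PAGES = {"home", "about", "contact"}
# A page name is a short plain identifier; anything else is rejected before any path work.
PAGE_NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def vulnerable_resolve(page: str) -> str:
    """The flawed pattern: user input is concatenated straight into the include path."""
    return BASE_DIR + "/" + page + ".php"


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, so double encoding is unwrapped."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def hardened_resolve(page: str) -> Tuple[Optional[str], str]:
    """Return (resolved_path, reason); resolved_path is None when the request is refused."""
    decoded = fully_decode(page)
    # Null bytes never belong in a page name, regardless of PHP version.
    if "\x00" in decoded:
        return None, "null byte"
    # Stream wrappers such as php://filter carry a scheme separator; refuse them outright.
    if ":" in decoded:
        return None, "wrapper/scheme not allowed"
    # Strict shape check: traversal sequences, slashes and dots fail here.
    if not PAGE_NAME_RE.fullmatch(decoded):
        return None, "invalid page name"
    # Only files the application deliberately exposes may be included.
    if decoded not in ALLOWED_PAGES:
        return None, "not in allowlist"
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, decoded + ".php"))
    # Defense in depth: the canonical path must still sit inside BASE_DIR.
    if not candidate.startswith(BASE_DIR + "/"):
        return None, "escapes base directory"
    return candidate, "ok"


if __name__ == "__main__":
    # Constructed inputs covering each vector listed above, run through both resolvers.
    for value in ["home", "../../../../etc/passwd", "%2e%2e%2f%2e%2e%2fetc%2fpasswd",
                  "%252e%252e%252fetc%252fpasswd", "php://filter/resource=home",
                  "home%00", "config"]:
        print(f"{value!r:45} vulnerable -> {vulnerable_resolve(value)}")
        print(f"{'':45} hardened   -> {hardened_resolve(value)}")
```

Each refusal carries the name of the layer that caught it, which is useful when reviewing logs: a run of "invalid page name" rejections for a single client is a traversal attempt worth alerting on, while "not in allowlist" alone is usually a broken link. The regex makes the final base-directory check redundant in practice, but keeping it means a later relaxation of the name pattern does not silently reintroduce traversal.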

Learning Resource: This tool simulates a simplified version of how web servers resolve paths. Real servers may have additional security measures or different path resolution logic.