

Local File Inclusion # 1

This lab shows step-by-step how to exploit a Local File Inclusion (LFI) on the Damn Vulnerable Web Application (DVWA) to retrieve sensitive information from the target. During this lab, the Security Level of the DVWA is set to Low.

Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is intentionally vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, to help web developers better understand the processes of securing web applications, and to aid teachers and students in teaching and learning web application security in a classroom environment.

Why are Local File Inclusion weaknesses important?

Local File Inclusion (LFI) refers to a weakness where attackers trick the web application into including files hosted on the system (files that should not be accessible via the web application) as part of the web application. The consequences of a successful LFI attack can be devastating because it could allow an attacker to retrieve the contents of sensitive files located on the server hosting the vulnerable web application and, in some cases, achieve Remote Code Execution (RCE).

What will you learn?

  • What is LFI
  • How to identify an LFI
  • How to exploit an LFI to retrieve sensitive information stored on the target system



Technical Details

This scenario contains one virtual machine.

VPN Connection Required: Yes

Scenario Pre-requisites

In order to benefit from this scenario it is recommended you have competence in the following areas:

  1. Basic understanding of the HTTP protocol
  2. How web applications work behind the scenes
  3. How to use an HTTP Intercepting Proxy

About the Author

Marios holds a BSc Computer Science degree from Northumbria University and an MSc degree in Cyber Security from the University of York. He is one of the OWASP Cyprus Chapter Leaders and he is passionate about web application security. He likes to spend his free time mastering his backgammon skills.