LFI Vulnerability Scanner

Local file inclusion (LFI) vulnerabilities are critical security issues within web applications since successful exploitation of such a vulnerability may lead to remote code execution (RCE). Alternatively, they can be used to steal sensitive information through directory traversal. An LFI vulnerability allows an attacker to locally include a file hosted on the web server (usually a malicious file being uploaded). Once successfully carrying out their inclusion attack, the attacker would typically try to obtain a reverse shell, which provides them with a command line session where arbitrary commands can be executed. LFI vulnerabilities are usually not difficult to fix, but finding them in large codebases could be challenging without the right tools. Acunetix is a web application vulnerability scanner which, in addition to LFI, can check for RFI vulnerabilities and other file inclusion bugs, as well as Cross-site Scripting (XSS), SQL Injection (SQLi), and a myriad of other vulnerabilities and misconfigurations across thousands of web pages.

The Acunetix LFI scanner tests for both local file inclusion (LFI) and remote file inclusion (RFI). While many file inclusion vulnerability scanners can find low-hanging file inclusion, Acunetix goes well beyond the basics thanks to its advanced crawler and JavaScript engine called DeepScan. Thanks to DeepScan, Acunetix also has full support for modern single-page applications (SPAs) and can understand and fully test applications that rely on JavaScript frameworks.

In addition to being a fully automated black box scanner (no knowledge of backend code), Acunetix also provides AcuSensor as part of its standard offering. AcuSensor is a an optional sensor for Java, ASP.NET, and PHP applications that can easily be deployed on the application backend to analyse source code while it is in execution by the scanner, giving even more accurate results and even fewer false positives.