Security Hub

Bring your software development workflows to security


Local File Inclusion

Signals & Triggers

On file system access
If user input is matched in a file access command


  • Prevent command execution
  • Block incoming HTTP request
  • Send a Slack notification
  • Send an email notification
  • POST to webhook
  • Log request stack trace


Sqreen prevents attackers from accessing the server’s file system to perform Local File Inclusion attacks.

Let’s say we have the following payload:

    "image": "myImage.jpg"

This results in the call open('imgs/user1/myImage.jpg'), which lets the user legitimately access an image through the web server.

A malicious attacker would try to abuse this by crafting a payload:

    "image": "../user2/hisImage.jpg"

This would result in the call open('imgs/user1/../user2/hisImage.jpg'), giving the attacker access to someone else's images.

The same approach can be used to execute arbitrary code if the LFI happens in a module inclusion (include in PHP, require in Node.js, etc.).

Advanced details

When an HTTP request triggers a file access, this plugin triggers on either of the following conditions:

  • the path starts at the root of the filesystem (/ on UNIX systems) and the whole path comes from user input
  • the user input traverses back toward the root of the server's filesystem (the attacker was able to inject ../ into the path)
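The following is an added example, not Sqreen's code or any part of its agent: a string-level check that mirrors the two trigger conditions above and runs before the open() call from the image example. It assumes (our assumption, not from the page) that each user's images live under imgs/<user>/ and that the file name comes from the request field "image"; the function names are ours. The same check applies to the module-inclusion case mentioned earlier, since include/require resolve a path the same way.

```python
import posixpath

# Constructed example layout (an assumption, not from the page): every user's
# images live under IMAGE_ROOT/<user>/, matching the page's open('imgs/user1/...').
IMAGE_ROOT = "imgs"


def is_absolute_injection(user_input: str) -> bool:
    """First trigger condition: the whole path is user-controlled and starts at
    the filesystem root ('/' on UNIX)."""
    return user_input.startswith("/")


def escapes_base(base_dir: str, user_input: str) -> bool:
    """Second trigger condition: once '..' segments are resolved, the path no
    longer lies inside base_dir. A '..' that stays inside base_dir (for example
    'sub/../x.jpg') is not an escape and is not flagged."""
    base = posixpath.normpath(base_dir)
    resolved = posixpath.normpath(posixpath.join(base, user_input))
    return resolved != base and not resolved.startswith(base + "/")


def classify_file_access(user: str, image: str) -> dict:
    """Decide, before open() is called, whether the request should be blocked.
    Returns the path that would have been opened plus the reasons, which is
    what a blocking rule and a notification would be built from."""
    user_dir = posixpath.join(IMAGE_ROOT, user)
    reasons = []
    if is_absolute_injection(image):
        reasons.append("absolute path injected")
    if escapes_base(user_dir, image):
        reasons.append("traversal outside user directory")
    return {
        # posixpath.join discards user_dir when image is absolute, which is
        # exactly the "whole path injected" situation of the first condition.
        "path": posixpath.join(user_dir, image),
        "blocked": bool(reasons),
        "reasons": reasons,
    }


def open_user_image(user: str, image: str):
    """Hypothetical guarded wrapper around open(): refuse instead of reading."""
    decision = classify_file_access(user, image)
    if decision["blocked"]:
        raise PermissionError(
            f"blocked file access {decision['path']}: {decision['reasons']}"
        )
    return open(decision["path"], "rb")


if __name__ == "__main__":
    # The page's two payloads plus one absolute path, all constructed inputs.
    for payload in ("myImage.jpg", "../user2/hisImage.jpg", "/var/app/secret.jpg"):
        print(payload, "->", classify_file_access("user1", payload))
```

This works on the path string only; a real guard should also compare os.path.realpath of the resolved file against the base directory, since a symlink inside imgs/user1/ can still point elsewhere.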

Language support

  • Ruby
  • Node.js
  • PHP
  • Python
  • Java

Data collected by Sqreen


No data collected

On attack
  • Request payload
  • Stack trace
  • Attacker IP
  • Attacker account (Sqreen SDK)

Built for developers and modern apps

Get up and running in minutes just by installing our lightweight library. Enable plugins in just a couple of clicks.

  • Node.js
  • Ruby
  • PHP
  • Python
  • Java

Node.js

    $ npm install --save sqreen

    $ echo '{ "token": "your token" }' > sqreen.json

    // This should be the first line of your app

Ruby

    $ echo "gem 'sqreen'" >> Gemfile

    $ bundle install

    $ echo "token: your token" >> config/sqreen.yml

PHP

    $ curl -s | bash

    $ apt-get install --no-install-recommends sqreen-agent sqreen-php-extension

    $ /usr/lib/sqreen/sqreen-installer config {your token}

Python

    $ pip install sqreen

    $ echo -e '[sqreen]\ntoken: your token' >> sqreen.ini

    # Insert at the top of your app file (typically or

    import sqreen

Java

    $ curl -o sqreen-latest-all.jar

    // Next, edit the JVM startup file:

    -javaagent:/path/to/sqreen-agent.jar -Dsqreen.token={{your token}}

Build amazing products. Keep them safe.

3 min installation · Try all features for 7 days · No credit card required