RFI Vulnerability Scanner

Crashtest Security Suite is an automated scanner tool that checks for Remote File Inclusion Vulnerability and Local File Inclusion Vulnerability quickly and easily.

  • Scan for RFI and LFI vulnerabilities
  • Detect OWASP Top 10 vulnerabilities (XSS, SQL injections, XXE, and many more)
  • Get security reports and remediations advice


RFI scanner features

By running security tests on your web application, the RFI scanner looks for Remote File Inclusion Vulnerabilities. Our solution is known as automated pentest software or DAST. We focus on working the same way a human cybersecurity expert would do. In this case, however, the results are faster and less expensive than manual pen-testing. You don’t need to spend hours searching for your vulnerabilities. It takes less than 5 minutes to:


Create and verify your scan target.



Configure the credentials for the system and the application.


CI integration

Create a webhook and start a scan via the CI Integration.


Get notifications

Integrate a chat notification system (Slack, Mattermost, Hangouts, and many more.)


Download the report

Get reports with remediation guidance, risk assessments, and solutions for every vulnerability discovered.



RFI scanner benefits

  • Share vulnerability reports in PDF, XML/JSON, or CSV formats with your team.
  • Check for other flaws, such as those on the OWASP Top 10 list for 2021.
  • Limit the damage loss and protect your users from the vast increase in cyber breaches.
  • Test HTML-based web apps, JavaScript, AJAX, HTML5, Multi-Page and Single-Page Applications, and APIs.
  • Easily integrate into your development pipeline and workflow.


Ample remote file inclusion report

The RFI report is a sophisticated tool that gives you full details about your cybersecurity posture. Check out how to correct what’s failing and save manual testing effort and money on cyber defense.

Vulnerability overview

The report starts with a high-level overview of the data breaches in your scan target, including the severity of the threats and their effects. You’ll find a list of every remote file inclusion attack vector and other security details.

Remediation suggestions

Each discovered vulnerability comes with risk classification, description, and detailed instructions for how to fix the problem.



What is file inclusion?

An attacker can include arbitrary files into the web application via a local or remote file inclusion, exposing sensitive files. Occasionally, the attacker can run malicious code on the webserver and completely seize control of the system.

Attackers can use them to gain access to other connected systems, resulting in application downtime and data loss. As a result, it is critical to comprehend the nature of these attacks and how they might be avoided.

What is remote file inclusion?

An attacker can utilize remote file inclusion (RFI) to have a web application include a remote file. For web apps that dynamically integrate external files or scripts. A successful RFI attack can result in sensitive information leakage, Cross-site Scripting (XSS), remote code execution, and full system control in the worst-case scenario.

What is the difference between remote and local file inclusion?

An attacker can use remote file inclusion (RFI) to have a web application include a remote file. This is conceivable for web apps that dynamically integrate external files or scripts.

How to prevent File Inclusion vulnerability?

  • Never include files straight from user-modifiable variables.
  • Validate user input. The easiest method to avoid this issue is to hardcode any files you need to include. Nevertheless, maintaining a whitelist of files authorized to be included may be better. Any other file requested by the user may be denied.
  • Avoid Remote File Inclusion. If you do not need the inclusion of remote files, you can set “allow_url_include=off” in your php.ini file to disable the inclusion of remote files.