Remote file inclusion (RFI) is an attack technique used to exploit "dynamic file include" mechanisms in web applications. This vulnerability is mainly due to inadequate input validation, which allows the user’s input to be passed to the “file include” commands without proper validation. When web applications take user input (URL, parameter value, etc.) and pass them into “file include” commands, the web application can be tricked into including remote files with malicious code, which can then run on either the server or clients.
Remote file inclusion is mainly used for packaging common code into separate files that are later referenced by main application modules. When a web application references an include file, the code in this file may be executed implicitly or explicitly by calling specific procedures. If the choice of module to load is based on elements from the HTTP request, the web application can be vulnerable to remote file inclusion attacks.