Which web application attack type is more severe: Local File Inclusion (LFI) or Code Excution? Most people would say the latter as the majority of threat modeling excercises assign LFI attacks/vulnerabilities a lower severity rating. Successful LFI attacks normally result in information or data leakages as the attackers are able to access existing files but not create them. Code execution attacks, on the other hand, allow the attacker to run commands on your system as if they had local access on a command prompt. The result is that LFI attacks and vulnerabilities may not be given a high priority designation from a remediation perspective. In this blog post, I will show an LFI attack that we have seen that demonstrates how attackers can turn LFI attacks into Code Execution attacks.