As the name suggests, this vulnerability can be exploited by including a file in the URL (by entering the path). The file that was included can be local to the server, and thus be called Local File Inclusion, or it (the path of the file) can point to a remote file, and thus be called a Remote File Inclusion.

Modern programming languages and web servers have built-in mechanisms to protect against this flaw. Unfortunately, in real life, you will encounter a lot of applications developed by legacy programming languages such as JSP (Java), ASP (Microsoft), and PHP, so the chance of finding a similar vulnerability is still there. One problem that can cause this issue is when the developer forgets to include a validation on the server side.