A web application is vulnerable to file inclusion attacks, allowing users to upload files or submit input. Which statement correctly describes the types of file inclusion attacks and their potential impacts?

Multiple Choice

Explanation:
File inclusion vulnerabilities arise when a web application uses user-supplied input to build a file path and then includes that file for processing. Local File Inclusion (LFI) pulls in files from the server itself, while Remote File Inclusion (RFI) fetches a file from an attacker-controlled URL and includes its contents. Both can lead to serious impacts.

Data exfiltration is possible because an attacker can point the inclusion at sensitive files the application has access to, such as configuration files or credentials, and relay that data back to the attacker. Arbitrary code execution is a major risk: if the included file contains executable code, or if the attacker supplies special payloads (for example, crafted local files or URL wrappers) that the server interprets, the attacker can run commands on the server. RFI is particularly dangerous for remote code execution (RCE) because the server fetches and executes code directly from a remote location under the attacker's control. LFI can also lead to code execution when the server processes a locally included file that contains executable code, or when the attacker uses special wrappers to execute code from local files.

Once code execution is achieved, planting a web shell becomes feasible: a lightweight program that gives the attacker a remote command interface, enabling persistence, further exploitation, and ongoing control of the compromised server.

In short, both local and remote file inclusion can enable data exfiltration, arbitrary code execution, and the deployment of web shells, making the stated answer the best description of these attack types and their potential impacts.
