Ever since Hakin9 stopped being carried at Barnes & Noble, it’s been pretty persona non grata to me (I would read it for free over lunches spent at B&N). But I see it’s still alive with an article titled, “Web Application Penetration Testing: Local File Inclusion (LFI) Testing.” Is this the definitive guide? No, but it’s surprisingly useful and covers plenty of bases. Also uses DVWA for examples, meaning you can do some follow-alongs.
I do want to point out the php://filter/convert.base64-encode/resource=/etc/passwd section. This is highly useful if output of files isn’t very pretty, usually meaning carriage returns are not displayed properly. Outputting into base64 and then decoding it means things like long config files aren’t hell to read.