The behavior described, manipulating request parameters so the application retrieves and exposes files from the server's local directories, is characteristic of Local File Inclusion (LFI). LFI occurs when an application uses user-controllable input to construct a file path (often for templates, language files, includes, or uploads) and fails to validate or constrain it. An attacker can then supply values such as relative path traversal sequences ("../../etc/passwd") or absolute paths to force the application to read unintended local resources, disclosing sensitive files (configuration files, credentials, keys, environment files). When the included file is interpreted rather than merely returned (for example, a log or uploaded file containing code pulled in by a PHP include), the same flaw escalates to remote code execution. Strictly, an arbitrary read on its own is path traversal; the LFI label applies when the traversed path feeds an include or template-loading mechanism, as it does in this scenario.
In the scenario, Sophia is testing a "template upload feature," then "modifying the input parameters in an upload request" to "trick the application into retrieving sensitive files from the server's local directories," allowing her to view internal configuration files. That is a textbook LFI outcome: unauthorized read access to local files through a web interface, caused by missing input validation and insecure file path handling (the supplied name is joined onto a base directory without confirming that the resolved path still lies inside it).
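To make the flaw concrete, the following is an added Python example (not code from the original question or from any real application) contrasting a template loader that joins the request parameter onto a directory unchecked with a hardened loader that resolves the final path and refuses anything outside the template root. The directory layout, file names and the "secret" in app.env are constructed for the demonstration; the vulnerable function deliberately keeps the behavior the scenario describes.

```python
import os
import tempfile
from pathlib import Path


class UnsafePathError(ValueError):
    """Raised when a requested template name escapes the template directory."""


def build_demo_tree() -> Path:
    # Constructed layout for this example (hypothetical, not from the page):
    #   <root>/app/templates/welcome.tpl  -> the file the feature is meant to serve
    #   <root>/app/config/app.env         -> a "sensitive" file outside the template dir
    root = Path(tempfile.mkdtemp(prefix="lfi-demo-"))
    tpl_dir = root / "app" / "templates"
    cfg_dir = root / "app" / "config"
    tpl_dir.mkdir(parents=True)
    cfg_dir.mkdir(parents=True)
    (tpl_dir / "welcome.tpl").write_text("Hello, {{ user }}!\n")
    (cfg_dir / "app.env").write_text("DB_PASSWORD=constructed-example-secret\n")
    return root


def load_template_vulnerable(template_dir: Path, name: str) -> str:
    # The request parameter is concatenated onto the base directory with no check.
    # os.path.join neither neutralizes "../" segments nor keeps the base when
    # `name` is absolute: join("/srv/tpl", "/etc/passwd") == "/etc/passwd".
    path = os.path.join(str(template_dir), name)
    with open(path, "r") as f:
        return f.read()


def load_template_safe(template_dir: Path, name: str) -> str:
    # 1. Reject obviously malformed input before touching the filesystem.
    if not name or "\x00" in name or os.path.isabs(name):
        raise UnsafePathError(f"rejected template name: {name!r}")
    # 2. Resolve both the base and the candidate. resolve() collapses "..",
    #    and follows symlinks, so a link planted inside the template directory
    #    that points at /etc/passwd is also caught by the containment check.
    base = template_dir.resolve()
    target = (base / name).resolve()
    # 3. Require the resolved target to stay inside the resolved base.
    if os.path.commonpath([str(base), str(target)]) != str(base):
        raise UnsafePathError(f"path escapes template directory: {name!r}")
    # 4. Only serve regular files of the expected type.
    if not target.is_file() or target.suffix != ".tpl":
        raise UnsafePathError(f"not a template file: {name!r}")
    with open(target, "r") as f:
        return f.read()


def demo() -> dict:
    # Returns what each loader does for a legitimate name and for a traversal
    # payload, so the difference can be inspected (or asserted) directly.
    root = build_demo_tree()
    tpl_dir = root / "app" / "templates"
    results = {
        "vuln_legit": load_template_vulnerable(tpl_dir, "welcome.tpl"),
        "vuln_traversal": load_template_vulnerable(tpl_dir, "../config/app.env"),
        "safe_legit": load_template_safe(tpl_dir, "welcome.tpl"),
    }
    try:
        load_template_safe(tpl_dir, "../config/app.env")
        results["safe_traversal"] = "ALLOWED"
    except UnsafePathError as e:
        results["safe_traversal"] = f"blocked: {e}"
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v.strip()}")
```

The containment check is the essential control: denylisting "../" is not enough, because encoded variants (%2e%2e%2f, overlong UTF-8) and absolute paths bypass it, whereas comparing the canonicalized path against the canonicalized base catches every form of escape. The extension allowlist and is_file() check are the second layer that keeps the loader from serving anything except templates even inside its own directory.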
Why the other options are less accurate:
Insecure deserialization (A) involves unsafe reconstruction of attacker-supplied serialized objects, often leading to remote code execution; it does not involve retrieving local files via path manipulation.
Cookie poisoning (B) is tampering with cookie values to escalate privileges or alter application behavior; it does not inherently explain local file retrieval.
File injection (C) is a looser, non-standard term that can cover several file-related abuses (including remote file inclusion or malicious uploads), but the specific pattern of including or reading local files through a manipulated parameter is most precisely labeled Local File Inclusion.
Therefore, the correct answer is D. Local File Inclusion.