SSI injection (Server-side Include) is a server-side exploit that lets an attacker send code into an application to be executed later, locally, by the web server. SSI injection attacks can only be successful when the web server permits SSI execution without proper validation.
SSIs are directives present on web applications used to feed an HTML page with dynamic contents. They are similar to CGIs, except that SSIs are used to execute some actions before the current page is loaded or while the page is being visualized. In order to do this, the web server analyzes SSI before supplying the page to the user. SSI Injection exploits a web application’s failure to sanitize user-supplied data before inserting the data into a server-side interpreted HTML file.
With an SSI injection attack, the attacker can access sensitive information such as password files, and execute shell commands. The SSI directives are injected in input fields and sent to the web server. The web server parses and executes the directives before supplying the page. The attack result is then viewable the next time that page is loaded for the user's browser.