SSI injection (Server-Side Include injection) is a server-side attack that lets an attacker send code into an application that is later executed locally by the web server. SSI injection attacks can only succeed when the web server permits SSI execution without proper validation of the data it parses.
SSIs are directives embedded in web pages that feed an HTML page with dynamic content. They are similar to CGIs, except that SSIs execute some action before the current page is delivered or while it is being rendered. To do this, the web server evaluates the SSI directives before supplying the page to the user. SSI injection exploits a web application's failure to sanitize user-supplied data before inserting that data into a server-side interpreted HTML file.
With an SSI injection attack, the attacker can access sensitive information such as password files and execute shell commands. The SSI directives are injected into input fields and sent to the web server, which parses and executes the directives before supplying the page. The result of the attack becomes visible the next time that page is loaded in the user's browser.
An attacker could detect possible SSI functionality on the target server by looking for characteristic file extensions (.stm, .shtm, .shtml), or by exploiting a server misconfiguration that allows fetching the .htaccess file located in an SSI-enabled directory. Although SSI attacks are more limited in scope than XSS (full scripting with JavaScript) or SQL injection (database manipulation), they remain a high-severity vulnerability if exploited, since an attacker could execute arbitrary shell commands or gain access to sensitive files (e.g. password files).
Any user-controlled input should be properly validated to prevent the insertion of characters that could be interpreted as part of an SSI directive.
Where possible, users should be prohibited from uploading HTML pages to the application, as the contents of such a page can be manipulated by the user to contain SSI statements. If user data must be dynamically loaded into HTML page elements, the data should be properly HTML-encoded before being rendered.
Pages with .stm, .shtm and .shtml extensions should be avoided within the application, as these extensions are often used to discover whether SSI attacks are possible.
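The following is an added example illustrating the mitigations above; it is not code from the original page or from any particular web server. It assumes the common `<!--#directive ... -->` SSI syntax and a hypothetical `{{name}}` placeholder in a server-parsed template. It shows the unsafe pattern (raw user data inserted into a server-parsed file) beside a hardened version that rejects directive-shaped input and HTML-encodes everything else, plus a small check for the SSI-associated file extensions mentioned above.

```python
import html
import os
import re

# Matches the opener of an SSI directive: "<!--#" followed by a directive name
# (e.g. "<!--#echo", "<!--#include"). Assumption: Apache/IIS-style SSI syntax.
SSI_DIRECTIVE_RE = re.compile(r"<!--\s*#\s*[A-Za-z]+")

# File extensions that servers commonly parse for SSI (from the text above).
SSI_EXTENSIONS = {".stm", ".shtm", ".shtml"}


def contains_ssi_directive(value: str) -> bool:
    """Return True if the value contains anything shaped like an SSI directive."""
    return SSI_DIRECTIVE_RE.search(value) is not None


def render_user_value(value: str) -> str:
    """HTML-encode user data so '<', '>', '&' and quotes can no longer form
    markup or an SSI directive once inserted into a server-parsed page."""
    return html.escape(value, quote=True)


def build_page_unsafe(template: str, user_value: str) -> str:
    """Vulnerable pattern: user data is dropped into the template verbatim.
    If the server parses this file for SSI, injected directives will run."""
    return template.replace("{{name}}", user_value)


def build_page(template: str, user_value: str) -> str:
    """Hardened pattern: reject directive-shaped input outright and
    HTML-encode whatever remains before it reaches the parsed template."""
    if contains_ssi_directive(user_value):
        raise ValueError("input rejected: contains an SSI directive pattern")
    return template.replace("{{name}}", render_user_value(user_value))


def has_ssi_extension(path: str) -> bool:
    """Flag files whose extension signals server-side parsing for SSI."""
    return os.path.splitext(path)[1].lower() in SSI_EXTENSIONS


if __name__ == "__main__":
    # Constructed sample template and inputs (not taken from any real site).
    template = "<html><body>Hello {{name}}</body></html>"
    benign = "Bob <b>"
    directive = '<!--#echo var="DATE_LOCAL" -->'  # a standard SSI directive

    print(build_page_unsafe(template, directive))  # directive survives intact
    print(build_page(template, benign))            # "Hello Bob &lt;b&gt;"
    try:
        build_page(template, directive)
    except ValueError as exc:
        print("rejected:", exc)
    print(has_ssi_extension("/var/www/html/profile.shtml"))  # True
```

The regex check is a defence-in-depth layer; the HTML encoding alone already prevents `<!--#` from reaching the SSI parser as a directive, because `<` is rendered as `&lt;`. Rejecting directive-shaped input in addition gives a clear signal for logging and alerting when someone probes the field.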