SSI injection (Server-Side Include injection) is a server-side attack in which an attacker submits SSI directives to an application so that they are later executed locally by the web server. SSI injection attacks can only succeed when the web server permits SSI execution and the application fails to validate the input properly.
SSIs are directives placed in web pages to feed an HTML page with dynamic content. They are similar to CGI scripts, except that SSIs are used to execute some actions before the current page is loaded or while the page is being rendered. To do this, the web server parses the SSI directives before serving the page to the user. SSI injection exploits a web application's failure to sanitize user-supplied data before inserting that data into a server-side interpreted HTML file.
With an SSI injection attack, the attacker can access sensitive information such as password files and execute shell commands. The SSI directives are injected into input fields and sent to the web server. The web server parses and executes the directives before serving the page. The result of the attack is then visible the next time that page is loaded in the user's browser.
Any user-controlled input should be properly validated to prevent the insertion of dangerous characters that could be interpreted as part of an SSI directive.
Users should be prohibited from uploading HTML pages within the application where possible, as the contents of the page can be manipulated by the user to contain SSI statements. If user data must be dynamically loaded into HTML webpage elements, the data should be properly HTML-encoded before being rendered.
The presence of pages with .stm, .shtm and .shtml extensions within the application should be avoided, as these extensions reveal that SSI processing is enabled and are often used by attackers to discover where SSI attacks may be possible.
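The two mitigations above (rejecting input that looks like an SSI directive, and HTML-encoding user data before it is rendered into a server-parsed page) are shown in the following added example, which is not part of the original page. The template, sample inputs and function names are constructed for illustration; the directive list is that of Apache mod_include.

```python
import html
import re

# Opening of an SSI directive: "<!--#" followed by a directive name. The names
# are the Apache mod_include directive set; matching is deliberately permissive
# (case-insensitive, optional whitespace) so that obfuscated variants are caught.
SSI_DIRECTIVE = re.compile(
    r"<!--\s*#\s*(config|echo|elif|else|endif|exec|flastmod|fsize|if|include|printenv|set)\b",
    re.IGNORECASE,
)


def contains_ssi_directive(value: str) -> bool:
    """True if a user-supplied value contains what looks like an SSI directive."""
    return SSI_DIRECTIVE.search(value) is not None


def validate_input(value: str) -> str:
    """Input validation: reject values that could be interpreted as an SSI directive."""
    if contains_ssi_directive(value):
        raise ValueError("input contains an SSI directive")
    return value


def vulnerable_render(template: str, value: str) -> str:
    """Insecure: raw interpolation into a server-parsed (.shtml) page. Illustration only."""
    return template.replace("{{name}}", value)


def safe_render(template: str, value: str) -> str:
    """HTML-encode before rendering: '<' becomes '&lt;', so '<!--#' can never form."""
    return template.replace("{{name}}", html.escape(value, quote=True))


# Constructed sample data (hypothetical; not taken from the page).
TEMPLATE = "<html><body>Hello {{name}}</body></html>"
BENIGN = "Alice O'Neil <alice@example.test>"
MALICIOUS = '<!--#echo var="DOCUMENT_NAME" -->'

if __name__ == "__main__":
    for sample in (BENIGN, MALICIOUS):
        print(f"{sample!r}: directive={contains_ssi_directive(sample)}")
        print("  unsafe:", vulnerable_render(TEMPLATE, sample))
        print("  safe:  ", safe_render(TEMPLATE, sample))
```

Encoding is the more robust of the two controls, since the detection regex can only flag patterns it knows about; validation is a useful additional layer for logging and alerting on attempts.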