Difference between revisions of "OWASP Periodic Table of Vulnerabilities - SSI Injection"

From OWASP
Jump to: navigation, search
(Created page with "Return to Periodic Table Working View === SSI Injection === == Root Cause Summary == The root ...")
 
 
Line 5: Line 5:
 
== Root Cause Summary ==
 
== Root Cause Summary ==
  
The root cause of server-side includes/injection is the application's failure to validate data before it is inserted into a server-side interpreted HTML file. Some Web servers allow entering dynamic code to static HTML pages making it possible for an attacker to send code to a web application that will get executed by the web server similar to cross site scripting.
+
The root cause of server-side includes/injection is the application's failure to validate data before it is inserted into a server-side interpreted HTML file. Some Web servers allow entering dynamic code to static HTML pages making it possible for an attacker to send code to a web application that will get executed by the web server and possibly gain access to files or other exploits similiar to cross site scripting.
  
 
== Browser / Standards Solution ==
 
== Browser / Standards Solution ==

Latest revision as of 21:32, 21 July 2013

Return to Periodic Table Working View

Contents

SSI Injection

Root Cause Summary

The root cause of server-side includes/injection is the application's failure to validate data before it is inserted into a server-side interpreted HTML file. Some Web servers allow entering dynamic code to static HTML pages making it possible for an attacker to send code to a web application that will get executed by the web server and possibly gain access to files or other exploits similiar to cross site scripting.

Browser / Standards Solution

None

Perimeter Solution

None

Generic Framework Solution

Do not support SSI with dynamic file names.

Custom Framework Solution

None

Custom Code Solution

None

Discussion / Controversy

SSI Injection is sometimes called Server-side Include

References

OWASP – Server-Side Includes (SSI) Injection

OWASP - Testing for SSI Injection (OWASP-DV-009)

WASC - SSI Injection

CAPEC 101: Server Side Include (SSI) Injection

CWE-97: Improper Neutralization of Server-Side Includes (SSI) Within a Web Page