OWASP Periodic Table of Vulnerabilities - SSI Injection

From OWASP
Revision as of 21:32, 21 July 2013 by David Fern (Talk | contribs)



SSI Injection

Root Cause Summary

The root cause of server-side include (SSI) injection is the application's failure to validate data before it is inserted into an HTML file that the server interprets. Some web servers allow dynamic code to be embedded in otherwise static HTML pages, making it possible for an attacker to send code to a web application that the web server will then execute, possibly gaining access to files or enabling other exploits similar to cross-site scripting.

Browser / Standards Solution

None

Perimeter Solution

None

Generic Framework Solution

Do not support SSI with dynamic file names.
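The two points above (neutralize untrusted data before it reaches an SSI-interpreted page, and never build include file names from user input) are shown below in an added Python example. It is not code from the OWASP page or from any SSI-capable server; the page template, the `{{name}}` placeholder, the include table and the sample input are all constructed for illustration. The vulnerable renderer splices user data into the page verbatim, the hardened one HTML-encodes it so that a `<` can never open an SSI directive, and `resolve_include` maps a user-chosen key onto a fixed list of include paths instead of accepting a path.

```python
import html
import re

# An SSI-enabled server looks for "<!--#" as the opening of a directive
# (whitespace between "--" and "#" is tolerated by some parsers).
SSI_DIRECTIVE = re.compile(r"<!--\s*#")

# Constructed template standing in for a .shtml page the server will parse.
PAGE_TEMPLATE = "<html><body>Hello, {{name}}!</body></html>\n"

# Constructed, fixed table of includes the application is willing to pull in.
# The user may choose a key; the path itself is never derived from user input.
ALLOWED_INCLUDES = {
    "header": "/includes/header.html",
    "footer": "/includes/footer.html",
}


def contains_ssi_directive(value: str) -> bool:
    """Detection check: does this text carry the opening of an SSI directive?"""
    return SSI_DIRECTIVE.search(value) is not None


def render_unsafe(template: str, untrusted: str) -> str:
    """Vulnerable: untrusted data is inserted verbatim, so any directive in it
    reaches the server's SSI parser intact."""
    return template.replace("{{name}}", untrusted)


def render_safe(template: str, untrusted: str) -> str:
    """Hardened: HTML-encode the data first. '<' becomes '&lt;', so the
    server never sees a directive opener, whatever the user supplied."""
    return template.replace("{{name}}", html.escape(untrusted, quote=True))


def resolve_include(key: str) -> str:
    """Look up an include by key against the fixed table; refuse anything else.
    This is what 'no SSI with dynamic file names' looks like in code."""
    try:
        return ALLOWED_INCLUDES[key]
    except KeyError:
        raise ValueError(f"unknown include: {key!r}") from None


if __name__ == "__main__":
    # Constructed sample: the benign 'echo' directive, which prints a server variable.
    sample = '<!--#echo var="DOCUMENT_NAME" -->'
    print("unsafe page has directive:", contains_ssi_directive(render_unsafe(PAGE_TEMPLATE, sample)))
    print("safe page has directive:  ", contains_ssi_directive(render_safe(PAGE_TEMPLATE, sample)))
    print("include for 'header':     ", resolve_include("header"))
```

Encoding on output is the control that holds even when validation is bypassed; the `contains_ssi_directive` check is useful as a logging or rejection point but should not be the only defence. On Apache httpd the server side of the same mitigation is to leave `Includes` out of the directory's `Options`, or to use `IncludesNOEXEC` so that `exec` directives are not honoured even where SSI is enabled.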

Custom Framework Solution

None

Custom Code Solution

None

Discussion / Controversy

SSI Injection is sometimes referred to simply as "Server-Side Include".

References

OWASP - Server-Side Includes (SSI) Injection

OWASP - Testing for SSI Injection (OWASP-DV-009)

WASC - SSI Injection

CAPEC-101: Server Side Include (SSI) Injection

CWE-97: Improper Neutralization of Server-Side Includes (SSI) Within a Web Page