1. Introduction
Server-Side Inclusion Injection is a web security vulnerability that allows an attacker to inject malicious code into a server’s response by including unsafe user-controlled data in Server-Side Include (SSI) directives. This can lead to remote code execution on the affected server, compromising confidentiality, integrity and availability of the system. Web applications using SSI without proper input validation are typically affected. A successful exploit could allow an attacker to fully control the web server.
2. Technical Explanation
A Server-Side Inclusion Injection vulnerability occurs when a web application uses user-supplied data directly within SSI directives without sanitisation. This allows attackers to inject arbitrary code that is then executed by the server. The attacker needs to be able to control part of the request that ends up in an SSI directive. Common Web Application Firewalls (WAFs) may not detect this type of attack if it’s crafted carefully.
- Root cause: Missing or insufficient input validation on user-supplied data used within SSI directives.
- Exploit mechanism: An attacker crafts a malicious payload containing SSI code and injects it into an application parameter that is included in an SSI directive. The server then executes the injected code. For example, injecting <!--#exec cmd="ls -la" --> could list directory contents.
- Scope: Web servers using SSI directives with vulnerable applications are affected. Specific versions depend on application frameworks and configurations.
3. Detection and Assessment
Confirming a vulnerability requires checking for unsafe use of user input in SSI contexts. A quick check involves examining the application’s source code or configuration files for direct inclusion of user-supplied data within SSI directives. Thorough assessment can be done through dynamic testing.
- Quick checks: Review web server configurations (e.g., Apache’s httpd.conf) for enabled SSI and any related user input handling.
- Scanning: Burp Suite or OWASP ZAP can be used to identify potential injection points by fuzzing inputs that are likely to be processed as SSI directives. These tools may require custom rules.
- Logs and evidence: Examine web server access logs for unusual requests containing SSI syntax (e.g., <!--#exec or similar <!--# directives). Look for errors related to SSI processing. A first pass over the access log (the log path is an assumption; adjust it to your server) is:
grep -i '<!--#' /var/log/apache2/access.log
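The following Python script is an added example, not code from the original page. It puts the exploit mechanism and the log check above together: the vulnerable rendering pattern beside its hardened form, and an access-log scan that URL-decodes requests before matching, since payloads arrive encoded on the wire. The page template, the log lines and the request path are constructed for illustration.

```python
import html
import re
from urllib.parse import unquote

# Matches the opener of an SSI directive such as <!--#exec or <!--#include.
# Case-insensitive so that <!--#EXEC is not missed.
SSI_DIRECTIVE = re.compile(r"<!--#\s*([a-z]+)", re.IGNORECASE)


def find_ssi_directives(text: str) -> list[str]:
    """Return the lower-cased names of all SSI directives found in text."""
    return [m.group(1).lower() for m in SSI_DIRECTIVE.finditer(text)]


def render_unsafe(username: str) -> str:
    """Vulnerable: user input is written verbatim into an SSI-parsed page,
    so a value containing <!--#exec ...--> becomes a live directive."""
    return f"<p>Welcome, {username}</p>"


def render_safe(username: str) -> str:
    """Hardened: HTML-encoding turns '<' into '&lt;', so the SSI parser never
    sees the '<!--#' opener and the input is rendered as literal text.
    (Disabling exec with Apache's 'Options IncludesNOEXEC' limits impact too.)"""
    return f"<p>Welcome, {html.escape(username, quote=True)}</p>"


def scan_access_log(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Flag log lines whose request carries an SSI directive. Each line is
    URL-decoded first: a payload is logged as %3C!--%23exec..., which a raw
    grep for the literal '<!--#' prefix would miss."""
    hits = []
    for line in lines:
        names = find_ssi_directives(unquote(line))
        if names:
            hits.append((line, names))
    return hits


# Constructed sample log lines (not real traffic): one benign request and
# one carrying the page's exec payload in URL-encoded form.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET /profile.shtml?name=alice HTTP/1.1" 200 512',
    '192.0.2.11 - - [10/Oct/2023:13:56:02 +0000] "GET /profile.shtml?name='
    '%3C!--%23exec%20cmd%3D%22ls%20-la%22%20--%3E HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    payload = '<!--#exec cmd="ls -la" -->'
    print("unsafe:", find_ssi_directives(render_unsafe(payload)))  # ['exec']
    print("safe:  ", find_ssi_directives(render_safe(payload)))    # []
    for line, names in scan_access_log(SAMPLE_LOG):
        print("flagged", names, "in:", line)
```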