SSI Injection
Overview of the attack
Server-Side Includes (SSIs) are commands processed by the web server prior to the containing web page being sent to the user. In SSI injection attacks an attacker manipulates SSIs contained within the web page. The attacks potentially give the attacker full control over the web server.
What makes a site vulnerable?
A site may be vulnerable to SSI injection in two ways. It may be vulnerable if the website uses user input in the parameters of an SSI. By modifying those parameters in unexpected ways, the attacker may be able to execute SSIs never intended by the site developers. Alternatively, it may be vulnerable if the website uses user input in the construction of a page which is later interpreted for SSIs (such pages will also be vulnerable to XSS). Even if the site isn't using SSIs itself, the attacker may be able to insert complete SSI directives into such a page.
Impact of the attacks
Server-side include injections can have a very significant impact. One feature of SSIs is that they allow commands to be run on the underlying operating system. This can be used to take control of the web server. The attacker could, for instance, easily upload a web-based shell script and then remotely control the server via this script. In doing so, the attacker could make arbitrary changes to, or completely destroy, the website.
Example of the attack
List files:
<!--#exec cmd="ls" -->
Preventing the attack
SSI injection can be prevented in several ways. First of all, SSI execution should be disabled if SSI functionality is not required. If SSIs are used, any user input in their construction should be carefully vetted to ensure that malicious input is rejected. If user input is used in the construction of the web page itself, then that input should be filtered (ideally against a white-list) to remove any server-side includes contained within it, or HTML encoded to prevent the user input from being treated as SSIs.
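The following is an added example, not code from the original page, showing the two input-side defences just described: an allow-list check that rejects anything beyond plain text, and an HTML-encoding step that stops "<!--#" from ever forming a directive. It also includes a detector for SSI directive syntax that can be used for logging or for rejecting input outright; the directive names and the allow-list pattern are assumptions chosen for the example.

```python
import html
import re

# Anything that starts an SSI directive ("<!--#", with optional whitespace).
# Matched loosely so that an unterminated directive is still flagged.
SSI_START = re.compile(r"<!--\s*#", re.IGNORECASE)

# A complete directive: "<!--#", a directive name, attributes, then "-->".
SSI_DIRECTIVE = re.compile(r"<!--\s*#\s*([a-z]+)\b.*?-->", re.IGNORECASE | re.DOTALL)

# Allow-list for a free-text field: letters, digits, space and basic punctuation.
# This is a constructed policy for the example; tighten it to what the field really needs.
ALLOWED_TEXT = re.compile(r"^[\w .,!?'-]*$")


def find_ssi_directives(text: str) -> list[str]:
    """Return the names of complete SSI directives found in the text, in order."""
    return [m.group(1).lower() for m in SSI_DIRECTIVE.finditer(text)]


def contains_ssi(text: str) -> bool:
    """True if the text contains the start of an SSI directive, terminated or not."""
    return SSI_START.search(text) is not None


def vet_input(text: str) -> str:
    """Allow-list approach: reject input that is not plain text.

    Raises ValueError so the caller can refuse the request and log the attempt.
    """
    if contains_ssi(text):
        raise ValueError("input contains an SSI directive")
    if not ALLOWED_TEXT.match(text):
        raise ValueError("input contains characters outside the allow-list")
    return text


def encode_for_page(text: str) -> str:
    """Encoding approach: HTML-encode so the server never sees '<!--#' in the page.

    '<' becomes '&lt;', so the include processor cannot parse the result as a directive.
    """
    return html.escape(text, quote=True)
```

Disabling the feature entirely where it is not needed is still the first step; for Apache that means removing Includes from the Options directive (or using IncludesNOEXEC to keep plain includes but forbid exec).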