CAPEC-101: Server Side Include (SSI) Injection
Description
Severity: High
Possibility: High
Type: Detailed
Relationships with other CAPECs
This table shows the other attack patterns and high level categories that are related to this attack pattern.
Prerequisites
- A web server that supports server side includes and has them enabled
- User controllable input that can carry include directives to the web server
Skills required
- Medium: The attacker needs to be aware of SSI technology, determine the nature of the injection, and be able to craft input that results in the SSI directives being executed.
Taxonomy mappings
Mappings to ATT&CK, OWASP and other frameworks.
Resources required
None: No specialized resources are required to execute this type of attack. Determining whether the server supports SSI does not require special tools, nor does injecting directives that get executed. Spidering tools can make the task of finding and following links easier.
Related CWE
A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful.
Visit http://capec.mitre.org/ for more details.