CAPEC-101: Server Side Include (SSI) Injection

Description
An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables the attacker to achieve similar results to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since the SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands.

Severity :

High

Possibility :

High

Type :

Detailed
Relationships with other CAPECs

This table shows the other attack patterns and high level categories that are related to this attack pattern.

CAPEC-253: Remote Code Inclusion Remote Code Inclusion CAPEC-600: Credential Stuffing Credential Stuffing
Prerequisites

This table shows the other attack patterns and high level categories that are related to this attack pattern.

  • A web server that supports server side includes and has them enabled
  • User controllable input that can carry include directives to the web server
Skills required

This table shows the other attack patterns and high level categories that are related to this attack pattern.

  • Medium The attacker needs to be aware of SSI technology, determine the nature of injection and be able to craft input that results in the SSI directives being executed.
Taxonomy mappings

Mappings to ATT&CK, OWASP and other frameworks.

WASC | SSI Injection OWASP Attacks | Server-Side Includes (SSI) Injection
Resources required

None: No specialized resources are required to execute this type of attack. Determining whether the server supports SSI does not require special tools, and nor does injecting directives that get executed. Spidering tools can make the task of finding and following links easier.

Related CWE

A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful.

CWE-20: Improper Input Validation

CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE-97: Improper Neutralization of Server-Side Includes (SSI) Within a Web Page

Visit http://capec.mitre.org/ for more details.