SSI Injection

Page history last edited by Robert Auger 10 years, 9 months ago

Project: WASC Threat Classification

Threat Type: Attack

Reference ID: WASC-36

 

SSI Injection

SSI Injection (Server-side Include) is a server-side exploit technique that allows an attacker to send code into a web application, which will later be executed locally by the web server. SSI Injection exploits a web application's failure to sanitize user-supplied data before it is inserted into a server-side interpreted HTML file.

A web server may parse and execute Server-side Include statements in an HTML web page before serving that page to the client. In some cases (e.g. message boards, guest books, or content management systems), a web application will insert user-supplied data into the source of a web page.

If an attacker submits a Server-side Include statement, he may have the ability to execute arbitrary operating system commands, or include a restricted file's contents the next time the page is served. This is performed at the permission level of the web server user.

 

Example

The following SSI tag can allow an attacker to get the root directory listing on a UNIX-based system.

 

<!--#exec cmd="/bin/ls /" -->

 

The following SSI tag can allow an attacker to obtain database connection strings, or other sensitive data contained within a .NET configuration file.

 

<!--#INCLUDE VIRTUAL="/web.config"-->

 

Mitigation

Disable SSI execution on pages that do not require it. For pages requiring SSI, ensure that you perform the following checks:

- Only enable the SSI directives that are needed for this page and disable all others.

- HTML entity encode user-supplied data before passing it to a page with SSI execution permissions.

- Use SUExec[5] to have the page execute as the owner of the file instead of the web server user.
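
The encoding and directive-restriction checks above, as an added example that is not part of the original WASC entry. The guest-book template, the function names and the one-item allowlist are assumptions made for illustration; the two sample inputs are the tags from the Example section.

```python
import html
import re

# Opening of an SSI directive, e.g. <!--#exec ... or <!--#INCLUDE ...
SSI_OPEN = re.compile(r"<!--#([a-z]+)", re.IGNORECASE)

# Assumption: the only directive this hypothetical template itself needs.
ALLOWED_DIRECTIVES = {"echo"}

# Hypothetical guest-book fragment saved into an SSI-parsed page.
ENTRY_TEMPLATE = (
    '<div class="entry">\n'
    '  <p>Rendered: <!--#echo var="DATE_LOCAL" --></p>\n'
    "  <p>{name} wrote: {message}</p>\n"
    "</div>\n"
)


def find_ssi_directives(text):
    """Return the lower-cased names of SSI directives the server would parse."""
    return [m.group(1).lower() for m in SSI_OPEN.finditer(text)]


def render_entry(name, message, encode=True):
    """Build the fragment; encode=False reproduces the vulnerable behaviour."""
    if encode:
        # HTML entity encoding turns '<' into '&lt;', so '<!--#' never
        # reaches the SSI parser as a directive opener.
        name = html.escape(name, quote=True)
        message = html.escape(message, quote=True)
    return ENTRY_TEMPLATE.format(name=name, message=message)


def unexpected_directives(page):
    """Directives present in the page that are outside the allowlist."""
    return sorted(set(find_ssi_directives(page)) - ALLOWED_DIRECTIVES)


# Constructed inputs: the two SSI tags shown in the Example section.
SAMPLES = ['<!--#exec cmd="/bin/ls /" -->', '<!--#INCLUDE VIRTUAL="/web.config"-->']

if __name__ == "__main__":
    for payload in SAMPLES:
        raw = render_entry("guest", payload, encode=False)
        safe = render_entry("guest", payload)
        print("unencoded:", unexpected_directives(raw))
        print("encoded:  ", unexpected_directives(safe))
```

Running unexpected_directives over stored pages before they are served also works as a review check: any name it returns is a directive the template author did not put there.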

 

References

"Server Side Includes (SSI)" - NCSA HTTPd

[1] http://hoohoo.ncsa.uiuc.edu/docs/tutorials/includes.html

 

"Security Tips for Server Configuration" - Apache HTTPD

[2] http://httpd.apache.org/docs/misc/security_tips.html#ssi

 

"Header Based Exploitation: Web Statistical Software Threats" - CGISecurity.com

[3] http://www.cgisecurity.net/papers/header-based-exploitation.txt

 

"A practical vulnerability analysis"

[4] http://hexagon.itgo.com/Notadetapa/a_practical_vulnerability_analys.htm

 

"Apache suEXEC Support"

[5] http://httpd.apache.org/docs/1.3/suexec.html http://httpd.apache.org/docs/2.0/suexec.html

 

"Apache Tutorial: Introduction to Server Side Includes"

[6] http://httpd.apache.org/docs/2.0/howto/ssi.html http://httpd.apache.org/docs/1.3/howto/ssi.html

 

"Testing for SSI Injection"

[7] http://www.owasp.org/index.php/Testing_for_SSI_Injection

 

"Server Side Include (SSI) Injection"

[8] http://capec.mitre.org/data/definitions/101.html
