Project: WASC Threat Classification
Threat Type: Attack
Reference ID: WASC-36
SSI Injection
SSI Injection (Server-side Include) is a server-side exploit technique that allows an attacker to send code into a web application, which the web server will later execute locally. SSI Injection exploits a web application's failure to sanitize user-supplied data before it is inserted into a server-side interpreted HTML file.
Before serving an HTML web page, a web server may parse and execute Server-side Include statements before providing it to the client. In some cases (e.g. message boards, guest books, or content management systems), a web application will insert user-supplied data into the source of a web page.
If an attacker submits a Server-side Include statement, the attacker may be able to execute arbitrary operating system commands, or include a restricted file's contents, the next time the page is served. This is performed at the permission level of the web server user.
Example
The following SSI tag can allow an attacker to get the root directory listing on a UNIX based system.
<!--#exec cmd="/bin/ls /" -->
The following SSI tag can allow an attacker to obtain database connection strings, or other sensitive data contained within a .NET configuration file.
<!--#INCLUDE VIRTUAL="/web.config"-->
Mitigation
Disable SSI execution on pages that do not require it. For pages that require SSI, ensure that you perform the following checks:
- Only enable the SSI directives that are needed for this page and disable all others.
- HTML entity encode user-supplied data before passing it to a page with SSI execution permissions.
- Use SUExec[5] to have the page execute as the owner of the file instead of the web server user.
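The following is an added example, not code from the WASC page, showing the second mitigation in practice: user-supplied data is HTML-entity encoded before it is written into an SSI-parsed file, and a simple check flags input that carries an SSI directive so it can be logged or rejected. The directive names come from Apache's mod_include documentation cited in the references; the sample inputs are constructed for the example (two of them reuse the page's own example tags), and the function and variable names are the author's own.

```python
import html
import re

# Apache-style SSI directive names (from the mod_include documentation).
# The pattern is deliberately looser than Apache's own parser (it tolerates
# whitespace around '#') so that it works as a detection rule, and it is
# case-insensitive because the page's own example uses upper-case INCLUDE.
SSI_DIRECTIVE = re.compile(
    r"<!--\s*#\s*(exec|include|echo|config|set|printenv|fsize|flastmod"
    r"|if|elif|else|endif)\b",
    re.IGNORECASE,
)


def contains_ssi_directive(text: str) -> bool:
    """Return True if the text contains something an SSI parser could act on.

    Useful as an input check on a message board or guest book, or as a
    scanner over stored content / request logs when hunting for attempts."""
    return SSI_DIRECTIVE.search(text) is not None


def encode_for_ssi_page(user_input: str) -> str:
    """HTML-entity encode user-supplied data before it is written into a
    file the web server will parse for SSI.

    Encoding '<' and '>' turns '<!--#exec ... -->' into literal text: the
    SSI parser only acts on a real '<!--#' sequence, so the encoded form is
    displayed to the visitor but never executed by the server."""
    return html.escape(user_input, quote=True)


# Constructed sample inputs: two reuse the page's example tags, one is benign.
SAMPLES = {
    "exec": '<!--#exec cmd="/bin/ls /" -->',
    "include": '<!--#INCLUDE VIRTUAL="/web.config"-->',
    "benign": "Thanks for the <b>great</b> post!",
}


def audit(samples: dict) -> dict:
    """For each sample, record whether it carried an SSI directive before
    encoding and confirm that the encoded form no longer does."""
    report = {}
    for name, raw in samples.items():
        encoded = encode_for_ssi_page(raw)
        report[name] = {
            "raw_has_ssi": contains_ssi_directive(raw),
            "encoded_has_ssi": contains_ssi_directive(encoded),
            "encoded": encoded,
        }
    return report


if __name__ == "__main__":
    for name, r in audit(SAMPLES).items():
        print(f"{name:8} raw_ssi={r['raw_has_ssi']!s:5} "
              f"encoded_ssi={r['encoded_has_ssi']!s:5} {r['encoded']}")
```

Encoding is applied at the point where the data is written into the SSI-parsed file, not only at display time, because it is the server-side parse of that file that executes the directive. For the first mitigation in the list, Apache's `Options IncludesNOEXEC` (documented in the mod_include and security tips references) keeps `#include` of static files working while disabling `#exec` and the inclusion of CGI output, which is the usual way to enable only the directives a page actually needs.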
References
"Server Side Includes (SSI)" - NCSA HTTPd
[1] http://hoohoo.ncsa.uiuc.edu/docs/tutorials/includes.html
"Security Tips for Server Configuration" - Apache HTTPD
[2] http://httpd.apache.org/docs/misc/security_tips.html#ssi
"Header Based Exploitation: Web Statistical Software Threats" - CGISecurity.com
[3] http://www.cgisecurity.net/papers/header-based-exploitation.txt
"A practical vulnerability analysis"
[4] http://hexagon.itgo.com/Notadetapa/a_practical_vulnerability_analys.htm
"Apache suEXEC Support" - Apache HTTPD
[5] http://httpd.apache.org/docs/1.3/suexec.html
    http://httpd.apache.org/docs/2.0/suexec.html
"Apache Tutorial: Introduction to Server Side Includes" - Apache HTTPD
[6] http://httpd.apache.org/docs/2.0/howto/ssi.html
    http://httpd.apache.org/docs/1.3/howto/ssi.html
"Testing for SSI Injection" - OWASP
[7] http://www.owasp.org/index.php/Testing_for_SSI_Injection
"Server Side Include (SSI) Injection" - CAPEC
[8] http://capec.mitre.org/data/definitions/101.html