Improper Neutralization of Server-Side Includes (SSI) Within a Web Page

Status: Draft
Abstraction: Variant
Structure: Simple
Description

This vulnerability occurs when a web application dynamically generates pages but fails to properly sanitize user-supplied input that could be interpreted as server-side include (SSI) commands, allowing an attacker to inject malicious directives.

Extended Description

Server-Side Includes (SSI) are directives placed in HTML pages that are executed on the server before the page is sent to the user's browser. They are useful for including reusable content like headers or footers. However, if an application inserts user input directly into a page that gets parsed for SSI, an attacker can inject directives like `<!--#exec cmd="rm -rf /"-->` or `<!--#include virtual="/etc/passwd"-->` to execute commands, read sensitive files, or otherwise compromise the server. To prevent this, developers must treat all user input as untrusted and implement strict output encoding or validation specifically for SSI contexts. This involves either disabling SSI parsing on pages that handle user input, using a safe templating system that automatically escapes special characters, or employing a positive allowlist of permitted characters that explicitly excludes SSI directive syntax (like `<!--#` and `-->`). Regular input validation for SQL or XSS is not sufficient, as the attack targets a different parsing layer on the server.
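An added illustration of the detection check and the two mitigations the extended description names (output encoding and a positive allowlist), not code from the CWE entry itself; the page fragment, the display-name field and the sample inputs are constructed for the example, and the encoding mitigation assumes the input lands in an HTML text context.

```python
import html
import re
from typing import Optional

# Every SSI directive opens with the literal "<!--#" followed by a keyword
# (include, exec, echo, config, set, ...); matching the opener rather than a
# fixed keyword list flags any directive, whichever one is used.
SSI_OPENER_RE = re.compile(r"<!--#\s*([A-Za-z]+)")
# Positive allowlist: no '<' or '>' at all, so neither "<!--#" nor "-->" can be spelled.
NAME_ALLOWLIST_RE = re.compile(r"[A-Za-z0-9 .'_-]{1,64}")

# Constructed sample inputs: a benign name and the include directive quoted
# in the extended description above.
BENIGN_INPUT = "Alice O'Neil"
MALICIOUS_INPUT = '<!--#include virtual="/etc/passwd"-->'

# Hypothetical page fragment: the header include is trusted template content;
# {name} is where user-controlled input is interpolated.
PAGE_TEMPLATE = '<!--#include virtual="/header.shtml" -->\n<p>Welcome, {name}</p>\n'

def find_ssi_directive(text: str) -> Optional[str]:
    """Detection: the directive keyword if the text carries SSI syntax, else None."""
    m = SSI_OPENER_RE.search(text)
    return m.group(1).lower() if m else None

def neutralize_for_ssi(text: str) -> str:
    """Mitigation by output encoding (HTML text context): html.escape rewrites
    '<', '>', '&' and quotes as entities, so "<!--#" never reaches the SSI parser."""
    return html.escape(text, quote=True)

def validate_display_name(name: str) -> str:
    """Alternative mitigation: reject anything outside the allowlist."""
    if not NAME_ALLOWLIST_RE.fullmatch(name):
        raise ValueError("display name contains characters outside the allowlist")
    return name

def render_vulnerable(name: str) -> str:
    """The weakness: raw input lands in a page the server parses for SSI."""
    return PAGE_TEMPLATE.format(name=name)

def render_hardened(name: str) -> str:
    """The fix: encode before interpolation; the template's own trusted include keeps working."""
    return PAGE_TEMPLATE.format(name=neutralize_for_ssi(name))

def count_directives(page: str) -> int:
    """Number of SSI directives the server would act on in a rendered page."""
    return len(SSI_OPENER_RE.findall(page))
```

Note that `html.escape` is the right neutralization only because the SSI parser keys on the literal `<` of `<!--#`; if the same input is later decoded back into HTML before SSI parsing, the allowlist approach is the safer choice.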

Common Consequences
Scope: Confidentiality, Integrity, Availability

Impact: Execute Unauthorized Code or Commands

Applicable Platforms
Languages: Not Language-Specific (Prevalence: Undetermined)
Modes of Introduction
Implementation
Taxonomy Mapping
  • PLOVER
  • WASC
Notes
Relationship: This can be resultant from XSS/HTML injection because the same special characters can be involved. However, this is server-side code execution, not client-side.