OWASP Periodic Table of Vulnerabilities - SSI Injection
SSI Injection
Root Cause Summary
The root cause of server-side include (SSI) injection is the application's failure to validate data before it is inserted into a server-side interpreted HTML file. Some web servers allow dynamic code to be embedded in static HTML pages, so an attacker can send code to a web application that the web server will then execute, possibly gaining access to files or enabling other exploits similar to cross-site scripting.
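The validation step described above, sketched as an added example that is not part of the original OWASP page: user data is HTML-encoded before it is written into a page the server parses for SSI, so it can no longer form a directive. The template, the function names and the sample comment are assumptions constructed for illustration; the template's own include uses a static file name.

```python
import html
import re

# Start of an SSI directive, e.g. <!--#echo ... --> or <!--#include ... -->
SSI_DIRECTIVE = re.compile(r"<!--\s*#\s*\w+", re.IGNORECASE)

# Constructed template for a server-parsed page. Its only directive is the
# page author's own include, and that include uses a static file name.
TEMPLATE = (
    "<html><body>\n"
    "<p>Latest comment: {comment}</p>\n"
    '<!--#include virtual="/footer.html" -->\n'
    "</body></html>\n"
)

# Constructed sample input carrying a harmless directive.
SAMPLE_COMMENT = 'Nice post <!--#echo var="DATE_LOCAL" -->'


def contains_ssi_directive(value: str) -> bool:
    """Detection: True if the value contains the start of an SSI directive."""
    return SSI_DIRECTIVE.search(value) is not None


def neutralize(value: str) -> str:
    """Encode <, >, &, and quotes so the value cannot open a directive."""
    return html.escape(value, quote=True)


def render_unvalidated(comment: str) -> str:
    """The root cause: data is inserted into the parsed file as-is."""
    return TEMPLATE.format(comment=comment)


def render_validated(comment: str) -> str:
    """The fix: data is neutralized before insertion."""
    return TEMPLATE.format(comment=neutralize(comment))


def count_directives(page: str) -> int:
    """Number of directives the server-side parser would find in the page."""
    return len(SSI_DIRECTIVE.findall(page))


if __name__ == "__main__":
    print("input flagged:", contains_ssi_directive(SAMPLE_COMMENT))
    print("unvalidated:", count_directives(render_unvalidated(SAMPLE_COMMENT)))
    print("validated:", count_directives(render_validated(SAMPLE_COMMENT)))
```

A directive count above the number the template author wrote means user data reached the SSI parser unencoded.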
Browser / Standards Solution
None
Perimeter Solution
None
Generic Framework Solution
Do not support SSI with dynamic file names.
Custom Framework Solution
None
Custom Code Solution
None
Discussion / Controversy
SSI Injection is sometimes called Server-side Include.
References
OWASP – Server-Side Includes (SSI) Injection
OWASP - Testing for SSI Injection (OWASP-DV-009)
CAPEC 101: Server Side Include (SSI) Injection
CWE-97: Improper Neutralization of Server-Side Includes (SSI) Within a Web Page