Difference between revisions of "OWASP Periodic Table of Vulnerabilities - SSI Injection"
Earlier revision: David Fern (talk | contribs) (Created page with "Return to Periodic Table Working View === SSI Injection === == Root Cause Summary == The root ...")
Later revision: David Fern (talk | contribs)

Changed at Line 5, under "== Root Cause Summary ==" (the "== Browser / Standards Solution ==" heading that follows is unchanged):

− The root cause of server-side includes/injection is the application's failure to validate data before it is inserted into a server-side interpreted HTML file. Some Web servers allow entering dynamic code to static HTML pages making it possible for an attacker to send code to a web application that will get executed by the web server

+ The root cause of server-side includes/injection is the application's failure to validate data before it is inserted into a server-side interpreted HTML file. Some Web servers allow entering dynamic code to static HTML pages making it possible for an attacker to send code to a web application that will get executed by the web server and possibly gain access to files or other exploits similiar to cross site scripting.
Latest revision as of 02:32, 22 July 2013
SSI Injection
Root Cause Summary
The root cause of server-side include (SSI) injection is the application's failure to validate data before it is inserted into a server-side interpreted HTML file. Some web servers allow dynamic directives to be embedded in otherwise static HTML pages, making it possible for an attacker to send directives to a web application that the web server will then execute, potentially gaining access to files or enabling other exploits similar to cross-site scripting.
Browser / Standards Solution
None
Perimeter Solution
None
Generic Framework Solution
Do not support SSI with dynamic file names.
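The following example is added here and is not part of the OWASP wiki page. It illustrates both the root cause above (untrusted data written verbatim into a file the server parses for SSI directives) and the framework-level fix (no SSI includes built from dynamic file names). The directive syntax `<!--#... -->` is the Apache-style SSI form; the template, sample inputs and the `ALLOWED_INCLUDES` table are constructed for the demonstration.

```python
import html
import re

# Apache-style SSI directives begin with "<!--#", e.g. <!--#include virtual="..." -->.
# The optional whitespace is deliberately permissive so the check errs on the side of detection.
SSI_DIRECTIVE = re.compile(r"<!--\s*#\s*(\w+)", re.IGNORECASE)

# Constructed sample inputs: a benign value and one that carries an SSI directive.
BENIGN = "Alice <alice@example.com>"
DIRECTIVE = 'Alice<!--#echo var="DATE_LOCAL" -->'

# Constructed page template; imagine it is written to a file the server treats as .shtml.
PAGE_TEMPLATE = "<html><body><p>Hello, {name}</p></body></html>\n"


def contains_ssi_directive(text: str) -> bool:
    """Return True if the text holds something an SSI parser would act on."""
    return SSI_DIRECTIVE.search(text) is not None


def build_shtml_vulnerable(name: str) -> str:
    """The root cause: untrusted data inserted verbatim into a server-parsed HTML file."""
    return PAGE_TEMPLATE.format(name=name)


def build_shtml_hardened(name: str) -> str:
    """Entity-encoding turns '<' into '&lt;', so '<!--#' can never reach the SSI parser."""
    return PAGE_TEMPLATE.format(name=html.escape(name, quote=True))


# "Do not support SSI with dynamic file names": a fixed key selects a fixed include path,
# so no user-controlled string ever becomes part of a directive.
ALLOWED_INCLUDES = {"header": "/inc/header.html", "footer": "/inc/footer.html"}


def include_directive(key: str) -> str:
    """Build an include directive only from an allow-listed key, never from a supplied path."""
    try:
        path = ALLOWED_INCLUDES[key]
    except KeyError:
        raise ValueError(f"unknown include key: {key!r}") from None
    return f'<!--#include virtual="{path}" -->'


if __name__ == "__main__":
    for label, page in (("vulnerable", build_shtml_vulnerable(DIRECTIVE)),
                        ("hardened", build_shtml_hardened(DIRECTIVE))):
        print(f"{label}: directive present = {contains_ssi_directive(page)}")
```

The detection check is also usable at the input boundary, rejecting values that would otherwise be stored and later rendered into an SSI-enabled page.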
Custom Framework Solution
None
Custom Code Solution
None
Discussion / Controversy
SSI Injection is sometimes simply called Server-side Include.
References
OWASP - Server-Side Includes (SSI) Injection
OWASP - Testing for SSI Injection (OWASP-DV-009)
CAPEC 101: Server Side Include (SSI) Injection
CWE-97: Improper Neutralization of Server-Side Includes (SSI) Within a Web Page