
OWASP Periodic Table of Vulnerabilities - SSI Injection

Revision as of 02:32, 22 July 2013 by David Fern (talk | contribs)


SSI Injection

Root Cause Summary

The root cause of server-side include (SSI) injection is the application's failure to validate data before it is inserted into a server-side interpreted HTML file. Some web servers allow dynamic code to be embedded in static HTML pages, which makes it possible for an attacker to send code to a web application that the web server will then execute, possibly gaining access to files or enabling other exploits similar to cross-site scripting.
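The following Python sketch is an added example, not part of the original wiki page. It shows the root cause next to one way to neutralize it: untrusted data is HTML-encoded before it is placed in a page the server parses for SSI. The template, function names and sample comment are constructed for illustration.

```python
import html
import re

# SSI directives look like <!--#name attr="value" -->. The opener is what the
# server's include parser reacts to; optional whitespace is allowed here so the
# check errs on the conservative side.
SSI_OPENER = re.compile(r"<!--\s*#")

# Constructed template standing in for a file the web server parses for SSI
# (for example a .shtml page that stores visitor comments).
TEMPLATE = "<html><body><h1>Guestbook</h1><p>{comment}</p></body></html>"

# Constructed sample input: a harmless directive that prints the server date.
SAMPLE = 'Nice site! <!--#echo var="DATE_LOCAL" -->'


def contains_ssi_directive(text: str) -> bool:
    """Return True if text contains something that opens an SSI directive."""
    return SSI_OPENER.search(text) is not None


def render_unsafe(comment: str) -> str:
    """The root cause: untrusted data is written into the parsed page as-is."""
    return TEMPLATE.format(comment=comment)


def render_safe(comment: str) -> str:
    """Encode untrusted data first, so '<' becomes '&lt;' and no directive
    opener can survive into the file the server interprets."""
    encoded = html.escape(comment, quote=True)
    return TEMPLATE.format(comment=encoded)


if __name__ == "__main__":
    for name, render in (("unsafe", render_unsafe), ("safe", render_safe)):
        page = render(SAMPLE)
        print(f"{name}: directive reaches the server parser = "
              f"{contains_ssi_directive(page)}")
```

`contains_ssi_directive` can also be run over incoming request data or stored content to flag values for review before they are written to an SSI-parsed file.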

Browser / Standards Solution


Perimeter Solution


Generic Framework Solution

Do not support SSI with dynamic file names.

Custom Framework Solution


Custom Code Solution


Discussion / Controversy

SSI Injection is sometimes called Server-side Include.


OWASP - Server-Side Includes (SSI) Injection

OWASP - Testing for SSI Injection (OWASP-DV-009)

WASC - SSI Injection

CAPEC 101: Server Side Include (SSI) Injection

CWE-97: Improper Neutralization of Server-Side Includes (SSI) Within a Web Page