Input Validation / Server-Side Includes (SSI) injection

Description

Server-Side Includes (SSI) Injection is a type of vulnerability that exists in Web and API applications. This vulnerability occurs when user-supplied data is not properly validated before being used in dynamic page generation, allowing attackers to inject malicious code into the page that is generated. According to the Common Weakness Enumeration (CWE) directory, the SSI Injection vulnerability is classified as CWE-98. The OWASP Testing Guide recommends using automated tools to scan for SSI Injection vulnerabilities.

Risk

SSI Injection poses a significant risk to an organization, as an attacker can use this vulnerability to gain access to sensitive systems or data. In addition, an attacker can use this vulnerability to deface a website or to inject malicious code that can be used to gain control of the server.

Solution

To prevent SSI Injection vulnerabilities, organizations should ensure that their input validation processes are robust. This can be done by using a whitelisting approach to validate user-supplied input, and by escaping special characters before the input is used in dynamic page generation.