Input Validation / Server-Side Includes (SSI) injection
Server-Side Includes (SSI) Injection is a type of vulnerability that exists in Web and API applications. This vulnerability occurs when user-supplied data is not properly validated before being used in dynamic page generation, allowing attackers to inject malicious code into the page that is generated. According to the Common Weakness Enumeration (CWE) directory, the SSI Injection vulnerability is classified as CWE-98. The OWASP Testing Guide recommends using automated tools to scan for SSI Injection vulnerabilities.
SSI Injection poses a significant risk to an organization, as an attacker can use this vulnerability to gain access to sensitive systems or data. In addition, an attacker can use this vulnerability to deface a website or to inject malicious code that can be used to gain control of the server.
To prevent SSI Injection vulnerabilities, organizations should ensure that their input validation processes are robust. This can be done by using a whitelisting approach to validate user-supplied input, and by escaping special characters before the input is used in dynamic page generation.
The following example is taken from CVE-2020-14583. In this example, an attacker can inject malicious code into the page by passing a malicious input (<!--#exec cmd="command"-->) that is not properly sanitized.
<html>
  <body>
    <h1>Hello World!</h1>
    <!--#exec cmd="command"-->
  </body>
</html>
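The allowlist validation and escaping recommended above, applied to the directive from this example, as an added illustration that is not part of the original page. The display-name policy, the page template and all function names are assumptions made for the example.

```python
import html
import re

# Assumed policy for a display-name field: letters, digits, space and a few
# punctuation marks, 1 to 40 characters. Anything else is rejected.
NAME_ALLOWED = re.compile(r"[A-Za-z0-9 _.'-]{1,40}")

# SSI directives look like <!--#element attribute="value"-->. This pattern is
# for logging/alerting on suspicious input, not a substitute for the allowlist.
SSI_DIRECTIVE = re.compile(r"<!--\s*#\s*[A-Za-z]+")

# Constructed template modelled on the page's example.
PAGE = "<html> <body> <h1>Hello {name}!</h1> </body> </html>"


def render_unsafe(name):
    """The 'before': input is pasted into the generated page unchanged."""
    return PAGE.format(name=name)


def looks_like_ssi(value):
    """True if the value contains something shaped like an SSI directive."""
    return SSI_DIRECTIVE.search(value) is not None


def escape_for_page(value):
    """Encode < > & and quotes so no literal '<!--#' reaches the SSI parser."""
    return html.escape(value, quote=True)


def render_safe(name):
    """Allowlist first, then escape what was accepted (defense in depth)."""
    if NAME_ALLOWED.fullmatch(name) is None:
        raise ValueError("name rejected by allowlist")
    return PAGE.format(name=escape_for_page(name))


if __name__ == "__main__":
    payload = '<!--#exec cmd="command"-->'  # directive from the example above
    print("flagged:", looks_like_ssi(payload))
    print("unsafe :", render_unsafe(payload))
    print("escaped:", escape_for_page(payload))
    try:
        render_safe(payload)
    except ValueError as exc:
        print("safe   :", exc)
```

For fields that must accept free text, escape_for_page alone still keeps the directive inert, because the generated page no longer contains a literal "<!--#" sequence.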