SSI INJECTION

Server-Side Includes (SSI) is a technology web applications use to create dynamic content on HTML pages. The use of SSI can often be inferred from the file extension .shtml, .shtm, and .stm. SSI utilizes directives to add dynamically generated content to a static HTML page. SSI injection occurs when an attacker can inject SSI directives into a file that is subsequently served by the web server, resulting in the execution of the injected SSI directives.

• Example use cases:

  • when the web application contains a vulnerable file upload vulnerability that enables an attacker to upload a file containing malicious SSI directives into the web root directory.

  • attackers might be able to inject SSI directives if a web application writes user input to a file in the web root directory.

• Directives

  • name: the directive's name

  • parameter name: one or more parameters

  • value: one or more parameter values

• Syntax

<!--#name param1="value1" param2="value" -->

• Common Directives

#the printenv directive prints environment variables. It does not take any variables
<!--#printenv -->

#the config directive changes the SSI configuration by specifying corresponding parameters; e.g., it can be used to change the error message using the errmsg parameter:
<!--#config errmsg="Error!" -->

#the echo directive prints the value of any variable given in the var parameter. Multiple variables can be printed by specifying multiple var parameters
<!--#echo var="DOCUMENT_NAME" var="DATE_LOCAL" -->
 * DOCUMENT_NAME: the current file's name
 * DOCUMENT_URI: the current file's URI
 * LAST_MODIFIED: timestamp of the last modification of the current file
 * DATE_LOCAL: local server time
 
#the exec directive executes the command given in the cmd parameter
<!--#exec cmd="whoami" -->

#the include directive includes the file specified in the virtual parameter. It only allows for the inclusion of files in the web root directory
<!--#include virtual="index.html" -->

MITIGATION

• validate and sanitize user input

• configure the webserver to restrict the use of SSI to particular file extensions and potentially even particular directories

• turn off specific directives if its not actively required