CAPEC-101: Server Side Include (SSI) Injection (CAPEC Version 2.11)

Attack Pattern ID: 101
Abstraction: Detailed
Status: Draft
Completeness: Complete
+ Summary

An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables the attacker to achieve similar results to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since the SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands.

+ Attack Steps
Explore
  1. Determine applicability: The attacker determines whether server side includes are enabled on the target web server.

    Look for popular page file names. The attacker will look for .shtml, .shtm, .asp, .aspx, and other well-known strings in URLs to help determine whether SSI functionality is enabled.

    Fetch .htaccess file. In Apache web server installations, the .htaccess file may enable server side includes in specific locations. In those cases, the .htaccess file lives inside the directory where SSI is enabled, and is theoretically fetchable from the web server. Although most web servers deny fetching the .htaccess file, a misconfigured server will allow it. Thus, an attacker will frequently try it.

  2. Attempt SSI: Look for user controllable input, including HTTP headers, that can carry server side include directives to the web server.

    Use a spidering tool to follow and record all links. Make special note of any links that include parameters in the URL.

    Use a proxy tool to record all links visited during a manual traversal of the web application. Make special note of any links that include parameters in the URL. Manual traversal of this type is frequently necessary to identify forms that are GET method forms rather than POST forms.

  3. Inject SSI: The attacker may then need to view a particular page in order to have the server execute the include directive and run a command or open a file on behalf of the attacker.

+ Attack Prerequisites
  • A web server that supports server side includes and has them enabled

  • User controllable input that can carry include directives to the web server

+ Typical Severity

High

+ Typical Likelihood of Exploit

Likelihood: Very High

It is fairly easy to determine whether server-side includes are permitted on the target server. An attacker can potentially glean a lot of information if SSI injection is found to be possible.

+ Methods of Attack
  • Injection
  • Protocol Manipulation
+ Examples-Instances

Description

Consider a website hosted on a server that permits Server Side Includes (SSI), such as Apache with the "Options Includes" directive enabled.

Whenever an error occurs, the HTTP Headers along with the entire request are logged, which can then be displayed on a page that allows review of such errors. A malicious user can inject SSI directives in the HTTP Headers of a request designed to create an error.

When these logs are eventually reviewed, the server parses the SSI directives and executes them.
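As an added illustration of the logged-headers scenario above (example code written for this entry, not part of CAPEC or of any product it describes), the following Python checks recorded header values for anything mod_include would treat as a directive and HTML-escapes every value before it is placed in a page the server parses for SSI. The directive names are taken from the Apache mod_include documentation; the log lines are constructed, and the regular expression deliberately matches a superset (whitespace and case variants) so that it errs toward flagging.

```python
import html
import re

# Directive names mod_include understands (from the Apache mod_include docs).
# The pattern tolerates whitespace and case variants so it over-matches rather
# than under-matches; for detection that is the safe direction.
SSI_DIRECTIVE_RE = re.compile(
    r"<!--\s*#\s*(config|echo|exec|fsize|flastmod|include|printenv|set"
    r"|if|elif|else|endif)\b",
    re.IGNORECASE,
)


def contains_ssi_directive(value: str) -> bool:
    """True if the text carries something an SSI parser may execute."""
    return SSI_DIRECTIVE_RE.search(value) is not None


def neutralize_for_ssi_page(value: str) -> str:
    """HTML-escape a value destined for an SSI-parsed page.

    After escaping, '<' becomes '&lt;', so the start tag '<!--#' can no longer
    form; the reviewer still sees the original text rendered literally.
    """
    return html.escape(value, quote=True)


def render_review_row(request_line: str, headers: dict) -> str:
    """Build one row of an error-review page with every logged value escaped."""
    cells = [neutralize_for_ssi_page(request_line)]
    cells += [
        f"{neutralize_for_ssi_page(name)}: {neutralize_for_ssi_page(value)}"
        for name, value in headers.items()
    ]
    return "<tr>" + "".join(f"<td>{cell}</td>" for cell in cells) + "</tr>"


# Constructed sample of logged requests (not real traffic): one benign line
# and three carrying SSI directives inside header values.
SAMPLE_LOG = [
    'GET /error HTTP/1.1 User-Agent: Mozilla/5.0 Referer: http://example.test/a',
    'GET /error HTTP/1.1 User-Agent: <!--#echo var="DATE_LOCAL" --> Referer: -',
    'GET /error HTTP/1.1 User-Agent: curl/8.0 Referer: <!-- #include virtual="/index.html" -->',
    'GET /error HTTP/1.1 User-Agent: <!--#PRINTENV --> Referer: -',
]


def flag_log_lines(lines):
    """Return the indexes of log lines that contain an SSI directive."""
    return [i for i, line in enumerate(lines) if contains_ssi_directive(line)]


if __name__ == "__main__":
    print("flagged lines:", flag_log_lines(SAMPLE_LOG))
    print(render_review_row("GET /error HTTP/1.1",
                            {"User-Agent": '<!--#echo var="DATE_LOCAL" -->'}))
```

The escaping is applied at the point of output, which is where the directive would otherwise be interpreted; the detection pass is a monitoring aid, not a substitute for it. The pattern assumes the default `<!--#` start tag; a server whose `SSIStartTag` has been changed needs the pattern adjusted to match.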

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Medium

The attacker needs to be aware of SSI technology, determine the nature of injection and be able to craft input that results in the SSI directives being executed.

+ Resources Required

None: No specialized resources are required to execute this type of attack. Determining whether the server supports SSI does not require special tools, nor does injecting directives that get executed. Spidering tools can make the task of finding and following links easier.

+ Probing Techniques

The attacker can probe for enabled SSI by injecting content that can be interpreted as SSI directives and viewing the page output.

+ Solutions and Mitigations

Set Options IncludesNOEXEC in the global access.conf file or local .htaccess (Apache) file to deny SSI execution in directories that do not need it.

All user controllable input must be appropriately sanitized before use in the application. This includes omitting, or encoding, characters or strings that have the potential of being interpreted as part of an SSI directive.

Server Side Includes must be enabled only if there is a strong business reason to do so. Every additional component enabled on the web server increases the attack surface as well as the administrative overhead.
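As an added check for the first mitigation (example code written for this entry, not from CAPEC or from the Apache project), the following Python audits an httpd.conf or .htaccess fragment and reports every scope where Options leaves SSI enabled with #exec. It relies on the Apache semantics that Includes (and All, which covers every option except MultiViews) permit #exec while IncludesNOEXEC does not, that an Options list without +/- replaces the inherited set while a +/- list adjusts it, and it simplifies nesting by letting each <Directory> start from the server-level set; "server" stands for the top level or for the .htaccess file itself. The configuration fragments are constructed.

```python
import re

OPTIONS_RE = re.compile(r"^Options\s+(.+?)\s*$", re.IGNORECASE)
OPEN_DIR_RE = re.compile(r'^<Directory\s+"?([^">]+?)"?\s*>$', re.IGNORECASE)
CLOSE_DIR_RE = re.compile(r"^</Directory>$", re.IGNORECASE)

# Apache's "All" means every option except MultiViews (per the core docs).
ALL_OPTIONS = {"execcgi", "followsymlinks", "includes", "indexes",
               "symlinksifownermatch"}


def _expand(name):
    """Map one option token to the set of options it stands for."""
    name = name.lower()
    return set(ALL_OPTIONS) if name == "all" else {name}


def apply_options(current, tokens):
    """Apply one Options line to the effective option set.

    Assumed Apache semantics: a list without +/- replaces the inherited set,
    a list of +/- tokens adjusts it, and 'None' clears it. Names are compared
    case-insensitively.
    """
    tokens = list(tokens)
    if len(tokens) == 1 and tokens[0].lower() == "none":
        return set()
    if all(t[0] in "+-" for t in tokens):
        result = set(current)
        for t in tokens:
            if t[0] == "+":
                result |= _expand(t[1:])
            else:
                result -= _expand(t[1:])
        return result
    result = set()
    for t in tokens:
        result |= _expand(t)
    return result


def audit_ssi_exec(config_text):
    """Return [(scope, reason)] for every scope where SSI with #exec is on.

    Simplification: each <Directory> starts from the server-level set rather
    than from an enclosing <Directory>.
    """
    scopes = {"server": set()}
    scope = "server"
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPEN_DIR_RE.match(line)
        if m:
            scope = m.group(1)
            scopes[scope] = set(scopes["server"])
            continue
        if CLOSE_DIR_RE.match(line):
            scope = "server"
            continue
        m = OPTIONS_RE.match(line)
        if m:
            scopes[scope] = apply_options(scopes[scope], m.group(1).split())
    return [
        (name, "Options Includes (or All) permits #exec; use IncludesNOEXEC")
        for name, opts in scopes.items()
        if "includes" in opts
    ]


# Constructed fragment, not a real server's configuration.
WEAK_CONF = """\
Options Indexes FollowSymLinks
<Directory "/var/www/html/reports">
    Options +Includes
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
</Directory>
<Directory "/var/www/html/static">
    Options None
</Directory>
"""

# Same fragment with the mitigation applied: includes still work, #exec does not.
HARDENED_CONF = WEAK_CONF.replace("Options +Includes", "Options +IncludesNOEXEC")

if __name__ == "__main__":
    print("weak:", audit_ssi_exec(WEAK_CONF))
    print("hardened:", audit_ssi_exec(HARDENED_CONF))
```

A clean run on the hardened fragment does not by itself prove SSI is harmless: IncludesNOEXEC still lets `#include` pull files the server can read, so the second and third mitigations (sanitizing input and enabling SSI only where needed) remain necessary.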

+ Attack Motivation-Consequences
Scope | Technical Impact | Note
Confidentiality | Read application data; Read files or directories | 
Confidentiality, Integrity, Availability | Execute unauthorized code or commands; Run Arbitrary Code | 
+ Injection Vector

User controllable input

+ Payload

SSI directives that can cause disclosure of file contents or execution of commands

+ Activation Zone

The web server that parses and executes SSI directives before rendering the HTML page

+ Payload Activation Impact

The SSI directives cause the inclusion of certain file's contents or the execution of a shell command, as directed by the attacker

+ Purposes
  • Penetration
  • Exploitation
+ CIA Impact
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
+ Technical Context
Architectural Paradigms: Client-Server, SOA
Frameworks: All
Platforms: All
Languages: All, PHP
+ Content History
Submissions
Submitter | Organization | Date | Source
CAPEC Content Team | The MITRE Corporation | 2014-06-23 | Internal_CAPEC_Team
Modifications
Modifier | Organization | Date | Comments | Source
CAPEC Content Team | The MITRE Corporation | 2017-08-04 | Updated Resources_Required | Internal

Page Last Updated or Reviewed: July 31, 2017