An attacker can use Server Side Include (SSI) Injection to send code to a
web application that then gets executed by the web server. Doing so enables
the attacker to achieve similar results to Cross Site Scripting, viz.,
arbitrary code execution and information disclosure, albeit on a more
limited scale, since the SSI directives are nowhere near as powerful as a
full-fledged scripting language. Nonetheless, the attacker can conveniently
gain access to sensitive files, such as password files, and execute shell
commands.
Attack Execution Flow

Explore

Determine applicability:
The attacker determines whether server side includes are enabled on the
target web server.

Attack Step Techniques

  1. Look for popular page file names. The attacker will look for .shtml,
     .shtm, .asp, .aspx, and other well known strings in URLs to help
     determine whether SSI functionality is enabled. [env-Web]
  2. Fetch .htaccess file. In Apache web server installations, the .htaccess
     file may enable server side includes in specific locations. In those
     cases, the .htaccess file lives inside the directory where SSI is
     enabled, and is theoretically fetchable from the web server. Although
     most web servers deny fetching the .htaccess file, a misconfigured
     server will allow it. Thus, an attacker will frequently try it.
     [env-Web]

Indicators

  1. Positive: If .htaccess files are used, their contents should be checked
     for "Options Includes" or "Options IncludesNOEXEC". [env-Web]
  2. Positive: If Apache is used, the contents of the httpd.conf file and
     similar configuration files should be checked for "Options Includes" or
     "Options IncludesNOEXEC". [env-Web]
  3. Positive: IIS configurations contain server-side include compatibility.
     [env-Web]
  4. Inconclusive: Web pages that include mundane but dynamic information
     (like the current date, a file's size, or some other data that SSI can
     produce) might be producing that content through SSI. [env-Web]
Security Controls

  1. Preventative: Adding "AllowOverride None" to the main httpd.conf file on
     a server (and the similar restrictions in other application servers) can
     prevent unexpected loosening of SSI functionality, even by internal
     developers.
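Indicators 1 and 2 and the preventative control above amount to a configuration audit: find every "Options" line, work out whether it leaves Includes (exec-capable) or only IncludesNOEXEC enabled, and check whether AllowOverride lets a .htaccess file re-enable Includes. The following Python script is an added example written for this page, not code from CAPEC or from the Apache project. The two configuration snippets are constructed samples (a weak one and its hardened counterpart); the audit models a single <Directory> scope and does not resolve nested scopes or Include files.

```python
import re

# Constructed sample: a weak Apache configuration that enables exec-capable SSI
# and lets .htaccess files loosen Options further.
WEAK_CONF = """
<Directory "/var/www/html">
    Options Indexes FollowSymLinks Includes
    AllowOverride All
</Directory>
"""

# Constructed sample: the hardened equivalent. IncludesNOEXEC keeps #include
# working but disables #exec, and AllowOverride None stops .htaccess files
# from re-enabling Includes.
HARDENED_CONF = """
<Directory "/var/www/html">
    Options Indexes FollowSymLinks IncludesNOEXEC
    AllowOverride None
</Directory>
"""

# Apache directive names and option keywords are case-insensitive.
OPTIONS_RE = re.compile(r"^\s*Options\s+(.+?)\s*$", re.IGNORECASE | re.MULTILINE)
OVERRIDE_RE = re.compile(r"^\s*AllowOverride\s+(.+?)\s*$", re.IGNORECASE | re.MULTILINE)

# "Options All" means every option except MultiViews.
ALL_OPTIONS = {"indexes", "includes", "followsymlinks", "execcgi", "symlinksifownermatch"}


def effective_options(conf_text):
    """Fold every Options line in the text into one set of lower-cased keywords.

    Apache accepts absolute lists ("Options Includes") and relative ones
    ("Options +Includes -Indexes"). An absolute line replaces the current set;
    a relative line adjusts it. Only one scope is modelled here."""
    opts = set()
    for m in OPTIONS_RE.finditer(conf_text):
        tokens = m.group(1).split()
        relative = all(t[0] in "+-" for t in tokens)
        if not relative:
            opts = set()
        for t in tokens:
            sign = t[0] if t[0] in "+-" else "+"
            name = t.lstrip("+-").lower()
            names = ALL_OPTIONS if name == "all" else {name}
            if sign == "+":
                opts |= names
            else:
                opts -= names
    return opts


def audit_ssi(conf_text):
    """Return a list of findings describing SSI-related weaknesses in the snippet."""
    findings = []
    opts = effective_options(conf_text)
    if "includes" in opts:
        findings.append("Options Includes: SSI enabled with #exec allowed")
    elif "includesnoexec" in opts:
        findings.append("Options IncludesNOEXEC: SSI enabled, #exec disabled (review need)")
    for m in OVERRIDE_RE.finditer(conf_text):
        for token in m.group(1).split():
            name, _, allowed = token.lower().partition("=")
            # "All" or an unrestricted "Options" lets .htaccess set any option;
            # "Options=..." only matters if Includes itself is in the list.
            if name == "all" or (name == "options" and
                                 (not allowed or "includes" in allowed.split(","))):
                findings.append(
                    "AllowOverride permits Options: .htaccess files can re-enable Includes")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_ssi(conf))
```

Running the script reports both weaknesses for the weak snippet and only the informational IncludesNOEXEC note for the hardened one; the same functions can be pointed at the text of a real httpd.conf or .htaccess file.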
Attempt SSI:
Look for user controllable input, including HTTP headers, that can carry
server side include directives to the web server.

Attack Step Techniques

  1. Use a spidering tool to follow and record all links. Make special note
     of any links that include parameters in the URL. [env-Web]
  2. Use a proxy tool to record all links visited during a manual traversal
     of the web application. Make special note of any links that include
     parameters in the URL. Manual traversal of this type is frequently
     necessary to identify forms that are GET method forms rather than POST
     forms. [env-Web]

Indicators

  1. Positive: URL parameters are used. [env-Web]
  2. Inconclusive: No parameters appear on the URL. Even though none appear,
     the web application may still use them if they are provided. [env-Web]

Outcomes

  1. Success: A list of URLs, with their corresponding parameters, is created
     by the attacker.

Security Controls

  1. Detective: Monitor velocity of page fetching in web logs. Humans who
     view a page and select a link from it will click far slower and far
     less regularly than tools. Tools make requests very quickly and the
     requests are typically spaced apart regularly (e.g. 0.8 seconds between
     them).
  2. Detective: Create links on some pages that are visually hidden from web
     browsers. Using IFRAMEs, images, or other HTML techniques, the links can
     be hidden from web browsing humans but visible to spiders and programs.
     A request for the page then becomes a good predictor of an automated
     tool probing the application.
  3. Preventative: Actively monitor the application and either deny or
     redirect requests from origins that appear to be automated.
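The two detective controls above can be run over an access log: group requests by client, measure how fast and how regular the inter-request gaps are, and flag any client that fetched a link hidden from human browsers (the .htaccess fetch from the Explore step is worth flagging at the same time). The Python below is an added example for this page, not CAPEC or project code. The log lines are constructed in Apache combined format, the /trap/ prefix for hidden links is a hypothetical convention, and the thresholds (five requests, median gap of two seconds or less, coefficient of variation of at most 0.5) are illustrative starting points to tune per site.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Apache combined log format: client, identd, user, [timestamp], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log lines, not from a real server. The first client is a
# tool walking .shtml pages one second apart; the second is a human reading.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.shtml HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /news.shtml?id=1 HTTP/1.1" 200 611 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /news.shtml?id=2 HTTP/1.1" 200 613 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "GET /.htaccess HTTP/1.1" 403 199 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /trap/hidden.shtml HTTP/1.1" 200 120 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /about.shtml HTTP/1.1" 200 420 "-" "python-requests/2.31"
198.51.100.23 - - [10/Oct/2023:13:51:02 +0000] "GET /index.shtml HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:51:49 +0000] "GET /news.shtml?id=7 HTTP/1.1" 200 640 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:54:10 +0000] "GET /about.shtml HTTP/1.1" 200 420 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:54:21 +0000] "GET /contact.shtml HTTP/1.1" 200 380 "-" "Mozilla/5.0"
"""

# Hypothetical path prefix under which links invisible to human browsers live.
HONEYPOT_PREFIX = "/trap/"


def parse_log(text):
    """Parse combined-format lines into (ip, timestamp, path, status) tuples."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines in another format rather than failing the run
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        events.append((m.group("ip"), ts, m.group("path"), int(m.group("status"))))
    return events


def classify_clients(events, min_requests=5, max_median_gap=2.0, max_cv=0.5):
    """Return {ip: [reasons]} for clients whose fetch pattern looks automated.

    'velocity'  - at least min_requests requests, median gap <= max_median_gap
                  seconds and regular spacing (pstdev/mean <= max_cv; a zero
                  spread counts as perfectly regular)
    'honeypot'  - requested a link hidden from human browsers
    'htaccess'  - tried to fetch a .htaccess file"""
    by_ip = defaultdict(list)
    for ip, ts, path, status in events:
        by_ip[ip].append((ts, path))
    flagged = {}
    for ip, reqs in by_ip.items():
        reqs.sort()
        reasons = []
        times = [t for t, _ in reqs]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(reqs) >= min_requests:
            median = statistics.median(gaps)
            mean = statistics.mean(gaps)
            cv = statistics.pstdev(gaps) / mean if mean > 0 else 0.0
            if median <= max_median_gap and cv <= max_cv:
                reasons.append("velocity")
        if any(p.startswith(HONEYPOT_PREFIX) for _, p in reqs):
            reasons.append("honeypot")
        if any(p.rstrip("/").endswith("/.htaccess") for _, p in reqs):
            reasons.append("htaccess")
        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    print(classify_clients(parse_log(SAMPLE_LOG)))
```

Standard Apache timestamps have one-second resolution, so sub-second spacing such as the 0.8 seconds quoted above collapses to gaps of 0 or 1 second; the regularity test still separates it from human browsing, and a LogFormat that records microseconds sharpens it.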
Inject SSI:
The attacker may then need to view a particular page in order to have the
server execute the include directive and run a command or open a file on
behalf of the attacker.

Outcomes

  1. Success: The attacker views data (perhaps from a file) that he normally
     should not see.
  2. Success: The attacker executes a command on the server, or influences
     the arguments to a command executed via SSI on the server.
Attack Prerequisites

  - A web server that supports server side includes and has them enabled
  - User controllable input that can carry include directives to the web
    server
Typical Likelihood of Exploit

Likelihood: Very High

It is fairly easy to determine whether server-side includes are permitted
on the target server. An attacker can potentially glean a lot of information
if SSI Injection were found to be possible.

Methods of Attack

  - Injection
  - Protocol Manipulation
Examples-Instances

Consider a website hosted on a server that permits Server Side Includes
(SSI), such as Apache with the "Options Includes" directive enabled.

Whenever an error occurs, the HTTP headers along with the entire request are
logged, and the log can then be displayed on a page that allows review of
such errors. A malicious user can inject SSI directives into the HTTP headers
of a request designed to create an error.

When these logs are eventually reviewed, the server parses the SSI
directives and executes them.
Attacker Skills or Knowledge Required

Skill or Knowledge Level: Medium

The attacker needs to be aware of SSI technology, determine the nature of
the injection and be able to craft input that results in the SSI directives
being executed.

Resources Required

None: Determining whether the server supports SSI does not require special
tools, nor does injecting directives that get executed.

Probing Techniques

The attacker can probe for enabled SSI by injecting content that can be
interpreted as SSI directives and viewing the page output.
Solutions and Mitigations

  - Set "Options IncludesNOEXEC" in the global access.conf file or local
    .htaccess (Apache) file to deny SSI execution in directories that do not
    need them.
  - All user controllable input must be appropriately sanitized before use
    in the application. This includes omitting, or encoding, certain
    characters or strings that have the potential of being interpreted as
    part of an SSI directive.
  - Server Side Includes must be enabled only if there is a strong business
    reason to do so. Every additional component enabled on the web server
    increases the attack surface as well as administrative overhead.
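The second mitigation, applied to the logged-headers example above, comes down to two functions: one that recognises anything an SSI parser would treat as a directive opener in user-controlled input, and one that encodes such input before it is written into a page the server will parse. The Python below is an added example for this page, not CAPEC code. The header set is constructed; the directive names are the standard Apache mod_include set, and the matcher deliberately tolerates case and whitespace variations so that it errs toward detection.

```python
import html
import re

# Opener of an SSI directive ("<!--#name ..."), matched loosely on case and
# whitespace. Directive names are those of Apache mod_include.
SSI_DIRECTIVE_RE = re.compile(
    r"<!--\s*#\s*(?:include|exec|echo|config|fsize|flastmod|printenv|set|if|elif|else|endif)\b",
    re.IGNORECASE,
)


def contains_ssi_directive(value):
    """True if the string carries something an SSI parser would treat as a directive."""
    return SSI_DIRECTIVE_RE.search(value) is not None


def neutralize_for_html(value):
    """Encode a string so a parsed HTML/SSI page shows it as literal text.

    html.escape turns '<' into '&lt;', so the '<!--#' opener can never form in
    the rendered page. This is the 'encode' branch of the mitigation; the
    'omit' branch would reject or drop the value instead."""
    return html.escape(value, quote=True)


def render_error_log_entry(headers):
    """Build the HTML fragment an error-review page would emit for one request.

    Every header name and value is encoded before it is written into the page
    that SSI will later parse. Raw values can still go to a plain log file
    that no SSI-enabled page ever includes."""
    rows = []
    for name, value in headers.items():
        rows.append(
            f"<tr><td>{neutralize_for_html(name)}</td>"
            f"<td>{neutralize_for_html(value)}</td></tr>"
        )
    return "<table>" + "".join(rows) + "</table>"


def flagged_headers(headers):
    """Names of headers whose values look like SSI directives, for alerting."""
    return sorted(name for name, value in headers.items()
                  if contains_ssi_directive(value))


# Constructed request headers: two benign values and one User-Agent carrying
# an exec directive, the vector described in the page's example.
SAMPLE_HEADERS = {
    "Host": "www.example.com",
    "User-Agent": '<!--#exec cmd="id" -->',
    "Referer": "https://www.example.com/index.shtml",
}

if __name__ == "__main__":
    print("suspicious headers:", flagged_headers(SAMPLE_HEADERS))
    print(render_error_log_entry(SAMPLE_HEADERS))
```

Detection and encoding are kept separate on purpose: the encoded page is safe whether or not the matcher fires, while the matcher gives the operations team an alert that someone is probing for SSI even when the attempt achieved nothing.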
Attack Motivation-Consequences

  Scope: Confidentiality
  Technical Impact: Read application data; Read files or directories

  Scope: Confidentiality, Integrity, Availability
  Technical Impact: Execute unauthorized code or commands
Injection Vector

User controllable input

Payload

SSI directives that can cause disclosure of file contents or execution of
commands

Activation Zone

The web server that parses and executes SSI directives before rendering the
HTML page

Payload Activation Impact

The SSI directives cause the inclusion of a file's contents or the execution
of a shell command, as directed by the attacker.