Blog

Upcoming Webinar

On-Demand Webinar

On-Demand Webinar

Blog

2021-05-04

Server-Side Includes(SSI) Injection

Server-Side Includes(SSI) Injection

Overview of Server-Side Includes(SSI) Injection

Web servers usually give developers the ability to add small pieces of dynamic code inside static HTML pages, without having to deal with full-fledged server-side or client-side languages. This feature is provided by Server-Side Includes(SSI), which are directives that the web server parses before serving the page to the user.SSI can lead to a Remote Command Execution (RCE), however most webservers have the exec directive disabled by default. This is a vulnerability very similar to a classical scripting language injection vulnerability. OWASP SSI Injection

References

https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/08-Testing_for_SSI_Injection.html

Request Access to Use Case Repository

Tags

Initial Access

Splunk

Chat with our team to receive a free maturity assessment

You May Also Like

Anvilogic Names Omer Singer Vice President of Strategy, Former Snowflake Head of Cybersecurity Strategy

Forge Charged News: The Most Electrifying News From October 2023

Ready to learn more about Anvilogic?

Kickstart your security operations

Contact Sales Request Demo

Anvilogic provided the necessary threat detection automation for our small SOC, adding a significant force-multiplier advantage for my team.

Lucas Moody

CISO, formerly Twitter

Contact Sales Request Demo

On-Demand Webinar

Server-Side Includes(SSI) Injection

Server

On-Demand Webinar

Server-Side Includes(SSI) Injection

Detection Strategies

Overview of Server-Side Includes(SSI) Injection

Web servers usually give developers the ability to add small pieces of dynamic code inside static HTML pages, without having to deal with full-fledged server-side or client-side languages. This feature is provided by Server-Side Includes(SSI), which are directives that the web server parses before serving the page to the user.SSI can lead to a Remote Command Execution (RCE), however most webservers have the exec directive disabled by default. This is a vulnerability very similar to a classical scripting language injection vulnerability. OWASP SSI Injection

References

https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/08-Testing_for_SSI_Injection.html

Request Access to Use Case Repository

Tags

Initial Access

Splunk

Get the Latest Resources

Leave Your Data Where You Want: Detect Across Snowflake

Demo Series

Leave Your Data Where You Want: Detect Across Snowflake

MonteAI: Your Detection Engineering & Threat Hunting Co-Pilot

Demo Series

MonteAI: Your Detection Engineering & Threat Hunting Co-Pilot

White Paper

Server-Side Includes(SSI) Injection

Server

May 4, 2021

Server-Side Includes(SSI) Injection

Server

Overview of Server-Side Includes(SSI) Injection

Web servers usually give developers the ability to add small pieces of dynamic code inside static HTML pages, without having to deal with full-fledged server-side or client-side languages. This feature is provided by Server-Side Includes(SSI), which are directives that the web server parses before serving the page to the user.SSI can lead to a Remote Command Execution (RCE), however most webservers have the exec directive disabled by default. This is a vulnerability very similar to a classical scripting language injection vulnerability. OWASP SSI Injection

References

https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/08-Testing_for_SSI_Injection.html

Request Access to Use Case Repository

Tags

Initial Access

Splunk

Scale Detection Engineering And Threat Hunting Across All Of Your Data Lakes And Security Tools.

Scale Detection Engineering And Threat Hunting Across All Of Your Data Lakes And Security Tools.