Description

An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables the attacker to achieve similar results to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since the SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands.

Attack Execution Flow

3

1

Step 1

Explore

[Determine applicability] The adversary determines whether server side includes are enabled on the target web server.
Look for popular page file names. The attacker will look for .shtml, .shtm, .asp, .aspx, and other well-known strings in URLs to help determine whether SSI functionality is enabled.
Fetch .htaccess file. In Apache web server installations, the .htaccess file may enable server side includes in specific locations. In those cases, the .htaccess file lives inside the directory where SSI is enabled, and is theoretically fetchable from the web server. Although most web servers deny fetching the .htaccess file, a misconfigured server will allow it. Thus, an attacker will frequently try it.

Attack Techniques

Fetch .htaccess file. In Apache web server installations, the .htaccess file may enable server side includes in specific locations. In those cases, the .htaccess file lives inside the directory where SSI is enabled, and is theoretically fetchable from the web server. Although most web servers deny fetching the .htaccess file, a misconfigured server will allow it. Thus, an attacker will frequently try it.
Look for popular page file names. The attacker will look for .shtml, .shtm, .asp, .aspx, and other well-known strings in URLs to help determine whether SSI functionality is enabled.
IT: Recupera il file .htaccess. Nelle installazioni di Apache web server, il file .htaccess può abilitare gli include lato server in posizioni specifiche. In questi casi, il file .htaccess si trova all’interno della directory in cui gli SSI sono abilitati e, teoricamente, può essere recuperato dal server web. Sebbene la maggior parte dei server web neghi il recupero del file .htaccess, un server mal configurato lo consente. Pertanto, un attaccante tenterà frequentemente di farlo.

2

Step 2

Experiment

[Find Injection Point] Look for user controllable input, including HTTP headers, that can carry server side include directives to the web server.
Use a spidering tool to follow and record all links. Make special note of any links that include parameters in the URL.
Use a proxy tool to record all links visited during a manual traversal of the web application. Make special note of any links that include parameters in the URL. Manual traversal of this type is frequently necessary to identify forms that are GET method forms rather than POST forms.

Attack Techniques

Use a proxy tool to record all links visited during a manual traversal of the web application. Make special note of any links that include parameters in the URL. Manual traversal of this type is frequently necessary to identify forms that are GET method forms rather than POST forms.
Use a spidering tool to follow and record all links. Make special note of any links that include parameters in the URL.
IT: Utilizza uno strumento proxy per registrare tutti i link visitati durante una navigazione manuale dell'applicazione web. Prendi nota in modo particolare di eventuali link che includono parametri nell'URL. La navigazione manuale di questo tipo è spesso necessaria per identificare moduli che utilizzano il metodo GET anziché POST.

3

Step 3

Exploit

[Inject SSI] Using the found injection point, the adversary sends arbitrary code to be inlcuded by the application on the server side. They may then need to view a particular page in order to have the server execute the include directive and run a command or open a file on behalf of the adversary.

CAPEC 101 Server Side Include (SSI) Injection

Description

Attack Execution Flow

Step 1

Attack Techniques

Step 2

Attack Techniques

Step 3

Mitigations

All User Controllable Input Must Be Appropriately Sanitized Before Use In The Application. This Includes Omitting, Or Encoding, Certain Characters Or Strings That Have The Potential Of Being Interpreted As Part Of An Ssi Directive

Server Side Includes Must Be Enabled Only If There Is A Strong Business Reason To Do So. Every Additional Component Enabled On The Web Server Increases The Attack Surface As Well As Administrative Overhead

Set The Options Includesnoexec In The Global Access.Conf File Or Local .Htaccess (Apache) File To Deny Ssi Execution In Directories That Do Not Need Them

Consequences

Security Scopes Affected

Potential Impacts

Relationships

Parent CAPECs

Resources Required

CAPEC 101 Server Side Include (SSI) Injection

Description

Attack Execution Flow

Step 1

Attack Techniques

Step 2

Attack Techniques

Step 3

Mitigations

All User Controllable Input Must Be Appropriately Sanitized Before Use In The Application. This Includes Omitting, Or Encoding, Certain Characters Or Strings That Have The Potential Of Being Interpreted As Part Of An Ssi Directive

Server Side Includes Must Be Enabled Only If There Is A Strong Business Reason To Do So. Every Additional Component Enabled On The Web Server Increases The Attack Surface As Well As Administrative Overhead

Set The Options Includesnoexec In The Global Access.Conf File Or Local .Htaccess (Apache) File To Deny Ssi Execution In Directories That Do Not Need Them

Consequences

Security Scopes Affected

Potential Impacts

Relationships

Parent CAPECs

Resources Required

Iscriviti alla newsletter