Skip to main content

SSI (Server Side Include)and SSI Injection

 What is SSI?

It is a feature that allows developers to dynamically generate web content by using “#” directives without having to do it manually. The server searches for the SSI directives in the HTML code and executes them sequentially

SSI (Server Side Includes) are directives that are placed in HTML pages, and evaluated on the server while the pages are being served. They let you add dynamically generated content to an existing HTML page, without having to serve the entire page via a CGI program, or other dynamic technology.

For example, you might place a directive into an existing HTML page, such as:

syntax:: <!--#directive/command <parameter> -->

<!--#echo var="DATE_LOCAL" -->

And, when the page is served, this fragment will be evaluated and replaced with its value:

Tuesday, 15-Jan-2013 19:28:54 EST

Configuring your server to permit SSI

To permit SSI on your server, you must have the following directive either in your httpd.conf file, or in a .htaccess file:

Options +Includes

This tells Apache that you want to permit files to be parsed for SSI directives.

Not just any file is parsed for SSI directives. You have to tell Apache which files should be parsed. There are two ways to do this. You can tell Apache to parse any file with a particular file extension, such as .shtml, with the following directives:

AddType text/html .shtml
AddOutputFilter INCLUDES .shtml

SSI (Server Side Include) Injection

Server-Side Includes attack allows the exploitation of a web application by injecting scripts in HTML pages or executing arbitrary codes remotely

It is possible to check if the application is properly validating input fields data by inserting characters that are used in SSI directives, like:

< ! # = / . " - > and [a-zA-Z0-9]

Another way to discover if the application is vulnerable is to verify the presence of pages with extensions .stm, .shtm and .shtml.

However, the lack of these types of pages does not mean that the application is protected against SSI attacks.

HTML Comment Tag: <!--This is a comment -->

The commands used to inject SSI vary according to the server operational system in use. The following commands represent the syntax that should be used to execute OS commands.

Linux:

List files of directory:

<!--#exec cmd="ls" -->

Access directories:

<!--#exec cmd="cd /root/dir/">

printenv

This prints out a listing of all existing variables and their values.

<! — #printenv →>

The printenv element is available only in Apache 1.2 and above.

set

This sets the value of a variable.

varThe name of the variable to set.valueThe value to give a variable.

For example:

<! — #set var=”category” value=”help” →

refer: https://www.cheat-sheets.org/sites/ssi.su/

refer: https://owasp.org/www-community/attacks/Server-Side_Includes_(SSI)_Injection

refer: https://medium.com/@shatabda/security-ssi-injection-what-how-fbce1dc232b9

Labels

Labels:

Comments

Post a Comment

Popular posts from this blog

Bug Boundy Methodology, Tools & Resources

Start by defining a clear objective, such as exploiting a remote code execution (RCE) vulnerability or bypassing authentication on your target. Then, consider how you can achieve this goal using various attack vectors like XSS, SSRF, or others - these are simply tools to help you reach your objective. Use the target as how a normal user would, while browsing keep these questions in mind: 1)How does the app pass data? 2)How/where does the app talk about users? 3)Does the app have multi-tenancy or user levels? 4)Does the app have a unique threat model? 5)Has there been past security research & vulnerabilities? 6)How does the app handle XSS, CSRF, and code injection?
Post a Comment
Read more

Install & set up mitmweb or mitmproxy in Linux

Step 1: Go to the mitmproxy page and download the binaries. Step 2: Install the downloaded tar file with the command " tar -xzf <filename>.tar.gz " Step 3: In the FoxyProxy add the proxy 127.0.0.1:8080  and turn it on. Step 4 : In the terminal run command " ./mitmweb " Step 5: Go to the page  http://mitm.it/   and download the mitmproxy's Certificate. Step 6: If you downloaded the certificate for Firefox, then go to " settings -> Privacy & Security -> Click View Certificates -> Click  Import ", then import the certificate.  Step 7: Now you are ready to capture the web traffic. Step 8 : In terminal run " ./mitmweb"
Post a Comment
Read more

Making CHIP-8 emulator in C

  Chip8 doc link | Components | Opcode Table GitHub - AdithyakrishnaV/Chip8_Emulator--Interpreter Contribute to AdithyakrishnaV/Chip8_Emulator--Interpreter development by creating an account on GitHub. github.com CHIP-8 programs are binary files, and your emulator must read them and operate on the bytes. You will also need a way to draw graphics to the screen and read keypresses. Many graphical libraries can do this for you or use something like SDL directly. CHIP-8 components Display 64 pixels wide and 32 pixels tall. Each pixel is a boolean value, or a bit; can be on or off (“off” pixel was just black, and “on” was white). We’ll use SDL for rendering: SDL initialization Not initialize:- returns -1  Error message is stored in SDL_GetError Initializing SDL if (SDL_Init(SDL_INIT_VIDEO)!= 0 ){ printf ( "SDL not initialized,%s\n" , SDL_GetError); exit (- 1 ); } Initialize display SDL_Window * window = SDL_CreateWindow ( "chip8" , SDL_WINDOWPOS_CENTERED , SDL_...
Post a Comment
Read more