OWASP Periodic Table of Vulnerabilities - SSI Injection

Root Cause Summary
The root cause of server-side include (SSI) injection is the application's failure to validate data before it is inserted into a server-side interpreted HTML file. Some web servers allow dynamic code to be embedded in otherwise static HTML pages, which makes it possible for an attacker to send code to a web application that the web server will then execute, possibly gaining access to files or enabling other exploits similar to cross-site scripting.

Browser / Standards Solution
None

Perimeter Solution
None

Generic Framework Solution
Do not support SSI with dynamic file names.
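
The following sketch is an added example, not code from OWASP or from any particular framework. It illustrates both the root cause above and this recommendation: field data is HTML-escaped before it reaches a server-parsed page, and include paths come from a fixed table rather than from request data. The Apache-style `<!--#` directive syntax, the function names, the include paths and the sample input are assumptions constructed for illustration.

```python
import html
import re
from string import Template

# Apache-style SSI directive opener, e.g. <!--#include ... --> (assumed syntax)
SSI_DIRECTIVE = re.compile(r"<!--#\s*([a-zA-Z]+)")

# Hypothetical fixed mapping: a request-supplied key selects an entry,
# it never becomes part of the included file name.
ALLOWED_INCLUDES = {
    "header": "/includes/header.html",
    "footer": "/includes/footer.html",
}


def find_directives(text):
    """Return the names of SSI directives present in text, in order."""
    return [m.group(1).lower() for m in SSI_DIRECTIVE.finditer(text)]


def include_for(key):
    """Build an include directive from the allowlist, rejecting unknown keys."""
    if key not in ALLOWED_INCLUDES:
        raise ValueError("unknown include key")
    return '<!--#include virtual="%s" -->' % ALLOWED_INCLUDES[key]


def render(template, **fields):
    """Fill a server-parsed template with HTML-escaped fields and verify that
    no SSI directive appears that the template itself did not contain."""
    escaped = {k: html.escape(str(v), quote=True) for k, v in fields.items()}
    page = Template(template).substitute(escaped)
    if find_directives(page) != find_directives(template):
        raise ValueError("SSI directive introduced by field data")
    return page


# Constructed sample template and input, for illustration only
TEMPLATE = include_for("header") + "\n<p>Hello, $name</p>\n"
SAMPLE_INPUT = '<!--#echo var="DATE_LOCAL" -->'

if __name__ == "__main__":
    print(render(TEMPLATE, name=SAMPLE_INPUT))
```

The directive comparison in `render` is a second check behind the escaping: it fails closed if a later change ever lets a field through unescaped.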

Custom Framework Solution
None

Custom Code Solution
None

Discussion / Controversy
SSI Injection is sometimes called Server-side Include.