CAPEC-101: Server Side Include (SSI) Injection

Server Side Include (SSI) Injection


Typical_Severify: High



An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables the attacker to achieve similar results to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since the SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands.


ChildOf: CAPEC-253 |Remote Code Inclusion

Execution Flow Attack Setp

Setp 1 Explore

[Determine applicability] The attacker determines whether server side includes are enabled on the target web server.

Setp 2 Explore

[Attempt SSI] Look for user controllable input, including HTTP headers, that can carry server side include directives to the web server.

Setp 3 Explore

[Inject SSI] The attacker may then need to view a particular page in order to have the server execute the include directive and run a command or open a file on behalf of the attacker


A web server that supports server side includes and has them enabled

User controllable input that can carry include directives to the web server


Level Medium

The attacker needs to be aware of SSI technology, determine the nature of injection and be able to craft input that results in the SSI directives being executed.


None: No specialized resources are required to execute this type of attack. Determining whether the server supports SSI does not require special tools, and nor does injecting directives that get executed. Spidering tools can make the task of finding and following links easier.


Scope Impact Likelihood
C o n f i d e n t i a l i t y Read Data
Confidentiality Integrity Availability Execute Unauthorized Commands


Set the OPTIONS IncludesNOEXEC in the global access.conf file or local .htaccess (Apache) file to deny SSI execution in directories that do not need them

All user controllable input must be appropriately sanitized before use in the application. This includes omitting, or encoding, certain characters or strings that have the potential of being interpreted as part of an SSI directive

Server Side Includes must be enabled only if there is a strong business reason to do so. Every additional component enabled on the web server increases the attack surface as well as administrative overhead


Consider a website hosted on a server that permits Server Side Includes (SSI), such as Apache with the "Options Includes" directive enabled.

Whenever an error occurs, the HTTP Headers along with the entire request are logged, which can then be displayed on a page that allows review of such errors. A malicious user can inject SSI directives in the HTTP Headers of a request designed to create an error.

When these logs are eventually reviewed, the server parses the SSI directives and executes them.


97 | Web页面中服务端引用(SSI)转义处理不恰当

74 | 输出中的特殊元素转义处理不恰当(注入)

20 | 输入验证不恰当

713 | OWASP Top Ten 2007 A2目录 - 注入缺陷



2014-06-23 | CAPEC Content Team | The MITRE Corporation


2017-08-04 | CAPEC Content Team | The MITRE Corporation

Updated Resources_Required

2018-07-31 | CAPEC Content Team | The MITRE Corporation

Updated Attack_Phases