
CAPEC-101: Server Side Include (SSI) Injection

Abstraction
Detailed
Status
Draft
Likelihood
High
Severity
High

Description

An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables the attacker to achieve similar results to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since the SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands.
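Because the SSI parser acts on directive syntax embedded in the page, the defensive fix is to make sure untrusted input never reaches an SSI-parsed document with that syntax intact, and to flag input that carries it. The following is an added example (not code from CAPEC or from this site): a small detector for SSI directive markers plus an escaping step that neutralizes them before user data is written into a server-parsed page; the sample inputs are constructed.

```python
import html
import re

# Directive shape used by Apache mod_include and nginx ssi:
# "<!--#" + directive name + attributes + "-->"
SSI_DIRECTIVE = re.compile(r"<!--\s*#\s*(\w+)\b[^>]*-->", re.IGNORECASE | re.DOTALL)


def find_ssi_directives(text: str) -> list[str]:
    """Return the lower-cased names of SSI directives found in untrusted input."""
    return [m.group(1).lower() for m in SSI_DIRECTIVE.finditer(text)]


def neutralize(text: str) -> str:
    """Escape input so the SSI parser never sees a '<!--#' opener.

    html.escape turns '<' into '&lt;', which breaks the directive opener
    while still rendering the original characters to the viewer.
    """
    return html.escape(text, quote=True)


def render_profile(display_name: str) -> str:
    """Build a fragment destined for a server-parsed (.shtml) page.

    The user-controlled value is passed through neutralize(); writing it in
    unescaped is the defect this attack pattern relies on.
    """
    return f"<p>Welcome, {neutralize(display_name)}</p>"


# Constructed sample request parameters, as a WAF or log review would see them
# (hypothetical values, not taken from the original page).
SAMPLE_INPUTS = [
    "Alice",
    "Bob <!-- just an HTML comment -->",
    '<!--#exec cmd="ls" -->',
    '<!--#include virtual="footer.shtml" -->',
]


def flag_suspicious(inputs: list[str]) -> list[tuple[str, list[str]]]:
    """Return (input, directive names) for every input carrying an SSI directive."""
    flagged = []
    for value in inputs:
        names = find_ssi_directives(value)
        if names:
            flagged.append((value, names))
    return flagged


if __name__ == "__main__":
    for value, names in flag_suspicious(SAMPLE_INPUTS):
        print(f"SSI directive(s) {names} in input: {value!r}")
    print(render_profile(SAMPLE_INPUTS[2]))
```

An ordinary HTML comment without the `#` marker is not flagged, so the detector does not fire on legitimate markup in user content.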

Related weaknesses (3)

CWE-97, CWE-74, CWE-20

Related attack patterns (2)

CAPEC-253 (ChildOf), CAPEC-600 (CanPrecede)

Exploits (3)

Type | Target | Confidence | Tier
Weakness | Improper Neutralization of Server-Side Includes (SSI) Within a Web Page (CWE-97) | 100% | live
Weakness | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74) | 100% | live
Weakness | Improper Input Validation (CWE-20) | 100% | live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

CAPEC: PHP Remote File Inclusion
CAPEC: Code Inclusion
CAPEC: Code Injection
CAPEC: Cross-Site Scripting (XSS)
CAPEC: PHP Local File Inclusion
CAPEC: XSS Through HTTP Query Strings

Sourced from MITRE CAPEC. Curated by Adam Lundqvist, SQUR.