What is SSI in simple terms?
Server-Side Includes (SSI) is a mechanism by which the web server processes special comments in HTML before the page is sent to the user.
That is:
The browser never sees the SSI directives themselves
SSI is executed on the server side
Only the execution result is inserted into the HTML that is sent to the client
Essentially, it is a very primitive server-side templating engine that appeared long before PHP, JSP, etc.
Why SSI is dangerous
If SSI is enabled on the server and user input ends up in a file (or response) that the server processes with SSI,
then the server will execute whatever was put there.
That already means:
reading server information (environment variables, files under the web root)
sometimes - command execution
File extensions (.shtml - NOT a guarantee)
SSI is typically enabled for files with a dedicated extension such as .shtml.
But this is not a rule.
An administrator can enable SSI for any extension, including plain .html, so an ordinary-looking page may be processed as well.
That's why:
SSI cannot be determined by the extension alone
it needs to be checked by behavior: send a directive and see whether the server expands it
An SSI directive looks like an HTML comment, but starts with a #.
Why this matters:
The browser ignores a regular HTML comment, so the directive is invisible in the rendered page
The server interprets the SSI comment and replaces it with its output before the response leaves
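The "check by behavior" test from the previous section, as an added Python example (written for this page, not code from the original): it builds a probe in the comment-with-a-# syntax (a config directive setting a custom time format, followed by an echo of DATE_LOCAL, so the output carries a marker that does not depend on the server's locale) and classifies the raw response body. The response bodies in the test are constructed; probe() is the only part that touches the network and is optional.

```python
import html
import re
import urllib.parse
import urllib.request

MARKER = "SSIPROBE"
# Apache-style directives: config sets the time format so the echoed DATE_LOCAL
# contains MARKER whatever the locale; echo then prints it.
PROBE = f'<!--#config timefmt="{MARKER}-%Y" --><!--#echo var="DATE_LOCAL" -->'
APACHE_ERRMSG = "[an error occurred while processing this directive]"  # Apache's default errmsg


def classify(body: str) -> str:
    """Decide what the server did with PROBE, from the raw response body."""
    if PROBE in body:
        return "reflected-unprocessed"  # comes back verbatim: no SSI on this resource
    if html.escape(PROBE) in body or html.escape(PROBE, quote=False) in body:
        return "reflected-escaped"  # app encoded it: SSI may be on, but not reachable here
    if re.search(rf"{re.escape(MARKER)}-\d{{4}}", body):
        return "ssi-executed"  # directive ran: SSI is definitely enabled
    if APACHE_ERRMSG in body:
        return "ssi-processed-error"  # parsed but failed (bad variable, IncludesNOEXEC, ...)
    return "not-reflected"  # input never made it into the page, or was filtered


def probe(url: str, param: str, timeout: float = 10.0) -> str:
    """Send PROBE in one query parameter of a live target and classify the answer.

    url and param are whatever reflection point you are testing (assumed inputs).
    """
    query = urllib.parse.urlencode({param: PROBE})
    sep = "&" if "?" in url else "?"
    with urllib.request.urlopen(url + sep + query, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        return classify(resp.read().decode(charset, "replace"))
```

Read the raw body, not the rendered page: a browser hides the unprocessed probe as a comment, which is exactly the difference between "reflected-unprocessed" and "ssi-executed" that the test relies on.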
Basic Directives
printenv
What it does:
prints all server environment variables at once;
Practical benefits:
sometimes - sensitive variables
Often used as a first test: if it works, SSI is definitely enabled.
config
What it does:
changes the SSI configuration (error message, time format, file size format);
most often used indirectly, in combination with other directives
Practice:
rarely used in direct attacks
echo
What it does:
prints a single server variable;
Useful variables:
DOCUMENT_NAME - file name
DATE_LOCAL - server time
Used as a quick, low-noise confirmation that directives are processed.
include
What it does:
inserts a file from the web root;
Restrictions:
You can't go beyond the web root: the path is resolved relative to the document root, so a file like /etc/passwd cannot be read this way
exec
What it does:
executes a command on the server;
This:
is executed as the web server user (www-data or apache on Linux, the application pool identity on IIS)
is unavailable when the administrator has disabled it (on Apache, Options IncludesNOEXEC), in which case only the other directives work
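To make the directives above concrete, here is a small Python simulation of an SSI-enabled page (an added example written for this page; it is a toy processor, not Apache's mod_include). It expands config, echo, printenv, include (refusing anything that resolves outside the web root, the restriction noted under include) and exec (subject to an IncludesNOEXEC-style switch), then renders a constructed guestbook that writes visitor comments into its page once raw and once HTML-escaped. The web root, the footer.html file, the guestbook template, the environment dictionary and the attacker comment are all constructed for the example.

```python
import functools
import html
import re
import subprocess
import tempfile
from pathlib import Path

# Apache-style directive syntax: <!--#name attr="value" ... -->
DIRECTIVE_RE = re.compile(r'<!--#\s*(\w+)\s*((?:\w+\s*=\s*"[^"]*"\s*)*)-->')
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
ERRMSG = "[an error occurred while processing this directive]"  # Apache's default errmsg


def render_ssi(page: str, webroot: Path, env: dict, allow_exec: bool = False) -> str:
    """Toy expansion of the directives covered on this page (not mod_include)."""
    root = webroot.resolve()

    def expand(match: re.Match) -> str:
        name = match.group(1)
        attrs = dict(ATTR_RE.findall(match.group(2)))
        if name == "config":
            return ""  # only changes settings, produces no output
        if name == "echo":
            # mod_include entity-encodes echoed values by default
            return html.escape(env.get(attrs.get("var", ""), "(none)"))
        if name == "printenv":
            return "".join(f"{k}={v}\n" for k, v in sorted(env.items()))
        if name == "include":
            target = attrs.get("virtual") or attrs.get("file") or ""
            # Paths resolve under the web root; anything that escapes it is refused.
            resolved = (root / target.lstrip("/")).resolve()
            if root not in resolved.parents:
                return ERRMSG
            try:
                return resolved.read_text()
            except OSError:
                return ERRMSG
        if name == "exec":
            if not allow_exec:  # the effect of Options IncludesNOEXEC
                return ERRMSG
            # Runs with the privileges of the process rendering the page,
            # i.e. the web server user on a real deployment.
            return subprocess.run(attrs.get("cmd", ""), shell=True,
                                  capture_output=True, text=True).stdout
        return ERRMSG

    return DIRECTIVE_RE.sub(expand, page)


TEMPLATE = "<html><body><h1>Guestbook</h1>\n{entries}\n</body></html>\n"


def build_guestbook(comments: list, escape_input: bool) -> str:
    """Constructed app: every visitor comment is written straight into the page."""
    entries = "\n".join(
        "<p>" + (html.escape(c) if escape_input else c) + "</p>" for c in comments
    )
    return TEMPLATE.format(entries=entries)


def make_demo_webroot() -> Path:
    root = Path(tempfile.mkdtemp(prefix="ssi-webroot-"))
    (root / "footer.html").write_text("<p>footer</p>")  # legitimately includable
    return root


@functools.lru_cache(maxsize=None)
def demo() -> dict:
    root = make_demo_webroot()
    env = {"DOCUMENT_NAME": "guestbook.shtml", "SERVER_SOFTWARE": "toy/1.0"}
    # Constructed attacker comment: a browser would hide it as a plain HTML comment.
    payload = '<!--#exec cmd="echo SSI_EXEC_RAN" -->'
    raw = build_guestbook(["hi", payload], escape_input=False)
    escaped = build_guestbook(["hi", payload], escape_input=True)
    return {
        "vulnerable": render_ssi(raw, root, env, allow_exec=True),
        "hardened": render_ssi(escaped, root, env, allow_exec=True),
        "noexec": render_ssi(raw, root, env, allow_exec=False),
        "traversal": render_ssi('<!--#include virtual="/../etc/passwd" -->', root, env),
        "legit_include": render_ssi('<!--#include virtual="/footer.html" -->', root, env),
        "echo": render_ssi('<!--#echo var="DOCUMENT_NAME" -->', root, env),
    }


if __name__ == "__main__":
    for name, out in demo().items():
        print(f"--- {name} ---\n{out}")
```

The hardened variant shows the fix the page implies: once the comment is entity-encoded, `&lt;!--#exec` is no longer a directive, the text survives literally, and nothing runs. The noexec variant shows the defence-in-depth layer, where the directive is still parsed but exec is refused, so echo and printenv continue to leak information even though commands do not.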
Here you can see example requests:
References & More About SSI Injection