Server-Side Includes (SSI) Injection

OWASP 2013-A1 OWASP 2017-A1 OWASP 2021-A3 OWASP 2019-API8 CAPEC-101 CWE-97 WASC- 31 WSTG-INPV-08

SSIs are directives present on the Web applications. These directories are used to feed an HTML page with dynamic page contents. The SSIs are used to execute some actions before a page is loaded and while the page is being visualised. For performing this action, the web server analyses the SSI before showing the page to the user. There are many web server that permits SSI execution without any proper validation. This vulnerability can lead to an attacker accessing and manipulating the file system of the server. The attacker can then process under the permission of the web server’s administrator to completely exploit the system.


The below code is an example of SSI injection

        <!--#exec cmd="ls" -->



  • Reading, updating and deleting arbitrary data/tables from the database
  • Executing commands on the underlying operating system

Mitigation / Precaution

This vulnerability can be fixed by:-

  • Disable SSI execution on pages that do not require it.
  • Pages requiring SSI, only enable the SSI directives that are needed for this page and disable all others.
  • Encode user supplied data before passing it to a page with SSI execution permissions.
  • Use SUExec[5] to have the page execute as the owner of the file instead of the web server user.

Latest Articles