CWE

Improper Neutralization of Server-Side Includes (SSI) Within a Web Page

ID: 97		Date: (C)2012-05-14   (M)2022-10-10
Type: weakness		Status: DRAFT
Abstraction Type: Variant

Description

The software generates a web page, but does not neutralize or incorrectly neutralizes user-controllable input that could be interpreted as a server-side include (SSI) directive.

Applicable Platforms
Language Class: All

Time Of Introduction

• Architecture and Design
• Implementation

Related Attack Patterns

• CAPEC-101
• CAPEC-35

Common Consequences

Scope	Technical Impact	Notes
Confidentiality Integrity Availability	Execute unauthorized code or commands

Detection Methods
None

Potential Mitigations

Phase	Strategy	Description	Effectiveness	Notes
Implementation		Utilize an appropriate mix of white-list and black-list parsing to filter server-side include syntax from all input.

Relationships
This can be resultant from XSS/HTML injection because the same special characters can be involved. However, this is server-side code execution, not client-side.

Related CWE	Type	View	Chain
CWE-97 ChildOf CWE-896	Category	CWE-888

Demonstrative Examples
None

White Box Definitions
None

Black Box Definitions
None

Taxynomy Mappings

Taxynomy	Id	Name	Fit
PLOVER		Server-Side Includes (SSI) Injection
WASC	36	SSI Injection

References:
None