> For the complete documentation index, see [llms.txt](https://zeyad-abulaban.gitbook.io/notes/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://zeyad-abulaban.gitbook.io/notes/web-penetration-testing/web-vulns/ssi-server-side-include.md). # SSI (Server Side include) *** Web servers usually give developers the ability to add small pieces of dynamic code inside static HTML pages, without having to deal with full-fledged server-side or client-side languages. Server-Side Includes are directives that the web server parses before serving the page to the user. They represent an alternative to writing CGI programs or embedding code using server-side scripting languages Common SSI implementations provide directives **(commands)** to include external files, to set and print web server CGI environment variables, or to execute external **CGI scripts or system commands**. SSI can lead to a *Remote Command Execution (RCE),* however most webservers have the `exec` directive disabled by default. ## FingerPrinting You can verify that SSI directives are enabled is by checking for pages with the `.shtml` extension, which is associated with SSI directives. The use of the `.shtml` extension is not mandatory, so not having found any `.shtml` files doesn’t necessarily mean that the target is not vulnerable to SSI injection attacks. * Possible input vectors may also include headers and cookies ## Testing #### Include directive ```txt ``` #### echo directive ```txt ``` #### exec directive ```txt ``` The SSI directives can also be injected in the HTTP headers, if the web application is using that data to build a dynamically generated page: ```txt GET / HTTP/1.1 Host: www.example.com Referer: User-Agent: ``` ## References * [Nginx SSI module](https://nginx.org/en/docs/http/ngx_http_ssi_module.html) * [Apache: Module mod\_include](https://httpd.apache.org/docs/current/mod/mod_include.html) * [IIS: Server Side Includes directives](https://docs.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms525185%28v=vs.90%29) * [Apache Tutorial: Introduction to Server Side Includes](https://httpd.apache.org/docs/current/howto/ssi.html) * [Apache: Security Tips for Server Configuration](https://httpd.apache.org/docs/current/misc/security_tips.html#ssi) * [SSI Injection instead of JavaScript Malware](https://jeremiahgrossman.blogspot.com/2006/08/ssi-injection-instead-of-javascript.html) * [IIS: Notes on Server-Side Includes (SSI) syntax](https://blogs.iis.net/robert_mcmurray/archive/2010/12/28/iis-notes-on-server-side-includes-ssi-syntax-kb-203064-revisited.aspx) * [Header Based Exploitation](https://www.cgisecurity.com/papers/header-based-exploitation.txt) --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://zeyad-abulaban.gitbook.io/notes/web-penetration-testing/web-vulns/ssi-server-side-include.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.