Server-Side Includes (SSI) are directives embedded in web pages that let a web application fill an HTML page with dynamic content. They are similar to CGI scripts, except that SSI directives are executed before the current page is served or while it is being rendered. To do so, the web server parses the SSI directives and evaluates them before supplying the page to the user.
The Server-Side Includes Injection (SSI Injection) attack allows the exploitation of a web application by injecting scripts into HTML pages or executing arbitrary code remotely. It can be carried out either by manipulating SSI directives already used by the application or by forcing their use through user input fields.
In a successful Server-Side Includes Injection attack, the threat actor can access sensitive information, such as password files, and execute shell commands. The SSI directives are injected into input fields and sent to the web server. The web server parses and executes the directives before supplying the page, so the result of the attack becomes visible the next time the page is loaded in the user's browser.
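The following added example (not part of the original page) shows the defensive side of the flow just described: a detection pass that flags user-submitted text containing SSI directive syntax, and the neutralization step that makes such text render as literal characters instead of being parsed on an SSI-enabled page. The directive names in the regular expression are the standard Apache mod_include ones; the sample guestbook entries, the function names and the `review_guestbook_entries` helper are all constructed for this illustration.

```python
import html
import re

# An SSI directive starts with the sequence "<!--#" followed by a directive
# name and its attributes, and is closed by "-->". The names listed are the
# standard Apache mod_include directives. The regex is deliberately a little
# broader than the strict syntax (whitespace tolerated, case-insensitive) so
# that detection errs on the side of flagging.
SSI_DIRECTIVE = re.compile(
    r"<!--\s*#\s*(include|exec|echo|config|set|printenv|fsize|flastmod"
    r"|if|elif|else|endif)\b",
    re.IGNORECASE,
)


def find_ssi_directives(text: str) -> list[str]:
    """Return the SSI directive names found in a piece of user input (empty list if none)."""
    return [m.group(1).lower() for m in SSI_DIRECTIVE.finditer(text)]


def neutralize_for_ssi_page(text: str) -> str:
    """Escape user input so it is rendered as literal text even on an SSI-parsed page.

    html.escape turns '<' into '&lt;' (and '>' into '&gt;', quotes into entities),
    so the stored string can no longer begin the "<!--#" start sequence the
    server's SSI parser looks for.
    """
    return html.escape(text, quote=True)


def review_guestbook_entries(entries: list[str]) -> list[tuple[bool, list[str], str]]:
    """Constructed detection pass over a batch of submissions.

    For each entry returns (flagged, directive_names, safe_text): whether SSI syntax
    was found, which directives, and the neutralized text that is safe to store and
    later embed in a page the web server will SSI-parse.
    """
    results = []
    for entry in entries:
        hits = find_ssi_directives(entry)
        results.append((bool(hits), hits, neutralize_for_ssi_page(entry)))
    return results


# Constructed sample submissions to a hypothetical guestbook form; not taken
# from any real application. The second and fourth carry SSI syntax.
SAMPLE_ENTRIES = [
    "Great article, thanks!",
    '<!--#echo var="DATE_LOCAL" -->',          # SSI directive hidden in a comment field
    "<!-- just an HTML comment -->",           # ordinary HTML comment, no '#': not a directive
    '<!--#SET var="greeting" value="hi" -->',  # mixed case, still flagged
]

if __name__ == "__main__":
    for flagged, hits, safe in review_guestbook_entries(SAMPLE_ENTRIES):
        print(f"flagged={flagged!s:5} directives={hits} stored_as={safe}")
```

Escaping `<` is enough to defeat the default `<!--#` start sequence; if the server has been configured with a non-default start tag (Apache's `SSIStartTag`), the input must be checked against that sequence as well. Independently of input handling, Apache's `Options IncludesNOEXEC` disables the `exec` directive on SSI-enabled directories, which removes the shell-command outcome the text above describes even where a directive does slip through.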