
All You Need To Know About Server Side Includes

Digital infrastructure is growing more complex by the day, and servers play an important role in it. Servers are the backbone of present-day computing and an integral part of any data center. They perform many functions, including acting as web servers that host applications and websites and as specialized email servers that handle mail delivery.


Servers store very sensitive data and provide valuable resources, which exposes them to attack. One type of server that is particularly exposed to targeted attacks is the web server.

Web servers host websites and web applications. Because they store sensitive data and provide valuable information and resources, they are a target for attacks.

One attack that can be devastating to a web server is the server-side include attack.


You might be wondering what the server-side include attack is, how it works, and how you can protect your web server from it. Continue reading this article to find answers to these questions. 


What Is a Server Side Include?


Server-side includes (SSIs) are a way to add unique and dynamic content to your website. They can be used alongside other technologies such as PHP or Ruby on Rails, or on their own.


The technology is quite simple: when an SSI tag is added to your page’s code, it tells the server to pull content from a different file and insert it into the current file as if it were just another part of the page.

By doing this, you do not have to repeatedly write out the same information for every page on your site. You only need to write it once in the .shtml file and include it wherever you want the contents to show on your page. 

That is how it works in theory. However, there are some things you need to know about SSIs, and knowing them will help you get the most out of SSIs.


Server Side Include – How It Works


Be assured that there is no magic involved. There is nothing different about the SSI file besides how your server references it. When a file is added to your site, it is stored on your server in a directory. When you reference the file with an SSI link, the server looks for all the relevant files in the same directory where it found the .html or .shtml file that calls for them. This means that if your SSI file is called “foo.shtml” and the main site page is named “index.html”, you should save them in the same folder.

Once it locates all these files, it will combine them on a page and send them back to you. This is how you get dynamic and unique content on your page without the need to write code. 


However, the problem this can pose is Server-Side Includes (SSI) Injection.


In the coding and web development field, many things can go wrong while building a site. However, Server-Side Includes (SSI) Injection is the most common problem.

This problem is quite common, and if you do not know how to fix it, it can damage your site and lead to security breaches.

This is why SSI Injection is something that you should know how to handle. The rest of this article discusses SSI Injection and how you can handle an SSI Injection attack.


SSI Injection – What It Entails


SSI Injection happens when an attack is launched on your site: someone breaks into your site and injects their own code into the file the server is processing. This can cause different kinds of issues, particularly when the attacker can access data and sensitive information. Another issue is that they may be able to erase files or databases.


How to Guard Against SSI Injection Attack


Now that we have discussed the SSI Injection attack, it is important to be able to prevent it, or to combat the attack when it is launched.

Here are four ways to defend your server against an SSI injection attack.


1. Filtering what goes into the server


One common way to bypass security measures is by tweaking input values. The best way to guard against this is to ensure that you have a system in place that will filter the data provided by users before the site’s server can process it. 


2. Make use of escape characters


Another way to guard against SSI Injection attacks is to use escape characters.

Escape characters are special characters that tell the server that what comes after them should be interpreted as a literal string of text and not as HTML.

The ampersand (&) is a very common escape character, and it is used to inform a server that whatever comes after the character should be treated as a literal string of text, not HTML.

To use an ampersand itself in your code, you must write it as &amp;.
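
Tips 1 and 2 applied to a comment field, as an added example that is not from the original article: the filter rejects input containing an SSI directive opener, and the escaper encodes it so the server's SSI pass sees only text. `toy_ssi_pass`, `SERVER_VARS` and the sample input are constructed for illustration; the toy pass stands in for the real server and expands only `#echo`.

```python
import html
import re

# Opening of any SSI directive: <!--#include ...>, <!--#echo ...>, and so on.
# Whitespace is tolerated so that near-miss variants are refused as well.
SSI_DIRECTIVE = re.compile(r"<!--\s*#\s*[a-z]+", re.IGNORECASE)


def reject_ssi(value: str) -> str:
    """Tip 1 (filter): refuse input that contains an SSI directive opener."""
    if SSI_DIRECTIVE.search(value):
        raise ValueError("input contains an SSI directive")
    return value


def escape_for_page(value: str) -> str:
    """Tip 2 (escape): encode & < > and quotes so the value is inert text."""
    return html.escape(value, quote=True)


# Toy stand-in for the server's SSI pass (assumption, not a real server):
# it expands only <!--#echo var="NAME" --> from a fixed table.
ECHO = re.compile(r'<!--#echo var="([A-Z_]+)" -->')
SERVER_VARS = {"DOCUMENT_NAME": "guestbook.shtml"}  # constructed value


def toy_ssi_pass(page: str) -> str:
    return ECHO.sub(lambda m: SERVER_VARS.get(m.group(1), "(none)"), page)


def build_page(comment: str, escape: bool) -> str:
    """Place a visitor comment in a page, then run the SSI pass over it."""
    body = escape_for_page(comment) if escape else comment
    return toy_ssi_pass(f"<p>{body}</p>")


# Constructed input: a comment carrying a harmless #echo directive.
CONSTRUCTED_INPUT = 'hi <!--#echo var="DOCUMENT_NAME" -->'

if __name__ == "__main__":
    print(build_page(CONSTRUCTED_INPUT, escape=False))  # directive was expanded
    print(build_page(CONSTRUCTED_INPUT, escape=True))   # directive shown as text
```
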


3. Do not use server-side includes 


The best way to defend your server against a Server Side Include Injection attack is to not use Server Side Includes at all.


This might seem strange, but it is true. 


Although Server Side Includes are the most popular way to have unique content on your web pages, they make your website vulnerable. An attacker can easily access your .shtml files and inject destructive code into them.


This is more dangerous if you are using other languages like PHP to generate dynamic content, as they are more vulnerable to injection attacks than HTML, which is also pretty vulnerable.


4. Do not mix SSI pages and user inputs


Although you must understand how SSI Injection works, do not forget that the best way to guard your web application against SSI injection attacks is not to mix SSI pages with user inputs. This means you should not use user data on an SSI page. 


Even when you are using a safe input filter like the ones provided by PHP, an attacker can trick your application into running malicious code. An example is when an attacker submits a URL containing something like “../../../etc/passwd” as a file name.

This can make your application run a program named passwd (since the etc directory has a program titled passwd) instead of showing the file’s content.
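
One way to check a requested include name before it reaches the server, covering the “../../../etc/passwd” case above. This is an added example, not code from the original article; `resolve_include`, `is_allowed` and the `ALLOWED_SUFFIXES` list are assumptions made for illustration.

```python
from pathlib import Path

# Assumption: only these file types may ever be included.
ALLOWED_SUFFIXES = {".shtml", ".html"}


def resolve_include(base_dir: str, requested: str) -> Path:
    """Return the real path of an include, or raise ValueError if unsafe.

    The name is resolved first (collapsing ".." and symlinks) and only then
    compared with the include directory, so traversal sequences and absolute
    paths are judged by where they actually point.
    """
    base = Path(base_dir).resolve()
    candidate = (base / requested).resolve()
    try:
        # relative_to compares whole path components, so a sibling such as
        # /srv/www-other is not mistaken for something inside /srv/www.
        candidate.relative_to(base)
    except ValueError:
        raise ValueError("include path leaves the include directory") from None
    if candidate.suffix.lower() not in ALLOWED_SUFFIXES:
        raise ValueError("file type is not on the allow list")
    return candidate


def is_allowed(base_dir: str, requested: str) -> bool:
    """Boolean wrapper for use in request handlers and log checks."""
    try:
        resolve_include(base_dir, requested)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as include_dir:
        # Constructed sample names, including the one quoted in the article.
        for name in ("footer.shtml", "../../../etc/passwd", "/etc/passwd"):
            print(f"{name!r:28} allowed={is_allowed(include_dir, name)}")
```
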


Final Thought


With these tips, you have gained some things that can help you guard against SSI Injection attacks and make your applications and server more secure.

If you have any questions, feel free to drop us a line so we can answer them!