Failure to Sanitize Server-Side Includes (SSI) Within a Web Page
Weakness ID: 97 (Weakness Base)Status: Draft
+ Description

Description Summary

The software fails to adequately filter server-side include (control-plane) syntax from user-controlled input (data plane) and then allows potentially injected server-side includes to be acted upon.
+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Applicable Platforms



+ Potential Mitigations

Phase: Implementation

Utilize an appropriate mix of white-list and black-list parsing to filter server-side include syntax from all input.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness BaseWeakness Base96Improper Sanitization of Directives in Statically Saved Code ('Static Code Injection')
Development Concepts (primary)699
Research Concepts (primary)1000
+ Relationship Notes

This can be resultant from XSS/HTML injection because the same special characters can be involved. However, this is server-side code execution, not client-side.

+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
PLOVERServer-Side Includes (SSI) Injection
WASC36SSI Injection
+ Related Attack Patterns
CAPEC-IDAttack Pattern Name
(CAPEC Version: 1.4)
35Leverage Executable Code in Nonexecutable Files
101Server Side Include (SSI) Injection
+ Content History
Submission DateSubmitterOrganizationSource
PLOVERExternally Mined
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Time of Introduction
2008-09-08CWE Content TeamMITREInternal
updated Relationships, Other Notes, Taxonomy Mappings
2009-10-29CWE Content TeamMITREInternal
updated Other Notes, Relationship Notes
Previous Entry Names
Change DatePrevious Entry Name
2008-04-11Server-Side Includes (SSI) Injection