Server Side Inclusion

Description

Server-Side Include (SSI) injection vulnerabilities occur when an application incorporates user-controllable data into a response that is subsequently parsed for Server-Side Include directives. If the provided user input is not strictly validated, malicious actors can manipulate or insert directives to execute malicious code.

Exploiting SSI injection vulnerabilities often enables the injection of arbitrary content, such as JavaScript, into the application's response, presenting risks similar to cross-site scripting (XSS). Depending on the server's configuration, the vulnerability may also allow an attacker to access protected files or execute arbitrary system commands on the server.

SSI injection can have multiple injection points, such as POST forms, HTTP headers, and cookies:

  • Code Execution:
GET / HTTP/1.1
Host: localhost
Referer: <!--#exec cmd="/bin/ls"-->
  • File inclusion:
POST /contact HTTP/1.1
Host: localhost

body=<!--#include virtual="/proc/version"-->

Recommendation

To mitigate the risk of server-side include injection vulnerabilities, consider the following recommendations:

  • Disable SSI: If SSI is not needed, disabling it is the bulletproof recommendation to mitigate the risk of SSI injection. Restricting SSI to a limited number of pages would also help mitigate some of the risks.

  • Input Validation and Sanitization: Sanitize and/or encode user-supplied input (notably HTML special characters like <>) before passing it to a page with SSI execution permissions.

  • Use suEXEC: Use suEXEC to restrict the permissions of the user running SSI directives.

<!--#if expr="$user_input =~ /^[a-zA-Z0-9_\-]+$/i" -->
   <!--#include virtual="/web/$user_input" -->
<!--#else -->
   Invalid input!
<!--#endif -->
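
The input validation and sanitization recommendation above, as an added Python example that is not part of the original page: it flags SSI directives in request fields (raw or percent-encoded) and HTML-encodes a value before it is written to an SSI-parsed page. The function names and the flattened field dictionary are assumptions made for illustration; the sample values are the two requests shown in the Description.

```python
import html
import re
from urllib.parse import unquote

# Opening of an SSI directive, e.g. <!--#exec ...--> or <!--#include ...-->.
# Whitespace is tolerated so the check errs on the side of flagging.
SSI_DIRECTIVE = re.compile(r"<!--\s*#\s*([a-z]+)", re.IGNORECASE)


def find_ssi_directives(value: str) -> list[str]:
    """Return the lower-cased directive names found in value.

    The value is checked both raw and percent-decoded, because form bodies
    and cookies often arrive URL-encoded.
    """
    names = []
    for candidate in (value, unquote(value)):
        for match in SSI_DIRECTIVE.finditer(candidate):
            name = match.group(1).lower()
            if name not in names:
                names.append(name)
    return names


def scan_request(fields: dict[str, str]) -> dict[str, list[str]]:
    """Map each request field (header, cookie, form parameter) that carries
    an SSI directive to the directive names found in it."""
    hits = {}
    for field, value in fields.items():
        found = find_ssi_directives(value)
        if found:
            hits[field] = found
    return hits


def encode_for_ssi_page(value: str) -> str:
    """HTML-encode user input before it is written into an SSI-parsed page,
    so '<' and '>' can no longer open or close a directive."""
    return html.escape(value, quote=True)


# Constructed sample: the two requests shown above, flattened to field -> value.
SAMPLE_FIELDS = {
    "Host": "localhost",
    "Referer": '<!--#exec cmd="/bin/ls"-->',
    "body": '<!--#include virtual="/proc/version"-->',
}

if __name__ == "__main__":
    print(scan_request(SAMPLE_FIELDS))
    print(encode_for_ssi_page(SAMPLE_FIELDS["Referer"]))
```

Encoding at output time is the control; the scan is a logging and alerting aid and should not be relied on as the only filter.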

Standards

  • GDPR:
    • ART_5
    • ART_32
  • PCI_STANDARDS:
    • REQ_6_2
    • REQ_6_3
    • REQ_11_3