nerdexam
EC-Council

312-50V13 · Question #428

Calvin, a software developer, uses a feature that helps him auto-generate the content of a web page without manual involvement and is integrated with SSI directives. This leads to a vulnerability in t

The correct answer is D. Server-side includes injection. Calvin's web application is susceptible to Server-Side Includes (SSI) injection, as it improperly processes user-supplied input containing SSI directives, allowing attackers to execute commands or manipulate server files.

Submitted by stefanr· Mar 6, 2026Hacking Web Applications

Question

Calvin, a software developer, uses a feature that helps him auto-generate the content of a web page without manual involvement and is integrated with SSI directives. This leads to a vulnerability in the developed web application as this feature accepts remote user inputs and uses them on the page. Hackers can exploit this feature and pass malicious SSI directives as input values to perform malicious activities such as modifying and erasing server files. What is the type of injection attack Calvin's web application is susceptible to?

Options

  • AServer-side template injection
  • BServer-side JS injection
  • CCRLF injection
  • DServer-side includes injection

How the community answered

(13 responses)
  • B
    8% (1)
  • D
    92% (12)

Why each option

Calvin's web application is susceptible to Server-Side Includes (SSI) injection, as it improperly processes user-supplied input containing SSI directives, allowing attackers to execute commands or manipulate server files.

AServer-side template injection

Server-side template injection involves injecting malicious code into server-side template engines (like Jinja, Twig), which is different from direct SSI processing.

BServer-side JS injection

Server-side JS injection implies JavaScript being executed on the server, typically through Node.js applications, which is not directly related to SSI directives.

CCRLF injection

CRLF injection involves injecting carriage return and line feed characters into HTTP responses or log files to manipulate their structure, which is a different vulnerability type.

DServer-side includes injectionCorrect

Server-Side Includes (SSI) injection occurs when an application concatenates user-supplied input directly into an HTML page that is parsed for SSI directives without proper sanitization, allowing an attacker to embed malicious SSI commands which the web server then executes. These commands can perform actions like listing directories, executing system commands, or accessing server-side variables, thus enabling unauthorized access or data manipulation.

Concept tested: Server-Side Includes (SSI) injection

Source: https://owasp.org/www-community/attacks/Server-Side_Includes_(SSI)_Injection

Topics

#Server-Side Includes injection#SSI injection#web application vulnerabilities

Community Discussion

No community discussion yet for this question.

Full 312-50V13 Practice