312-50V13 · Question #428
Calvin, a software developer, uses a feature that helps him auto-generate the content of a web page without manual involvement and is integrated with SSI directives. This leads to a vulnerability in t
The correct answer is D. Server-side includes injection. Calvin's web application is susceptible to Server-Side Includes (SSI) injection, as it improperly processes user-supplied input containing SSI directives, allowing attackers to execute commands or manipulate server files.
Question
Options
- AServer-side template injection
- BServer-side JS injection
- CCRLF injection
- DServer-side includes injection
How the community answered
(13 responses)- B8% (1)
- D92% (12)
Why each option
Calvin's web application is susceptible to Server-Side Includes (SSI) injection, as it improperly processes user-supplied input containing SSI directives, allowing attackers to execute commands or manipulate server files.
Server-side template injection involves injecting malicious code into server-side template engines (like Jinja, Twig), which is different from direct SSI processing.
Server-side JS injection implies JavaScript being executed on the server, typically through Node.js applications, which is not directly related to SSI directives.
CRLF injection involves injecting carriage return and line feed characters into HTTP responses or log files to manipulate their structure, which is a different vulnerability type.
Server-Side Includes (SSI) injection occurs when an application concatenates user-supplied input directly into an HTML page that is parsed for SSI directives without proper sanitization, allowing an attacker to embed malicious SSI commands which the web server then executes. These commands can perform actions like listing directories, executing system commands, or accessing server-side variables, thus enabling unauthorized access or data manipulation.
Concept tested: Server-Side Includes (SSI) injection
Source: https://owasp.org/www-community/attacks/Server-Side_Includes_(SSI)_Injection
Topics
Community Discussion
No community discussion yet for this question.