Introduction

Sometimes, due to business requirements, developers need to build a static website, but in order to enhance the functionality or the look and feel of the application, they include some dynamic directives inside static HTML pages. The security of static web applications is much easier, as they have fewer libraries and less third-party content that can be exploited. So, organizations do not have to worry too much about cyber attacks if they are using static websites rather than dynamic websites.

What is SSI / Server-Side Include?

Web pages often make use of a scripting language known as SSI, which runs on the server. The majority of web servers, including Apache, IIS, Nginx, LiteSpeed, and others, support the SSI standard. Most of the time, SSI is used where the developer wants to carry out minor activities in order to provide a small level of automation on a static website, or to set the environment variables for CGI (Common Gateway Interface) programs. In order to incorporate external files, or to carry out CGI scripts or system actions before the current page is loaded or after the page has been rendered, you will need to use an include directive.

Before delivering content to the user’s browser, the web server first processes the HTML page and runs any Server-Side Include statements that are present. The script can then be used to manipulate code. While the input is being parsed through the input fields on the website, the web server executes the script locally, so the server’s directive can very easily be executed through the input.

There is a possibility of SSI injection taking place when input validation has not been adequately implemented. For example, here I am passing “whoami” as a value, which is a Linux command that helps to identify the user on a system. In the preceding command, we are getting the value of “whoami.” This happens when input validation is not handled properly by the application.

If the application does not handle input validation in an appropriate manner, an attacker can easily retrieve sensitive information from the server. If an application contains several input fields, an attacker can enter different commands into each of those fields, and those commands will be carried out. If the Linux commands get executed, it means that the server is running a Linux-based operating system.
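The input-validation gap described above can be closed by screening every form field for SSI directive syntax and HTML-encoding each value before it is written into a server-parsed page. The following Python sketch is an added example, not code from the original article; the function names, field names and sample form are constructed for illustration.

```python
import html
import re

# SSI directives start with an HTML comment opener followed by '#' and an
# element name, e.g. <!--#exec ...> or <!--#include ...>. Whitespace is
# tolerated here so the screen is stricter than the server's own parser.
SSI_OPENER = re.compile(r"<!--\s*#\s*([A-Za-z]+)")


def find_ssi_directives(value):
    """Return the SSI element names (lowercased) found in one input value."""
    return [m.group(1).lower() for m in SSI_OPENER.finditer(value)]


def screen_form(fields):
    """Check every field, since each input can carry its own directive."""
    findings = {}
    for name, value in fields.items():
        hits = find_ssi_directives(value)
        if hits:
            findings[name] = hits
    return findings


def encode_for_page(value):
    """HTML-encode input so '<' and '>' can no longer open a directive."""
    return html.escape(value, quote=True)


def render_fields(fields, reject=True):
    """Reject input containing directives, otherwise return encoded values."""
    findings = screen_form(fields)
    if findings and reject:
        raise ValueError(f"SSI directive in fields: {sorted(findings)}")
    return {name: encode_for_page(value) for name, value in fields.items()}


# Constructed sample input for a form with several fields.
SAMPLE_FORM = {
    "firstname": '<!--#exec cmd="whoami" -->',
    "lastname": "Smith",
    "comment": 'Nice page <!--#echo var="DATE_LOCAL" -->',
}

if __name__ == "__main__":
    print(screen_form(SAMPLE_FORM))
    print(render_fields(SAMPLE_FORM, reject=False))
```

Rejecting the request is the stricter choice; encoding alone is enough to stop the server from parsing the value as a directive when the input must be displayed.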