ZAP – Server Side Include

Details
Alert ID	40009
Alert Type	Active
Status	release
Risk	High
CWE	97
WASC	31
Technologies Targeted	OS / Linux OS / MacOS OS / Windows
Tags	CWE-97 OWASP_2017_A01 OWASP_2021_A03 WSTG-V42-INPV-11
More Info	Scan Rule Help

Summary

Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed.

Solution

Do not trust client side input and enforce a tight check in the server side. Disable server side includes. Refer to manual to disable Sever Side Include. Use least privilege to run your web server or application server. For Apache, disable the following: Options Indexes FollowSymLinks Includes AddType application/x-httpd-cgi .cgi AddType text/x-server-parsed-html .html.

Other Info

References

https://httpd.apache.org/docs/current/howto/ssi.html

Code

org/zaproxy/zap/extension/ascanrules/ServerSideIncludeScanRule.java