CWE-97: Improper Neutralization of Server-Side Includes (SSI) Within a Web Page
Weakness ID: 97
Version: v4.17
Weakness Name: Improper Neutralization of Server-Side Includes (SSI) Within a Web Page
Vulnerability Mapping: Allowed
Abstraction: Variant
Structure: Simple
Status: Draft
Likelihood of Exploit:
▼Description

The product generates a web page, but does not neutralize or incorrectly neutralizes user-controllable input that could be interpreted as a server-side include (SSI) directive.
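The weakness in the description, as an added illustration that is not part of the CWE entry: a constructed comment-rendering function that copies user input verbatim into a page the web server later parses for SSI directives, beside a version that HTML-escapes the input first, with a small directive finder used as the check. The directive syntax assumed is the Apache-style `<!--#name ... -->` form; all function and variable names are this example's own.

```python
import html
import re

# Apache-style SSI directives have the form <!--#name attr="value" -->.
# This regex is a review/logging heuristic for spotting directives in
# rendered output, not a full SSI parser.
SSI_DIRECTIVE = re.compile(r"<!--#\s*([a-z]+)\b.*?-->", re.IGNORECASE | re.DOTALL)


def find_ssi_directives(rendered: str) -> list[str]:
    """Return the names of SSI directives (echo, include, ...) found in rendered output."""
    return [m.group(1).lower() for m in SSI_DIRECTIVE.finditer(rendered)]


def render_comment_unsafe(comment: str) -> str:
    """CWE-97 pattern: user input is embedded verbatim into a page that the web
    server will parse for SSI directives, so any directive in the input is run."""
    return f'<div class="comment">{comment}</div>'


def render_comment_safe(comment: str) -> str:
    """Hardened version: HTML-escape the input before embedding it. Turning '<'
    into '&lt;' means the text can no longer open an SSI directive ('<!--#');
    this is the same escaping that prevents HTML/XSS injection, which is why
    CWE-97 is often found alongside it."""
    return f'<div class="comment">{html.escape(comment, quote=True)}</div>'


# Constructed sample input: a comment carrying a harmless "echo" directive.
SAMPLE_COMMENT = 'Nice write-up! <!--#echo var="DATE_LOCAL" -->'

if __name__ == "__main__":
    for label, render in (("unsafe", render_comment_unsafe), ("safe", render_comment_safe)):
        page = render(SAMPLE_COMMENT)
        print(f"{label}: directives={find_ssi_directives(page)} output={page}")
```

Run against the sample, the unsafe renderer's output still contains a parseable `echo` directive while the escaped output contains none.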

▼Extended Description

▼Alternate Terms
▼Relationships
Relevant to the view "Research Concepts - (1000)"
Nature: ChildOf
Mapping: Allowed
Type: Base
ID: 96
Name: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
▼Memberships
Nature: MemberOf
Mapping: Prohibited
Type: Category
ID: 990
Name: SFP Secondary Cluster: Tainted Input to Command

Nature: MemberOf
Mapping: Prohibited
Type: Category
ID: 1019
Name: Validate Inputs

Nature: MemberOf
Mapping: Prohibited
Type: Category
ID: 1347
Name: OWASP Top Ten 2021 Category A03:2021 - Injection

Nature: MemberOf
Mapping: Prohibited
Type: Category
ID: 1409
Name: Comprehensive Categorization: Injection
▼Tags
Nature: MemberOf
Mapping: Prohibited
Type: BOSSView
ID: BOSS-294
Name: Not Language-Specific Weaknesses

Nature: MemberOf
Mapping: Prohibited
Type: BOSSView
ID: BOSS-311
Name: Execute Unauthorized Code or Commands (impact)
▼Relevant To View
Relevant to the view "Architectural Concepts - (1008)"
Nature: MemberOf
Mapping: Prohibited
Type: Category
ID: 1019
Name: Validate Inputs

Relevant to the view "OWASP Top Ten (2021) - (1344)"
Nature: MemberOf
Mapping: Prohibited
Type: Category
ID: 1347
Name: OWASP Top Ten 2021 Category A03:2021 - Injection

Relevant to the view "Software Fault Pattern (SFP) Clusters - (888)"
Nature: MemberOf
Mapping: Prohibited
Type: Category
ID: 990
Name: SFP Secondary Cluster: Tainted Input to Command
▼Background Detail

▼Common Consequences
Scope: Confidentiality, Integrity, Availability
Likelihood: N/A
Impact: Execute Unauthorized Code or Commands
Note: N/A
▼Potential Mitigations
▼Modes Of Introduction
Phase: Implementation
Note:

REALIZATION: This weakness is caused during implementation of an architectural security tactic.

▼Applicable Platforms
Languages
Class: Not Language-Specific (Undetermined Prevalence)
▼Demonstrative Examples
▼Observed Examples
▼Affected Resources
▼Functional Areas
▼Weakness Ordinalities
▼Detection Methods
▼Vulnerability Mapping Notes
Usage: Allowed
Reason: Acceptable-Use
Rationale:

This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.

Comments:

Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Suggestions:
▼Notes
Relationship

This can be resultant from XSS/HTML injection because the same special characters can be involved. However, this is server-side code execution, not client-side.

▼Taxonomy Mappings
Taxonomy Name: PLOVER
Entry ID: N/A
Fit: N/A
Entry Name: Server-Side Includes (SSI) Injection

Taxonomy Name: WASC
Entry ID: 36
Fit: N/A
Entry Name: SSI Injection
▼Related Attack Patterns
ID: CAPEC-101
Name: Server Side Include (SSI) Injection

ID: CAPEC-35
Name: Leverage Executable Code in Non-Executable Files
▼References