Server Side Includes Vulnerability - SSI SCAN [TOOL]
SSI-Scan is a basic PoC tool that helps facilitate the discovery of SSI injection vulnerabilities, a fairly rare and underdocumented code injection vulnerability in which user-supplied input is placed into a page that the web server processes for Server Side Includes directives. Because the input is not validated, injected directives are executed by the server and may lead to a system compromise.
At this stage the tool's core functionality covers basic server enumeration, web form enumeration, HTML comment and SSI directive discovery, extension checking, logging scans to a file, and connecting to the host via an HTTP proxy.
SSI-Scan currently discovers vulnerabilities in two ways: the default method, which sends a hardcoded SSI payload inside an HTTP POST request, and the manual method, which injects the payload into the username and password form fields through their respective switches. In both cases it looks for the values of SSI/CGI environment variables in the returned page source. A directive that comes back literally means the input was only reflected; only the substituted value of the variable shows that SSI is active. Before using this tool, it is recommended you learn more about SSI injection from the following resources:
https://www.owasp.org/index.php/Server-Side_Includes_(SSI)_Injection
http://capec.mitre.org/data/definitions/101.html
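To make the detection step concrete, here is an added example (not SSI-Scan's own code) that models it in Python: build the echo payload, post it into a form field, and classify the response. The marker string, the sample URL and the constructed responses are assumptions. The classifier separates a processed directive (the variable's value appears where the directive was) from a merely reflected, HTML-escaped or stripped one, which is the difference between a confirmed finding and a false positive. The same logic covers the --form_uname/--form_passwd case described under BASIC USAGE, since that only changes which field carries the payload, and the proxy routing described under ADVANCED USAGE.

```python
"""Offline model of an SSI-injection probe: build the echo payload, then decide
whether a response shows the directive was processed, reflected, escaped or
stripped.  Added example, not SSI-Scan's own code."""
import posixpath
import re
import urllib.parse
import urllib.request

# Marker on both sides of the directive so its position in the response can be
# located even when the surrounding HTML changes.  The name is an assumption.
MARKER = "ssiprobe"


def build_payload(var="DOCUMENT_NAME"):
    """Return an SSI echo directive for environment variable `var`, wrapped in MARKER."""
    return f'{MARKER}<!--#echo var="{var}" -->{MARKER}'


def expected_value(url, var="DOCUMENT_NAME"):
    """Value a server that processes SSI should substitute for `var`.

    Only the two path-derived variables are predictable offline; for others
    (e.g. DATE_LOCAL) return None and accept any substitution.
    """
    path = urllib.parse.urlsplit(url).path or "/"
    if var == "DOCUMENT_NAME":
        return posixpath.basename(path)
    if var == "DOCUMENT_URI":
        return path
    return None


def classify(body, payload, expected):
    """Classify one HTTP response body.

    vulnerable : directive gone, expected variable value sits between the markers
    processed  : directive gone, something substituted, value not verifiable
    unclear    : directive gone, but the expected value is not what appeared
    reflected  : directive echoed back literally (input reflected, SSI not active)
    encoded    : directive HTML-escaped by the application (output encoding in place)
    stripped   : markers adjacent, comment removed by a sanitizer (inconclusive)
    absent     : payload not reflected anywhere in the response
    """
    if payload in body:
        return "reflected"
    if "&lt;!--#" in body:
        return "encoded"
    m = re.search(re.escape(MARKER) + r"(.*?)" + re.escape(MARKER), body, re.S)
    if m is None:
        return "absent"
    between = m.group(1)
    if "<!--#" in between:
        return "reflected"
    if between == "":
        return "stripped"
    if expected is None:
        return "processed"
    return "vulnerable" if expected in between else "unclear"


def probe(url, field, var="DOCUMENT_NAME", extra_fields=None, proxy=None, timeout=10):
    """POST the payload in form field `field` and classify the response.

    Network helper mirroring the tool's POST method and --proxy option; it is
    not exercised by the offline demo below.
    """
    payload = build_payload(var)
    form = dict(extra_fields or {})
    form[field] = payload
    handlers = [urllib.request.ProxyHandler({"http": proxy, "https": proxy})] if proxy else []
    opener = urllib.request.build_opener(*handlers)
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(), method="POST")
    with opener.open(req, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        body = resp.read().decode(charset, "replace")
    return classify(body, payload, expected_value(url, var))


# Constructed sample responses from a hypothetical login form on a .shtml page.
SAMPLE_URL = "http://target.example/cgi-bin/login.shtml"
SAMPLE_RESPONSES = {
    "substituted": "<p>Welcome back, ssiprobelogin.shtmlssiprobe</p>",
    "reflected": '<p>Welcome back, ssiprobe<!--#echo var="DOCUMENT_NAME" -->ssiprobe</p>',
    "encoded": "<p>Welcome back, ssiprobe&lt;!--#echo var=&quot;DOCUMENT_NAME&quot; --&gt;ssiprobe</p>",
    "stripped": "<p>Welcome back, ssiprobessiprobe</p>",
    "absent": "<p>Login failed.</p>",
}


def demo():
    """Classify each constructed response; returns {name: verdict}."""
    payload = build_payload()
    expected = expected_value(SAMPLE_URL)
    return {name: classify(body, payload, expected) for name, body in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} -> {verdict}")
```

Only the "substituted" response is a confirmed finding; a reflected or encoded directive is the page echoing input without processing it, and an empty marker pair means a sanitizer removed the comment, which deserves a second look with a different payload rather than a report.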
BASIC USAGE:
Starting the tool without any parameters will yield the list of arguments and what they do.
If the default POST payload doesn't work (as in the example above), the tool will display a recommendation that you specifically target the forms with the --form_uname and --form_passwd switches. This skips most of the other enumeration functions.
For example:
At this point the page has clearly been proven to be injection positive. Further research is up to the user, as SSI-Scan is not yet an exploitation tool, though it likely will be in the near future.
ADVANCED USAGE:
The --logtofile switch writes the scan output to a file; the output can then be viewed from the specified file. The --proxy switch routes the connection to the host through an HTTP proxy. A message displaying "Using proxy server at" followed by the proxy address confirms that the proxy is in use.
--listvars is a placeholder switch that displays a partial list of SSI/CGI environment variables, for reference and potential future use.