Details
Alert ID 40009
Alert Type Active
Status release
Risk High
CWE 97
WASC 31
Technologies Targeted OS / Linux
OS / MacOS
OS / Windows
Tags CWE-97
OWASP_2017_A01
OWASP_2021_A03
POLICY_API
POLICY_DEV_FULL
POLICY_DEV_STD
POLICY_PENTEST
POLICY_QA_CICD
POLICY_QA_FULL
POLICY_QA_STD
WSTG-V42-INPV-11
More Info Scan Rule Help

Summary

Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed.

Solution

Do not trust client side input and enforce a tight check in the server side. Disable server side includes. Refer to manual to disable Sever Side Include. Use least privilege to run your web server or application server. For Apache, disable the following: Options Indexes FollowSymLinks Includes AddType application/x-httpd-cgi .cgi AddType text/x-server-parsed-html .html.

Other Info

References

Code

org/zaproxy/zap/extension/ascanrules/ServerSideIncludeScanRule.java