Details
Alert Id: 40009
Alert Type: Active
Status: release
Risk: High
CWE: 97
WASC: 31
Tags: OWASP_2017_A01, OWASP_2021_A03, WSTG-V42-INPV-11

Summary

Certain parameters may cause Server Side Include (SSI) commands to be executed. This may allow a database connection to be made or arbitrary code to be executed.

Solution

Do not trust client-side input, and enforce strict checks on the server side. Disable server side includes.

References

Code

org/zaproxy/zap/extension/ascanrules/ServerSideIncludeScanRule.java