Details
Alert Id 40009
Alert Type Active Scan Rule
Status release
Risk High
CWE 97
WASC 31

Summary

Certain parameters may cause Server Side Include (SSI) commands to be executed. This may allow a database connection to be opened or arbitrary code to be executed on the server.

Solution

Do not trust client side input and enforce a tight check on the server side. Disable server side includes.
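As an added example (not part of the ZAP rule or its documentation), the server-side check the solution asks for, in Python: flag request parameters that carry SSI directive syntax so they can be logged, and HTML-escape untrusted values before embedding them in a page the server parses for SSI. The directive names follow Apache mod_include; the request parameters and template are constructed for the example.

```python
import html
import re

# An SSI directive has the form <!--#name attr="value" -->. The names listed
# are the elements documented for Apache mod_include; matching is
# case-insensitive because the parser accepts mixed case.
SSI_DIRECTIVE = re.compile(
    r"<!--#\s*(include|exec|echo|config|fsize|flastmod|set|"
    r"if|elif|else|endif|printenv)\b",
    re.IGNORECASE,
)


def contains_ssi_directive(value: str) -> bool:
    """Return True if a single parameter value contains an SSI directive opener."""
    return SSI_DIRECTIVE.search(value) is not None


def flag_suspicious_params(params: dict) -> list:
    """Return the names of request parameters that carry SSI syntax.

    This is the detection half: a normal user value never needs '<!--#',
    so a hit is worth logging as a probable SSI injection attempt.
    """
    return [name for name, value in params.items() if contains_ssi_directive(value)]


def render_safely(template: str, user_value: str) -> str:
    """Embed an untrusted value in a page that the server parses for SSI.

    html.escape rewrites '<' as '&lt;' (and quotes as '&quot;'), so the
    browser still displays the text but the SSI parser never sees the
    '<!--#' opener that would start a directive. The template uses a
    constructed '{{value}}' placeholder.
    """
    return template.replace("{{value}}", html.escape(user_value, quote=True))


if __name__ == "__main__":
    # Constructed request: one ordinary parameter and one carrying a directive.
    request_params = {"name": "alice", "q": '<!--#echo var="DATE_LOCAL" -->'}
    print("flagged parameters:", flag_suspicious_params(request_params))
    page = render_safely("<p>Hello {{value}}</p>", request_params["q"])
    print("rendered:", page)
```

Escaping only protects the embedding shown here; disabling SSI on the server (for Apache, `Options -Includes`) remains the primary fix, as the solution states.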

References

Code

org/zaproxy/zap/extension/ascanrules/ServerSideIncludeScanRule.java