Description
The product generates a web page, but does not neutralize or incorrectly neutralizes user-controllable input that could be interpreted as a server-side include (SSI) directive.
Potential Impact
Confidentiality, Integrity, Availability
Execute Unauthorized Code or Commands
Related Weaknesses
Taxonomy Mappings
- PLOVER: Server-Side Includes (SSI) Injection
- WASC: 36 — SSI Injection
Frequently Asked Questions
What is CWE-97?
CWE-97 (Improper Neutralization of Server-Side Includes (SSI) Within a Web Page) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. The product generates a web page, but does not neutralize or incorrectly neutralizes user-controllable input that could be interpreted as a server-side include (SSI) directive.
How can CWE-97 be exploited?
Attackers can exploit CWE-97 (Improper Neutralization of Server-Side Includes (SSI) Within a Web Page) to execute unauthorized code or commands. This weakness is typically introduced during the Implementation phase of software development.
How do I prevent CWE-97?
Follow secure coding practices, conduct code reviews, and use automated security testing tools (SAST/DAST) to detect this weakness early in the development lifecycle.
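The following Python snippet, added here as an illustration and not taken from MITRE or any real product, puts the weakness described above beside its fix: a comment is reflected into a page that the server parses for SSI, and HTML-escaping the untrusted text is the neutralization step that stops `<!--#` from ever reaching the SSI parser. The sample comments and the helper names are constructed for this example.

```python
import html
import re

# Apache mod_include style directive opener: "<!--#" followed by the element name.
SSI_DIRECTIVE = re.compile(r"<!--#\s*([A-Za-z]+)\b")

# Constructed sample inputs for the demonstration (not from any real application).
SAMPLES = {
    "benign": "Thanks, this helped me fix my config.",
    "directive": 'Great post <!--#echo var="DOCUMENT_ROOT" -->',
    "include": '<!--#include virtual="/footer.html" -->',
}


def render_vulnerable(comment: str) -> str:
    """CWE-97 pattern: the comment is concatenated straight into a page that the
    server will parse for SSI, so any <!--# ... --> in it becomes a directive."""
    return f"<p>{comment}</p>"


def render_hardened(comment: str) -> str:
    """Neutralized: HTML-escape the untrusted text so '<' becomes '&lt;' and the
    sequence '<!--#' can never appear in the served page as a directive opener."""
    return f"<p>{html.escape(comment, quote=True)}</p>"


def find_ssi_directives(page_fragment: str) -> list[str]:
    """Output-side check (e.g. in a DAST or unit test): names of SSI directives
    still present in a fragment about to be served through an SSI-enabled handler."""
    return SSI_DIRECTIVE.findall(page_fragment)


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(
            name,
            "vulnerable:", find_ssi_directives(render_vulnerable(text)),
            "hardened:", find_ssi_directives(render_hardened(text)),
        )
```

As defense in depth, serve user-controlled content from handlers where SSI is not enabled at all (in Apache, leave `Includes` out of `Options`, or use `IncludesNOEXEC` where includes are required), so escaping is not the only barrier.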
What is the severity of CWE-97?
CWE-97 is classified as a Variant-level weakness (Low-Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.