Certified Ethical Hacker (CEH v12) — Question 285

Calvin, a software developer, uses a feature that helps him auto-generate the content of a web page without manual involvement and is integrated with SSI directives. This leads to a vulnerability in the developed web application as this feature accepts remote user inputs and uses them on the page. Hackers can exploit this feature and pass malicious SSI directives as input values to perform malicious activities such as modifying and erasing server files.

What is the type of injection attack Calvin's web application is susceptible to?

Answer options

• A. CRLF injection
• B. Server-side template injection
• C. Server-side JS injection
• D. Server-side includes injection

Correct answer: D

Explanation

The correct answer is D, Server-side includes injection, as this type of attack occurs when an application takes user input and incorporates it into server-side includes (SSI) directives, allowing attackers to execute arbitrary commands. Options A, B, and C refer to different forms of injection attacks that do not specifically target SSI and are not applicable in this scenario.