Certified Ethical Hacker (CEH v13) — Question 225

Calvin, a software developer, uses a feature that helps him auto-generate the content of a web page without manual involvement and is integrated with SSI directives. This leads to a vulnerability in the developed web application as this feature accepts remote user inputs and uses them on the page. Hackers can exploit this feature and pass malicious SSI directives as input values to perform malicious activities such as modifying and erasing server files.
What is the type of injection attack Calvin's web application is susceptible to?

Answer options

• A. CRLF injection
• B. Server-side template injection
• C. Server-side JS injection
• D. Server-side includes injection

Correct answer: D

Explanation

The correct answer is D because the vulnerability arises from the use of Server-side includes (SSI) directives, which can be manipulated by attackers through remote user inputs. The other options, while related to injection attacks, do not specifically address the exploitation of SSI directives as described in the scenario.