Edge Side Include injection
Description
Edge Side Include (ESI) Injection occurs when an attacker can inject malicious ESI tags into HTTP responses that are processed by caching servers or reverse proxies. ESI is an XML-based markup language used by content delivery networks and caching solutions to dynamically assemble web pages from cached fragments. When user-controlled input containing ESI tags is reflected in responses without proper sanitization, caching servers interpret these tags as legitimate instructions, leading to unintended server-side operations and potential security breaches.
Remediation
Implement the following security measures to prevent ESI injection attacks:
1. Input Validation and Sanitization: Apply strict validation to all user input before including it in HTTP responses. Reject or encode input containing ESI-specific characters and tag patterns such as <esi:.
2. Context-Aware Output Encoding: Encode user-controlled data based on the context where it appears. For HTML contexts, encode characters like <, >, ", and '.
Example (Java):
import org.apache.commons.text.StringEscapeUtils; // Apache Commons Text
String userInput = request.getParameter("input");
// HTML-encode before reflecting: '<' becomes "&lt;", so an injected <esi:...> tag is never parsed as markup
String safeOutput = StringEscapeUtils.escapeHtml4(userInput);
response.getWriter().write(safeOutput);
3. Disable ESI Processing: If ESI functionality is not required, disable ESI processing in your caching server or reverse proxy configuration.
4. Content Security Policy: Implement restrictive Content Security Policy headers to limit the impact of potential script injection.
5. Security Testing: Regularly test your application for ESI injection vulnerabilities by attempting to inject common ESI tags like <esi:include src="..." /> in user input fields and monitoring server behavior.
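The validation (step 1), encoding (step 2) and response check (step 5) above, worked through in Python as an added example that is not part of the original page; the search-page template and the reflected sample input are constructed for illustration.

```python
import html
import re

# Matches an opening or closing ESI tag such as <esi:include ...> or </esi:try>,
# tolerating whitespace and case variations that a lenient ESI processor may accept.
ESI_TAG_RE = re.compile(r"<\s*/?\s*esi:[a-z]+", re.IGNORECASE)


def contains_esi_tag(value: str) -> bool:
    """Step 1: flag input carrying an ESI tag pattern before it reaches a response."""
    return ESI_TAG_RE.search(value) is not None


def render_vulnerable(user_input: str) -> str:
    """Reflects input verbatim: an ESI-aware cache or proxy would act on any tag in it."""
    return f"<p>You searched for: {user_input}</p>"


def render_safe(user_input: str) -> str:
    """Step 2: HTML-encode before reflecting; '<' becomes '&lt;', so no ESI tag survives."""
    return f"<p>You searched for: {html.escape(user_input, quote=True)}</p>"


def response_has_live_esi(body: str) -> bool:
    """Step 5 check: does a captured response still contain an unencoded ESI tag?"""
    return contains_esi_tag(body)


# Constructed sample: the tag from the testing step, submitted to a hypothetical search page.
SAMPLE_INPUT = '<esi:include src="http://cache-test.example/fragment" />'

if __name__ == "__main__":
    print("input flagged:", contains_esi_tag(SAMPLE_INPUT))
    print("vulnerable body has live ESI:", response_has_live_esi(render_vulnerable(SAMPLE_INPUT)))
    print("safe body has live ESI:", response_has_live_esi(render_safe(SAMPLE_INPUT)))
```

Run response_has_live_esi over responses captured during the testing step to confirm that encoding is applied on every reflection point, not only the one you remembered to fix.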