Edge Side Include (ESI) Injection

An ESI parser would be installed in a reverse proxy or similar architecture. ESI applies to XHTML documents, which you are not using, so I don’t understand what ESI has to do with your site. ESI implements a caching scheme so dynamic content can be injected into the document without needing to make a request to the source server. If not properly implemented, the scheme is prone to XSS and SSRF hack attacks.

Hi @bcworkz, thanks for your answer.

That’s weird. The following is the full threat description I received:

Edge Side Include (ESI) is an XML-based markup language that provides a means to assemble resources in HTTP clients. It is designed to leverage client tools like caches to improve end-user perceived performance, reduce processing overhead on the origin server, and enhanced availability. ESI allows for dynamic content assembly by processing the ESI tags. ESI is primarily intended for processing on surrogates (intermediaries that operate on behalf of the origin server, also known as “Reverse Proxies”) that understand the ESI language. Successful injection of the ESI tags in the HTTP response at the origin server can lead to Server Side Request Forgery (SSRF) or Cross-Site Scripting (XSS) attacks.

Do you know if this makes any sense?

Well, that’s pretty much what I said. I suppose a possible threat would be if someone could inject ESI tags into normal output stream, they could be leveraged into a more dangerous attack like SSRF. But if a hacker were able to inject such tags, the site is already compromised, so I don’t see how it adds additional risk. I don’t see it as an issue unless you are already using ESI tags.

Disclaimer: I’m not a computer security expert. There could be some angle I’m missing.