Server-Side Attacks

TL;DR

Five distinct vulnerability classes that share one property: they make the application server execute, fetch, render, or include something on the attacker’s behalf. Different bugs, different payloads, different detection - group them by what the application is being tricked into doing.

Class	Server is tricked into…	Start here
Intermediary service abuse	Routing through an unintended protocol/port (AJP, FastCGI)	Intermediary
SSRF	Issuing HTTP/protocol requests to attacker-chosen targets	SSRF
SSI / ESI injection	Parsing attacker-supplied include directives	Server-Side Includes
SSTI	Evaluating attacker-supplied template expressions	SSTI
XSLT injection	Performing attacker-controlled XML transformations	XSLT

Decision flow

1. Open port that doesn’t speak HTTP (8009, 9000, 1099, 11211) → Intermediary services
2. Parameter that takes a URL or hostname (avatar fetcher, webhook, “test connection,” PDF-from-URL) → SSRF
3. {{...}} evaluates as math ({{7*7}} returns 49) → SSTI
4. <!--#... --> directives processed by the page → SSI
5. <esi:...> tags fetched by an upstream surrogate → ESI
6. Application transforms XML you control with a stylesheet → XSLT
7. No idea where to start → SSRF - most prevalent and highest-yield

Placeholder legend

Placeholder	Meaning
<TARGET>	External target host or URL (the public-facing app)
<INTERNAL_HOST>	Internal target reachable only via SSRF/proxy
<METADATA_IP>	Cloud metadata endpoint (169.254.169.254 for AWS/Azure/GCP/Alibaba; varies elsewhere)
<PARAM>	Vulnerable parameter name
<COLLAB>	OOB callback host (Burp Collaborator, interactsh, your VPS)
<ATTACKER>	Your host for HTTP/DNS exfil and OOB callbacks
<LHOST> , <LPORT>	Reverse shell listener
<TOKEN> , <HASH>	Captured credentials, session tokens

Scope notes

Note

XXE (XML External Entity) is not in this section. XXE is server-side and frequently appears alongside the topics here, but its payload catalog (entity expansion, parameter entities, blind exfil via DTD, parser-quirk variants for libxml/Java/.NET) deserves dedicated treatment. It will get its own section. When you encounter XXE during an engagement that started here - typically via XSLT or SOAP endpoints - that’s the cross-link.

Caution

The attacks in this section reach internal infrastructure: cloud metadata, internal services, source code on disk, hash-stealing UNC paths. They escalate quickly - an SSRF on a public-facing app frequently turns into AWS credential theft and full account takeover within minutes. Confirm scope before exploiting; document the chain as you go because reproducing a multi-hop SSRF later is painful.

Operating notes

The bugs in this section often chain. SSRF reaches an internal service that is vulnerable to SSTI, which yields RCE. AJP exposes a Tomcat manager that accepts a war upload. SSI executes a command that triggers an outbound DNS request used as a confirmation channel. The decision flow above is a starting point - the real engagement is recognizing when one primitive sets up another.