CWE-98 Remote File Inclusion
What this means
SiteShadow flagged inclusion of external/remote resources based on untrusted input. In some stacks this can load and execute attacker-controlled code.
Why it matters
Remote file inclusion can execute attacker-controlled code.
- RCE if the included remote content is executed/interpreted.
- Data exfiltration or SSRF-like behavior when fetching attacker-chosen URLs.
Safer examples
1) Don't include remote resources based on user input
Map user choices to known internal templates/resources.
2) Use allowlists and fixed directories
If inclusion is needed, only include from a fixed, server-controlled directory (see CWE-22/23/36).
3) Harden outbound fetching
If you must fetch remote resources, apply SSRF defenses: allowlist hosts, block private ranges, limit redirects (see CWE-918).
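The three points above, as one added example (not SiteShadow's own code): an allowlist that maps a user-supplied page key to a file inside a fixed template directory, and an SSRF gate for any outbound fetch that cannot be avoided. The directory, template names and allowed host are assumed values for the example.

```python
import ipaddress
import os
import socket
from typing import Optional
from urllib.parse import urlsplit

# Assumed layout for this example: templates live in one fixed, server-controlled directory.
TEMPLATE_DIR = os.path.realpath("/srv/app/templates")
# Allowlist: user-facing key -> internal file name. The user never supplies a path or URL.
PAGE_TEMPLATES = {"home": "home.tpl", "about": "about.tpl", "contact": "contact.tpl"}
# Hosts an outbound fetch may talk to, if remote fetching cannot be avoided (assumed value).
ALLOWED_FETCH_HOSTS = {"assets.example.com"}


def resolve_template(page_key: str) -> Optional[str]:
    """Map an untrusted page key to a template path inside TEMPLATE_DIR, or None if rejected."""
    name = PAGE_TEMPLATES.get(page_key)
    if name is None:
        return None  # URLs, ../ sequences, stream wrappers: all simply "unknown key"
    path = os.path.realpath(os.path.join(TEMPLATE_DIR, name))
    # Defence in depth: even an allowlisted entry must resolve inside the fixed directory.
    if os.path.commonpath([path, TEMPLATE_DIR]) != TEMPLATE_DIR:
        return None
    return path


def is_safe_fetch_url(url: str, resolve=socket.gethostbyname) -> bool:
    """SSRF gate for an outbound fetch: https only, allowlisted host, public address.

    `resolve` is injectable so the check can be unit-tested without DNS. Re-apply this
    check to every redirect target and cap the number of redirect hops in the client.
    """
    try:
        parts = urlsplit(url)
        host = parts.hostname
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https" or port not in (None, 443):
        return False
    if host is None or host.lower() not in ALLOWED_FETCH_HOSTS:
        return False
    try:
        addr = ipaddress.ip_address(resolve(host))
    except (OSError, ValueError):
        return False
    # Block loopback, RFC 1918, link-local (cloud metadata) and reserved ranges.
    return not (addr.is_private or addr.is_loopback or addr.is_link_local or addr.is_reserved)
```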
How SiteShadow detects it (high level)
- Detects include/load APIs where the target path/URL is derived from untrusted input.
- Flags remote URL usage in include contexts as higher risk.
References
- CWE-98: https://cwe.mitre.org/data/definitions/98.html