Forum Discussion

Feren's avatar
Feren
Icon for Nimbostratus rankNimbostratus
Mar 25, 2022

AWAF/ASM Server Technology "CGI"

Hello experts,

I am not a web ddveloper and am confused by AWAF/ASM Server Technology "CGI" and don't know if I am to include it in as ASP. Is there a definitive indicator for such ?

Wikipedia states "A common convention is to have a cgi-bin/ directory at the base of the directory .." and "CGI scripts are consistently given the extension .cgi ..." seems clear - so, if my web server has this, then I should include "CGI" Server Technology in ASP?

What about "php-cgi/" - are Attack Signatures for this included in "PHP" Server Technology or do I also need "CGI" in ASP?

/Feren

security

2 Replies

Sort By
  • xRes's avatar
    xRes
    Icon for Cirrus rankCirrus
    Mar 25, 2022

    Hi Feren

    You should include both CGI and PHP in your "Server Technologies". PHP can be used as a module or CGI program. Should it, but any unfortunate reason, be used as CGI, then the server can be open to vulnerabilities you should worry about. The usage of PHP does not imply CGI - and vice versa.

    Use this link as reference to short description of server technologies: https://clouddocs.f5.com/products/waf-declarative-policy/server_technology.html

    Regards

    xRes

  • Feren's avatar
    Feren
    Icon for Nimbostratus rankNimbostratus
    Mar 28, 2022

    Hi xRes,

    my issue is that I don't know if "CGI" SHOULD be included. I can attack plenty of "Server Technologies" to an ASP on off-chance that they may be pertinent, but I want to know if I can identify "CGI" as being used - hence, I highlighted "php-cgi/" path (as one possibility) but am seeking alternative flags or gingerprints for such.

    /Feren

Related Content