Technical Forum
Ask questions. Discover Answers.
cancel
Showing results for 
Search instead for 
Did you mean: 
Custom Alert Banner

AWAF/ASM Server Technology "CGI"

Feren
Nimbostratus
Nimbostratus

Hello experts,

I am not a web ddveloper and am confused by AWAF/ASM Server Technology "CGI" and don't know if I am to include it in as ASP. Is there a definitive indicator for such ?

Wikipedia states "A common convention is to have a cgi-bin/ directory at the base of the directory .." and "CGI scripts are consistently given the extension .cgi ..." seems clear - so, if my web server has this, then I should include "CGI" Server Technology in ASP?

What about "php-cgi/" - are Attack Signatures for this included in "PHP" Server Technology or do I also need "CGI" in ASP?

/Feren

2 REPLIES 2

xRes
Cirrus
Cirrus

Hi Feren

You should include both CGI and PHP in your "Server Technologies". PHP can be used as a module or CGI program. Should it, but any unfortunate reason, be used as CGI, then the server can be open to vulnerabilities you should worry about. The usage of PHP does not imply CGI - and vice versa.

Use this link as reference to short description of server technologies: https://clouddocs.f5.com/products/waf-declarative-policy/server_technology.html

Regards

xRes

Feren
Nimbostratus
Nimbostratus

Hi xRes,

my issue is that I don't know if "CGI" SHOULD be included. I can attack plenty of "Server Technologies" to an ASP on off-chance that they may be pertinent, but I want to know if I can identify "CGI" as being used - hence, I highlighted "php-cgi/" path (as one possibility) but am seeking alternative flags or gingerprints for such.

/Feren