InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties…


Fuzzing FastCGI With AFL-Fuzz


This is the very long tale of my adventures in fuzzing FastCGI with AFL-Fuzz. If you’re interested in fuzzing a FastCGI binary, look no further.

What is FastCGI?

FastCGI is a binary protocol. In most cases a user interacts with a web server such as nginx or lighttpd, which in turn talks to the FastCGI application over a named pipe (Unix socket) or a TCP connection. The FastCGI application then executes the application code on the server's behalf.

Why FastCGI?

I had access to a binary written in C/C++ which used FastCGI. In fact, FastCGI is used in almost every embedded device. The most popular version is FCGI 2.4.0 by OpenMarket, which is 17 years old.

There is also no documentation or research on fuzzing FastCGI (except this post).

FastCGI Requests

According to RFC 3875, an FCGX_Request consists mainly of two parts:

  • envp: The envp is full of meta-variables, some of which are user controlled and others not. The web server may or may not URL-encode some of these meta-variables.
  • params: 100% user controlled and not modified by the web server.

You can’t just send HTTP requests to FastCGI, because it’s a binary protocol. The hexdump of a FastCGI request looks like this:

[Hexdump image: top = envp, bottom = params]



Written by Omaid Faizyar

I hack into companies for a living and dabble in Bitcoin. Sometimes get quoted on Russia Today.
