Nessus Web Application Scanning - New plugins & Configuration

by Paul Asadoorian
August 23, 2010

Zen and the Art of Nessus Web Application Scanning

Tenable’s research and development teams have been steadily adding new features and plugins to the web application scanning functionality in Nessus to detect web application vulnerabilities. These can be grouped into two categories:

  • Known Web Application Vulnerabilities - Nessus contains over 1,700 plugins that can fingerprint and detect known vulnerabilities in web applications. Any plugin listed in the "CGI Abuses" or "CGI Abuses : XSS" plugin families is written to enumerate vulnerabilities that have been previously reported in a web application product (open-source or commercial). To enable these plugins you MUST enable CGI scanning in a Nessus policy's "Preferences" section. Even if you enable the plugin families they will not execute if CGI scanning is not enabled.
  • Previously Unknown Web Application Vulnerabilities - This level of scanning uses various fuzzing and other enumeration techniques to detect vulnerabilities that may not yet have been discovered. Each parameter of the web application is tested for SQL injection, cross-site scripting and a large number of other common web application attacks. Nessus has a comprehensive list of different attack strings and methods to find vulnerabilities in web applications. More information about these can be found in the Nessus User Guide.

The following sections provide more detailed information on how to enable features within Nessus to perform more exhaustive web application scans. Please note that use of these features will cause your scans to run longer!

Web Application Test Settings

Highlighted in red are two options that direct Nessus to be more comprehensive:

[Screenshot: thoroughtests_sm.png]


Enable CGI Scanning

As stated previously, this option causes Nessus to execute both the "CGI Abuses" and "CGI Abuses : XSS" plugin families. Since it is testing for known vulnerabilities, the impact on performance is not as significant as enabling the web application tests that perform parameter fuzzing. I highly recommend that you enable this option on at least some of your regular scans. If you are a penetration tester and use Nessus as part of an assessment, enable this option. Again, it may take a bit longer for your scan to run, but your results will be more comprehensive.

Thorough Tests (slow)

As the name implies, the "Thorough Tests" option directs Nessus to "try harder", at the cost of scan speed. For web application testing it causes the plugins to be more thorough by executing more attack strings and by checking for applications and vulnerabilities in more locations than just the default location.

Web Mirroring

[Screenshot: webmirror_sm.png]

By default, Nessus does not search for and follow HTML links on web pages to enumerate the application's files and directories. Enabling this is an important step, as it helps Nessus find more content on the web server to test. Checking "Follow dynamic pages" causes Nessus to do a more thorough job of finding web applications and both known and unknown vulnerabilities.

Web Application Testing - Fuzzing

Checking the box titled "Enable web application tests" tells Nessus to fuzz the parameters of all CGI scripts found by the web mirroring plugin:

[Screenshot: webapptestsettings_sm.png]

More detailed information about the options for web application tests can be found in the Nessus documentation and in the Tenable course titled "Advanced Vulnerability Scanning Techniques Using Nessus".

New Web Application Plugins

The following plugins were recently added and are part of the web application tests (fuzzing) functionality in Nessus:

Another one of my new favorite web application testing plugins is:

By sending requests with additional parameters such as 'admin', 'debug', or 'test' to CGI scripts hosted on the remote web server, Nessus was able to generate at least one significantly different response even though the parameters themselves do not actually appear in responses.

For example, by setting "&debug=1" on a request to a web application, you may get something like this:

    /* Minify_CSS_UriRewriter::$debugText
    docRoot : /var/www/myapplication
    currentDir : /var/www/myapplication/includes/templates/css
    file-relative URI : ../images/icon_shipping.png
    path prepended : /var/www/myapplication/includes/templates/css/../images/icon_shipping.png
    docroot stripped : /includes/templates/css/../images/icon_shipping.png
    traversals removed : /includes/templates/images/icon_shipping.png
    file-relative URI : ../images/icon_zoom.gif
    path prepended : /var/www/myapplication/includes/templates/css/../images/icon_zoom.gif
    docroot stripped : /includes/templates/css/../images/icon_zoom.gif

File path disclosure is very useful information, especially when trying to execute other attacks such as local file inclusion or directory traversals.
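The plugin described above reports a finding whenever an extra parameter produces a "significantly different" response, and the debug output shown illustrates why such a finding matters. When triaging one of these results you want two things: confidence that the difference is not just a timestamp or anti-CSRF token that changes on every request, and a list of the server-side paths the response actually leaked. The following Python helper does both offline against two saved response bodies. It is an added example, not Nessus plugin code or anything from Tenable; the volatile-content patterns, the set of filesystem roots used to tell a filesystem path from a URL path, the 0.9 similarity threshold and the sample responses are all assumptions constructed for the illustration (the debug block is modelled on the Minify output quoted above).

```python
"""Triage helper for a Nessus "unseen parameter" finding (added example).

Given the baseline response to a CGI and the response to the same request
carrying an extra parameter (e.g. debug=1), decide whether the difference is
meaningful after stripping content that changes on every request, and list any
server-side filesystem paths the extra parameter caused the application to leak.
"""
import difflib
import re

# Content that legitimately differs between two otherwise identical responses.
# It is replaced by a fixed token before comparison so it cannot cause a false
# positive. The patterns are assumptions; extend them for your own application.
VOLATILE = [
    re.compile(r"\b\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}\b"),  # timestamps
    re.compile(r'name="csrf_token" value="[^"]*"'),            # anti-CSRF tokens
    re.compile(r"\bPHPSESSID=[0-9a-f]+"),                       # session ids
]

# Candidate absolute paths: Unix-style and Windows drive-letter paths.
UNIX_PATH = re.compile(r"/(?:[\w.-]+/)*[\w.-]+")
WIN_PATH = re.compile(r"[A-Za-z]:\\(?:[^\\\s\"'<>]+\\)*[^\\\s\"'<>]+")
# Heuristic (assumption): a Unix path counts as a filesystem path rather than a
# URL path only when its first component is a common filesystem root.
FS_ROOTS = {"var", "home", "usr", "etc", "opt", "srv", "tmp", "root", "Users"}


def normalize(body: str) -> str:
    """Strip volatile content and whitespace-only differences."""
    for pat in VOLATILE:
        body = pat.sub("<volatile>", body)
    return "\n".join(line.strip() for line in body.splitlines() if line.strip())


def similarity(baseline: str, candidate: str) -> float:
    """Ratio in [0, 1]; 1.0 means the normalized bodies are identical."""
    return difflib.SequenceMatcher(
        None, normalize(baseline), normalize(candidate), autojunk=False
    ).ratio()


def disclosed_paths(body: str) -> set[str]:
    """Filesystem paths that appear in a response body (heuristic, see FS_ROOTS)."""
    unix = {p for p in UNIX_PATH.findall(body) if p.split("/")[1] in FS_ROOTS}
    return unix | set(WIN_PATH.findall(body))


def triage(baseline: str, candidate: str, threshold: float = 0.9) -> dict:
    """Flag the finding when the body changed substantially or new paths leaked."""
    sim = similarity(baseline, candidate)
    new_paths = disclosed_paths(candidate) - disclosed_paths(baseline)
    return {
        "similarity": round(sim, 3),
        "new_paths": sorted(new_paths),
        "significant": sim < threshold or bool(new_paths),
    }


# Constructed sample responses (not captured from a real host).
BASELINE = """<html><head><title>Shop</title></head>
<body>
<!-- generated 2010-08-23 10:15:42 -->
<form action="/cart.php" method="post">
<input type="hidden" name="csrf_token" value="a1b2c3d4e5f6">
<input type="submit" value="Checkout">
</form>
<link rel="stylesheet" href="/includes/templates/css/site.css">
</body></html>
"""

# The same page fetched again: only the timestamp and the token differ.
RETRY = BASELINE.replace("10:15:42", "10:16:03").replace("a1b2c3d4e5f6", "f6e5d4c3b2a1")

# The same page with debug=1 appended: a debug block modelled on the Minify output.
DEBUG = BASELINE.replace("</body>", """<!--
/* Minify_CSS_UriRewriter::$debugText
docRoot : /var/www/myapplication
currentDir : /var/www/myapplication/includes/templates/css
file-relative URI : ../images/icon_shipping.png
path prepended : /var/www/myapplication/includes/templates/css/../images/icon_shipping.png
docroot stripped : /includes/templates/css/../images/icon_shipping.png
traversals removed : /includes/templates/images/icon_shipping.png
*/
-->
</body>""")

if __name__ == "__main__":
    print(triage(BASELINE, RETRY))   # not significant: only volatile content changed
    print(triage(BASELINE, DEBUG))   # significant, with the leaked /var/www paths listed
```

The path filter deliberately ignores docroot-relative strings such as `/includes/templates/...`, which are ordinary URL paths and tell an attacker nothing new; only absolute paths under a filesystem root are reported, which is the information that makes a later local file inclusion or traversal attempt easier and therefore raises the severity of the finding.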

Conclusion

Nessus provides several different ways to test your web applications. It can provide the full spectrum of vulnerability enumeration, including network vulnerabilities, web server vulnerabilities, both known and unknown web application vulnerabilities and even configuration auditing of your web application platform.