Tenable Blog

Nessus Web Application Scanning - New plugins & Configuration

Zen and the Art of Nessus Web Application Scanning

Tenable’s research and development teams have been steadily adding new features and plugins to the web application scanning functionality in Nessus to detect web application vulnerabilities. These can be grouped into two categories:

  • Known Web Application Vulnerabilities - Nessus contains over 1,700 plugins that fingerprint and detect known vulnerabilities in web applications. Every plugin in the "CGI Abuses" or "CGI Abuses : XSS" plugin family enumerates vulnerabilities that have previously been reported in a web application product (open-source or commercial). To run these plugins you MUST enable CGI scanning in the "Preferences" section of the Nessus policy; even if the plugin families are enabled, they will not execute unless CGI scanning is enabled.
  • Previously Unknown Web Application Vulnerabilities - This level of scanning uses fuzzing and other enumeration techniques to find vulnerabilities that have not yet been reported. Every parameter of the web application is tested for SQL injection, cross-site scripting and a large number of other common web application attacks, using Nessus's list of attack strings and methods. More information about these can be found in the Nessus User Guide.

The following sections provide more detailed information on how to enable features within Nessus to perform more exhaustive web application scans. Please note that use of these features will cause your scans to run longer!

Web Application Test Settings

Highlighted in red are two options that direct Nessus to be more comprehensive:

[Screenshot: thoroughtests_sm.png, the Nessus policy preferences with the two options highlighted]


Enable CGI Scanning

As stated previously, this option causes Nessus to execute both the "CGI Abuses" and "CGI Abuses : XSS" plugin families. Since it is testing for known vulnerabilities, the impact on performance is not as significant as enabling the web application tests that perform parameter fuzzing. I highly recommend that you enable this option on at least some of your regular scans. If you are a penetration tester and use Nessus as part of an assessment, enable this option. Again, it may take a bit longer for your scan to run, but your results will be more comprehensive.

Thorough Tests (slow)

As the name implies, the "Thorough Tests" option directs Nessus to "try harder" at the cost of scan speed. For web application testing it causes the plugins to send more attack strings and to check for applications and vulnerabilities in more locations than just the default paths.

Web Mirroring

[Screenshot: webmirror_sm.png, the web mirroring preferences]

By default, Nessus will not search for and follow HTML links on web pages to enumerate the application's files and directories. Enabling this step matters because it helps Nessus find more content on the web server to test, and every script and parameter it discovers is a candidate for the known-vulnerability checks and the fuzzing tests described below. Checking "Follow dynamic pages" causes Nessus to do a more thorough job of finding web applications and both known and unknown vulnerabilities.
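To make concrete what web mirroring does and what the "Follow dynamic pages" option changes, here is an added illustration in Python. It is not Nessus code (the real plugin is written in NASL): it walks a constructed fake site held in a dictionary, so it runs offline, collects same-host links and form fields, and records each script together with the parameter names seen for it. The site, host name and paths are all made up for the example.

```python
"""Minimal web-mirroring walk: added example, not Nessus code.

Breadth-first crawl of a constructed fake site.  With follow_dynamic=False,
links that carry a query string are recorded but not fetched, which is the
difference the "Follow dynamic pages" option makes.
"""
from collections import deque
from html.parser import HTMLParser
from urllib.parse import parse_qs, urljoin, urlparse

# Constructed sample site: path -> HTML body.  Not a real application.
FAKE_SITE = {
    "/": '<a href="/about.html">About</a> <a href="/cart.php?action=view">Cart</a>'
         '<a href="http://other.example.net/x">external</a>',
    "/about.html": '<a href="/search.php?q=nessus&sort=date">Search</a>',
    "/cart.php": '<form action="/checkout.php" method="post">'
                 '<input name="coupon"><input type="hidden" name="step" value="1"></form>',
    "/search.php": '<a href="/search.php?q=zen&page=2">Next</a>',
    "/checkout.php": "",
}
BASE = "http://app.example.com"  # assumed host for the example


class LinkParser(HTMLParser):
    """Collects <a href> targets, <form action> targets and form input names."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.form_action = None
        self.form_params = {}  # form action -> set of input names

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":
            self.form_action = a.get("action", "")
            self.links.append(self.form_action)
            self.form_params.setdefault(self.form_action, set())
        elif tag == "input" and self.form_action is not None and a.get("name"):
            self.form_params[self.form_action].add(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_action = None


def fetch(url):
    """Constructed stand-in for an HTTP GET against the fake site."""
    return FAKE_SITE.get(urlparse(url).path)


def mirror(base, follow_dynamic, max_depth=5):
    """Return {script path: set(parameter names)} for everything reachable
    from `base` on the same host, to at most `max_depth` link hops."""
    host = urlparse(base).netloc
    seen = set()
    cgis = {}
    queue = deque([(base + "/", 0)])
    while queue:
        url, depth = queue.popleft()
        parsed = urlparse(url)
        key = (parsed.path, parsed.query)
        if parsed.netloc != host or key in seen or depth > max_depth:
            continue  # off-host, already visited, or too deep
        seen.add(key)
        if parsed.query:
            # A link with a query string identifies a CGI and its parameters.
            cgis.setdefault(parsed.path, set()).update(parse_qs(parsed.query))
            if not follow_dynamic:
                continue  # record it, but do not request it
        body = fetch(url)
        if body is None:
            continue
        parser = LinkParser()
        parser.feed(body)
        for action, names in parser.form_params.items():
            target = urlparse(urljoin(url, action)).path
            cgis.setdefault(target, set()).update(names)
        for link in parser.links:
            queue.append((urljoin(url, link), depth + 1))
    return cgis
```

Running `mirror(BASE, follow_dynamic=False)` finds only the two scripts linked directly with query strings, while `mirror(BASE, follow_dynamic=True)` also requests them, discovers the checkout form behind the cart page and the extra `page` parameter behind the search results. Those additional scripts and parameters are exactly the attack surface the fuzzing tests described below need.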

Web Application Testing - Fuzzing

Checking the box titled "Enable web application tests" tells Nessus to fuzz the parameters of all CGI scripts found by the web mirroring plugin:

[Screenshot: webapptestsettings_sm.png, the web application test settings]

More detailed information about the options for web application tests can be found in the Nessus documentation and in the Tenable course titled "Advanced Vulnerability Scanning Techniques Using Nessus".

New Web Application Plugins

The following plugins were recently added and are part of the web application tests (fuzzing) functionality in Nessus:

Another one of my new favorite web application testing plugins is:

By sending requests with additional parameters such as 'admin', 'debug', or 'test' to CGI scripts hosted on the remote web server, Nessus was able to generate at least one significantly different response even though the parameters themselves do not actually appear in responses.

For example, by setting "&debug=1" on a request to a web application, you may get something like this:

    /* Minify_CSS_UriRewriter::$debugText
    docRoot : /var/www/myapplication
    currentDir : /var/www/myapplication/includes/templates/css
    file-relative URI : ../images/icon_shipping.png
    path prepended : /var/www/myapplication/includes/templates/css/../images/icon_shipping.png
    docroot stripped : /includes/templates/css/../images/icon_shipping.png
    traversals removed : /includes/templates/images/icon_shipping.png
    file-relative URI : ../images/icon_zoom.gif
    path prepended : /var/www/myapplication/includes/templates/css/../images/icon_zoom.gif
    docroot stripped : /includes/templates/css/../images/icon_zoom.gif

Disclosed file system paths are very useful when staging other attacks such as local file inclusion or directory traversal: the attacker no longer has to guess the document root or the application's directory layout, and a single test parameter that flips an application into debug mode is a low-noise way to obtain them.
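The two passages above, the fuzzing of discovered CGI parameters and the "extra parameter" check that produced the debug dump, share one technique: send a baseline request, send variants, and decide whether a response changed in a way that matters. The following Python is an added example and not Nessus code. It probes a constructed in-memory application (the `fake_app` function, its parameter names and its leaked paths are all made up for the example) with the `admin`, `debug` and `test` names the plugin description mentions, suppresses content that legitimately changes between requests before comparing, and then extracts disclosed paths from any response that differed. The path pattern goes slightly beyond the sample output above by also accepting Windows drive paths.

```python
"""Hidden-parameter probing with response differencing: added example, not Nessus code.

Steps shown:
  1. request the CGI with its original parameters (baseline), twice, to make
     sure the application is stable enough to compare at all;
  2. add one extra parameter per request (admin=1, debug=1, test=1);
  3. normalize away per-request noise and score similarity with difflib;
  4. pull disclosed file system paths out of any response that changed.
"""
import difflib
import re

EXTRA_PARAMS = ["admin", "debug", "test"]  # names from the plugin description

# Constructed stand-in application.  It leaks a debug dump when debug=1 and
# embeds a per-request counter so a naive byte-for-byte compare always differs.
_request_counter = [0]


def fake_app(path, params):
    _request_counter[0] += 1
    body = f"<html><!-- req {_request_counter[0]} --><p>Product {params.get('id', '?')}</p>"
    if params.get("debug") == "1":
        body += ("<pre>/* Minify_CSS_UriRewriter::$debugText\n"
                 "docRoot : /var/www/myapplication\n"
                 "currentDir : /var/www/myapplication/includes/templates/css\n</pre>")
    return body + "</html>"


def normalize(body):
    """Remove content that changes on every request (HTML comments, digit
    runs such as counters and timestamps) so only real differences count."""
    body = re.sub(r"<!--.*?-->", "", body, flags=re.S)
    return re.sub(r"\d+", "0", body)


def significantly_different(baseline, probe, threshold=0.9):
    """True when the normalized bodies are less than `threshold` similar.
    SequenceMatcher.ratio() is 1.0 for identical inputs, 0.0 for disjoint."""
    ratio = difflib.SequenceMatcher(None, normalize(baseline), normalize(probe)).ratio()
    return ratio < threshold


# Absolute Unix paths under common roots, or Windows drive paths.
PATH_RE = re.compile(r"(?:/(?:var|etc|home|usr|opt|srv|tmp)/[\w./-]+|[A-Za-z]:\\[\w\\.-]+)")


def extract_paths(body):
    """Return the distinct file system paths disclosed in a response body."""
    return sorted(set(PATH_RE.findall(body)))


def probe_hidden_params(app, path, base_params, extras=EXTRA_PARAMS):
    """Report which extra parameters changed the response and what paths the
    changed responses disclose.  `app(path, params)` stands in for HTTP GET."""
    baseline = app(path, dict(base_params))
    # If two identical requests already differ, nothing below can be trusted.
    if significantly_different(baseline, app(path, dict(base_params))):
        return {"unstable": True, "hits": {}}
    hits = {}
    for name in extras:
        probe = app(path, {**base_params, name: "1"})
        if significantly_different(baseline, probe):
            hits[name] = extract_paths(probe)
    return {"unstable": False, "hits": hits}


if __name__ == "__main__":
    print(probe_hidden_params(fake_app, "/product.php", {"id": "42"}))
```

Against the constructed application only `debug=1` changes the response, and the two `/var/www/myapplication...` paths from its dump are reported. The stability check is the part worth keeping in any real implementation: an application that renders a nonce or timestamp outside the normalized regions will otherwise flag every probe, which is the false-positive mode a plugin of this kind has to guard against.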

Conclusion

Nessus provides several different ways to test your web applications. It can provide the full spectrum of vulnerability enumeration, including network vulnerabilities, web server vulnerabilities, both known and unknown web application vulnerabilities and even configuration auditing of your web application platform.
