Plugin Highlight - Web Application Tests : Load Estimation (ID 33817)

Web application testing with automated scanners can be tricky business. While testing various target web servers, I found that some targets seemed to finish in a relatively short period, while others took days - or never seemed to complete at all. This occurred despite the fact that I often used identical test settings and relatively conservative scan settings for the different targets.

While troubleshooting this apparent disparity, I came across a useful plugin that helped me see a little of what was going on in the background. The plugin is Nessus Plugin ID 33817 “Web Application Tests : Load Estimation”.

Here is the plugin synopsis/description:

Synopsis

Load estimation for web application tests.

Description

This script computes the maximum number of requests that would be done by the generic web tests, depending on miscellaneous options. It does not perform any test by itself.

The results can be used to estimate the duration of these tests, or the complexity of additional manual tests.Note that the script does not try to compute this duration based on external factors such as the network and web servers loads.

A useful trick that I found was running two scans for each web application test. In the first scan, I would enable only plugin 33817, along with some related settings described in the table below, so I could get a feel for the best possible scan settings along with the approximate time required for the actual scan. After running the estimation scan, I could then run the full scan with reasonable expectation of the amount of time it would take.

Here’s sample output from a typical “Load Estimation” scan of a web server running Mutillidae:

Plugin Output

Here are the estimated number of requests in miscellaneous modes for the GET method only:

[Single / Some Pairs / All Pairs / Some Combinations / All Combinations]

arbitrary command execution  :  S=5350       SP=487550     AP=16772900   SC=>2G       AC=>2G

format string                :  S=428        SP=39004      AP=1341832    SC=>2G       AC=>2G

header injection             :  S=428        SP=39004      AP=1341832    SC=>2G       AC=>2G

SSI injection                :  S=642        SP=58506      AP=2012748    SC=>2G       AC=>2G

unseen parameters            :  S=7490       SP=682570     AP=23482060   SC=>2G       AC=>2G

RS                           :  S=1712       SP=156016     AP=5367328    SC=>2G       AC=>2G

blind SQL injection          :  S=2568       SP=234024     AP=8050992    SC=>2G       AC=>2G

SQL injection                :  S=5778       SP=526554     AP=18114732   SC=>2G       AC=>2G

directory traversal (extended test):  S=10272      SP=936096     AP=32203968   SC=>2G       AC=>2G

directory traversal          :  S=6206       SP=565558     AP=19456564   SC=>2G       AC=>2G

directory traversal (write access):  S=428        SP=39004      AP=1341832    SC=>2G       AC=>2G

local file inclusion         :  S=856        SP=78008      AP=2683664    SC=>2G       AC=>2G

web code injection           :  S=214        SP=19502      AP=670916     SC=>2G       AC=>2G

DOM XSS                      :  S=214        SP=19502      AP=670916     SC=>2G       AC=>2G

persistent XSS               :  S=856        SP=78008      AP=2683664    SC=>2G       AC=>2G

cross-site scripting (quick test):  S=4280       SP=390040     AP=13418320   SC=>2G       AC=>2G

XML injection                :  S=214        SP=19502      AP=670916     SC=>2G       AC=>2G

Here are the estimated number of requests in miscellaneous modes for both methods (GET & POST):

[Single / Some Pairs / All Pairs / Some Combinations / All Combinations]

arbitrary command execution  :  S=245000     SP=27754600   AP=966198400  SC=>2G       AC=>2G

format string                :  S=19600      SP=2220368    AP=77295872   SC=>2G       AC=>2G

header injection             :  S=19600      SP=2220368    AP=77295872   SC=>2G       AC=>2G

SSI injection                :  S=29400      SP=3330552    AP=115943808  SC=>2G       AC=>2G

unseen parameters            :  S=343000     SP=38856440   AP=1352677760  SC=>2G       AC=>2G

RS                           :  S=78400      SP=8881472    AP=309183488  SC=>2G       AC=>2G

blind SQL injection          :  S=117600     SP=13322208   AP=463775232  SC=>2G       AC=>2G

SQL injection                :  S=264600     SP=29974968   AP=1043494272  SC=>2G       AC=>2G

directory traversal (extended test):  S=470400     SP=53288832   AP=1855100928  SC=>2G       AC=>2G

directory traversal          :  S=284200     SP=32195336   AP=1120790144  SC=>2G       AC=>2G

directory traversal (write access):  S=19600      SP=2220368    AP=77295872   SC=>2G       AC=>2G

local file inclusion         :  S=39200      SP=4440736    AP=154591744  SC=>2G       AC=>2G

web code injection           :  S=9800       SP=1110184    AP=38647936   SC=>2G       AC=>2G

DOM XSS                      :  S=9800       SP=1110184    AP=38647936   SC=>2G       AC=>2G

persistent XSS               :  S=39200      SP=4440736    AP=154591744  SC=>2G       AC=>2G

cross-site scripting (quick test):  S=196000     SP=22203680   AP=772958720  SC=>2G       AC=>2G

XML injection                :  S=9800       SP=1110184    AP=38647936   SC=>2G       AC=>2G

Your mode : single, GET only, thorough tests.

As noted in the output, this plugin doesn’t actually perform any vulnerability checks. Instead, it takes the “Web mirroring (10662)” plugin results in conjunction with other web application scan settings (such as thorough tests and experimental scripts) and performs a calculation of the maximum number of checks (GET or GET/POST requests) that would be required if the scan was actually going to be performed.

In the output above, S (Single) and SP (Some Pairs) generally had a reasonable number of checks, while the SC (Some Combinations) and AC (All Combinations) each ran approximately two billion checks per category. AP (All Pairs) was somewhere in the middle, ranging from 670 thousand to almost 2 billion checks per category.

Based on this output, I would likely choose “Single” or “Some Pairs” if I needed a relatively quick web application scan or “All Pairs” if I had more time to let the scan complete (about 24 hours in this case). Running scans in either “Some Combinations” or “All Combinations” mode is simply not practical based on the number of checks per category. Further tweaking of the web mirroring or web application test settings specified in the table below could reduce the number of checks. The table below lists both required and optional settings for a “Load Estimation” scan.


Web App Load Estimation Settings

Description

Required Settings – must be set for load estimation output to work properly

Web Application Test Settings (Plugin 3941)

Plugins -> Settings

Enable web application tests checkbox

Preferences -> Web Application Tests Settings

Web Application Tests: Load Estimation (Plugin 33817)

Plugins -> CGI abuses category

Web mirroring (Plugin 10662)

Plugins -> Web Servers. Configure the desired web mirroring settings in the Preferences -> Web mirroring section. For more guidance, see this blog or the Nessus documentation available on the Tenable Support Portal.

Test SSL based services

Preferences -> Service Detection. Set this to “All” where your web application listens over SSL on non-standard ports.

Optional Settings – not required, but could affect the load estimation output

Thorough Tests

Preferences -> Global variable settings

Enable Experimental Scripts

Preferences -> Global variable settings

Test Embedded Web Servers

Preferences -> Web Application Tests Settings


In conclusion, it makes sense to analyze and optimize your Nessus settings before kicking off any web application scan. Knowing what a scan is going to do before the scan actually occurs is the key to this process. The “Load Estimation” plugin will help you on your path to web application testing “Zen”.