Presentation "Using Nessus In Web Application Assessments"
At a recent OWASP meeting in Princeton, NJ I gave a short presentation on some techniques to have Nessus dig deeper into your web applications. There are several approaches to web application testing:
- "Blind Tests" - Often a penetration tester is provided a range of address spaces and some rules of engagement to define the parameters of the test. Information such as which IP addresses and/or hostnames are running web servers is not typically provided, nor is a list of which web applications are running on those web servers. Nessus contains functionality to identify running web servers and vulnerable web applications, which is is very useful if you have large amounts of address space to scan. This does not replace manual testing, but provides a starting point for detailed web application tests.
- Targeted Scanning - If you are scanning internally you may want to configure scans that specifically target your web servers. Nessus has many features that can be tuned to generate more details from these scans. There are several options, such as "CGI scanning" that can test web applications for the "low hanging fruit". While Nessus does contain some functionality to test for XSS and SQL injection, it is not a replacement for manual testing or specific scans and testing that can be performed with a pure web application testing tool (or suite of tools).
Local patch and configuration auditing - When provided credentials, Nessus can log into your web and database servers and check for the latest patches and configuration settings. This is a great way to ensure that your web application environment is hardened against attacks. Auditing the configuration against industry standards, such as the OWASP Top 10 List, can help prevent successful attacks that rely on mis-configuration (such as PHP's "safe_mode" setting).
You can download the slides from the presentation and see step-by-step how to configure Nessus to scan web applications, the options available for local checking and configuration auditing, and even how to tune the audit policies with custom checks.