Scanning Web Applications That Require Authentication
Web applications that manage sensitive data are usually protected with either basic or form-based authentication. Nessus can be configured with the appropriate credentials for these authentication schemes as they relate to web application testing. This post covers these authentication schemes in-depth, and explores some of the potential problems you may experience when scanning with credentials and how to overcome them.
For web applications, or sections of web applications, that require basic authentication, you can enter one username and password pair that Nessus can use each time it is prompted for credentials. On the "Advanced" tab in the "Login configurations" section, enter the desired username and password in the "HTTP account" and "HTTP password" fields as shown below.
It is important to note that basic authentication offers no confidentiality of its own: the browser (or Nessus) sends the username and password in the Authorization header as a Base64-encoded "username:password" string, and Base64 is a reversible encoding, not encryption. Anyone able to observe the traffic can recover the password unless the connection itself is protected by HTTPS, so scan over HTTPS whenever the target supports it and treat the scanning account as exposed on plain HTTP. When a scan is initiated, Nessus uses the specified credentials to log in to any web site that requires basic authentication. For example, a WRT54G router, which uses basic authentication on its administrative web pages, was scanned and the following CGI was discovered:
Plugin output :
The following CGI have been discovered :
Syntax : cginame (arguments [default value])
/ddns.tri (ddns_enable  ddns_username  ddns_passwd  ddns_hostname  ddns_...)
Without successful authentication, none of these pages and CGI programs would be tested for vulnerabilities. In this case you must also direct Nessus to test the embedded web server, because Nessus identifies the WRT54G's HTTP daemon as an embedded web server and does not run the web application tests against such servers unless told to. This configuration setting is located on the "Advanced" tab in the "Web application test settings" section, and is called "Test embedded web servers."
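To make the basic-authentication exchange concrete, here is a small added example (written for this page, not code from Nessus or from the original post). A local HTTP server stands in for the router's administrative page and protects a hypothetical /ddns.tri resource; the client then does what a scanner does: it requests the page, receives a 401 challenge, and retries with an Authorization header built from the configured credentials. The credentials, realm name and page body are constructed for the example. The decode_basic_header function also shows the point made above: the Base64 token in the header decodes straight back to the password.

```python
import base64
import binascii
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed credentials for the local test server (hypothetical, not a real device).
USERNAME = "admin"
PASSWORD = "s3cret"
REALM = "WRT54G"  # hypothetical realm string for the challenge


def build_basic_header(username: str, password: str) -> str:
    """Build the Authorization header a client sends for HTTP Basic auth.

    Per RFC 7617 the value is 'Basic ' + base64('username:password').
    Base64 is an encoding, not encryption: anyone who sees this header
    recovers the password (see decode_basic_header below).
    """
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic_header(header: str) -> tuple:
    """Recover (username, password) from a captured Authorization header."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, pwd = base64.b64decode(token, validate=True).decode("utf-8").partition(":")
    return user, pwd


class BasicAuthHandler(BaseHTTPRequestHandler):
    """Minimal server that protects a page the way an embedded admin interface does."""

    def do_GET(self):
        try:
            ok = decode_basic_header(self.headers.get("Authorization", "")) == (USERNAME, PASSWORD)
        except (ValueError, UnicodeDecodeError, binascii.Error):
            ok = False
        if not ok:
            # The challenge the browser or scanner must answer with credentials.
            self.send_response(401)
            self.send_header("WWW-Authenticate", f'Basic realm="{REALM}"')
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        body = b"<html>ddns_enable ddns_username ddns_passwd</html>"  # constructed page body
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_server() -> HTTPServer:
    """Start the local server on an ephemeral port in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), BasicAuthHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch(url: str, username=None, password=None) -> int:
    """Request url like a scanner would; send credentials only if configured. Returns the status."""
    req = urllib.request.Request(url)
    if username is not None:
        req.add_header("Authorization", build_basic_header(username, password))
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code  # 401 comes back as an HTTPError with urllib


def demo() -> dict:
    """Run the exchange: unauthenticated, wrong password, correct password, then decode the header."""
    server = start_server()
    url = f"http://127.0.0.1:{server.server_port}/ddns.tri"
    try:
        return {
            "unauthenticated": fetch(url),
            "wrong_password": fetch(url, USERNAME, "guess"),
            "authenticated": fetch(url, USERNAME, PASSWORD),
            "recovered": decode_basic_header(build_basic_header(USERNAME, PASSWORD)),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())
```

The unauthenticated and wrong-password requests get the 401 challenge and the page is never reached, which is exactly why a scan without working credentials never exercises the CGI behind it. The "recovered" entry demonstrates why the scanning account's password should be considered disclosed to anyone on the path when the scan runs over plain HTTP.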
Form Based Authentication
The authentication for a web application is often embedded into the site using an HTML form and sent to the web server using a POST request, preferably over HTTPS. To provide an example of how to configure Nessus to authenticate using HTML forms, the web application called "Damn Vulnerable Web App" (DVWA) was scanned using Nessus. The first step was to review the site's login page and understand how it works. Browsing to the URL of the application presents the following form:
There are two ways to collect the information about the login form needed to configure Nessus to log in for the scan: analyze the HTML source code of the login page, or capture the login request on the wire and analyze the result. First, let's review how to read the HTML source code and map the form fields in the HTML to the Nessus configuration that resides in the "Advanced" tab under "HTTP login page". The login page for the application contains the following elements: