Using Nessus for OWASP and PCI Web Audits
Tenable has released a technical paper named "Demonstrating Compliance with Nessus Web Application Scans". It details how OWASP Top 10 and Payment Card Industry web audits can be performed with Nessus scanners. This is a technical paper and specific attention is given as to which Nessus plugins can be used to perform various OWASP types of testing. For example, below is an excerpt from the paper's chapter on OWASP A5 - Cross Site Request Forgery:
2010 OWASP Top 10 – A5 Cross-Site Request Forgery (CSRF)
This web application weakness leverages image tags, XSS and other techniques to trick anauthenticated users to a sensitive site into submitting a request that does something potentially damaging with the user's credentials. For example, consider a web application that automatically posts a message to Twitter but requires a user to authenticate to the application. If the URL method for posting the message was known ahead of time, an attacker could craft a URL with their desired message and send it to the targeted user via XSS or embedded in an image tag. If the user clicks on the URL, their authenticated state with the application would process the URL and send the attacker's message to Twitter. There have been many examples of using CSRF to reset passwords, purchase products, generate Google AdWord hits and more.
There are multiple Nessus audits that are relevant to help ensure CSRF vulnerabilities are not exploited on your web application:
- Testing for XSS vulnerabilities with Nessus can ensure that these may not be used to perform CSRF attacks. Although not necessary to perform a CSRF attack, XSS vulnerabilities allow token-based CSRF defenses to be defeated.
- Nessus plugin #47832 performs “On Site Request Forgery Vulnerability” testing. This is a narrower form of CSRF attack testing.
- Five specific tests detect CSRF in known web applications.
The paper can be downloaded from the following link.
Tenable offers a variety of technologies to monitor web application logs, perform security assessments of web servers, passively identify web servers based on network traffic and to audit the configuration of them. A webinar recording which details Tenable's approach to continuous web application security monitoring is also available to watch at your convenience.