Web App Auditing

New Nessus Videos - Scanning With Credentials

by Paul Asadoorian
January 27, 2010

Providing credentials to Nessus so that it can log into the systems being scanned is a very effective method of vulnerability scanning. It enables the scanner to provide a patch audit, perform local operating system identification, portscanning, and audit the configuration files present on the target. For web application testing, credentials allow Nessus to enumerate and detect vulnerabilities inside the application, ensuring that a larger percentage of functionality is tested. The following two videos cover how to perform both network-based credentialed scanning, and provide credentials for web application scanning using Nessus 4.2.

Network-based Credentialed Scanning & Patch Auditing

Top 10 Nessus Plugins For 2009

by Paul Asadoorian
December 24, 2009

Plugins, Glorious Plugins

In 2009, Tenable released over 8,100 new plugins (and the year isn’t over yet!). These plugins have covered several different types of vulnerabilities, including web applications, embedded systems, local checks for operating systems and much more. We polled Tenable employees in our research and content groups to find some of our favorite plugins released this year,and compiled the following list:

Video: Web App Scanning With Credentials Using Nessus

by Paul Asadoorian
November 5, 2009

Scanning web applications that require credentials can be a bit tricky as different applications may handle the authentication process in different ways. Nessus has configuration options that will allow you to define the authentication parameters for each application. Nessus also allows users to define pages that are not to be accessed during the web mirroring process, such as "logout.php", which prevents Nessus from being logged out of the application.

Presentation "Using Nessus In Web Application Assessments"

by Paul Asadoorian
May 26, 2009

At a recent OWASP meeting in Princeton, NJ I gave a short presentation on some techniques to have Nessus dig deeper into your web applications. There are several approaches to web application testing:

    "Blind Tests" - Often a penetration tester is provided a range of address spaces and some rules of engagement to define the parameters of the test. Information such as which IP addresses and/or hostnames are running web servers is not typically provided, nor is a list of which web applications are running on those web servers. Nessus contains functionality to identify running web servers and vulnerable web applications, which is is very useful if you have large amounts of address space to scan. This does not replace manual testing, but provides a starting point for detailed web application tests.

Scanning Multiple Apache VirtualHosts With Nessus

by Paul Asadoorian
May 12, 2009

Web sites have a way of evading vulnerability scanners in the form of virtual hosting. It is a common practice to host multiple web-sites (and associated applications) on a single web server using only one IP addresses. This causes problems for vulnerability scanners, including Nessus, as they look for vulnerabilities on the single IP or hostname provided. The remote server directs this traffic to a specific virtual host or web application, leaving a considerable amount of virtual real-estate untouched. The problem is that Nessus has no easy way to enumerate the domain names or additional IP addresses associated with a given system. Scanning every hostname, domain name and IP address associated with the server could reveal additional vulnerabilities in the web applications or hosts associated with the given server. For example, when scanning just a single IP address in the lab, I received the following result:

Tips For Using Nessus In Web Application Testing

by Paul Asadoorian
April 27, 2009

While Nessus has traditionally been a network vulnerability scanner, it contains quite a bit of functionality that can be used to identify vulnerabilities in custom web applications. This is not to say that Nessus will replace your favorite web application testing tool (or methodology), but it does provide useful information that can be used as the foundation for web application assessments or to indicate that deeper testing is warranted.

There are two different approaches when performing web application testing. The first is part of a larger so-called "blind" test, where you are given a range of IP addresses and asked to test the devices and systems within those ranges. The web applications running within this space will usually be tested generically, but they may not specifically test for web vulnerabilities in a general scan. You need to first find and enumerate which web applications are running and then run targeted scans that specifically look for web vulnerabilities. The second form of testing is when you are given the URL, and typically credentials, to the web application and asked to test it specifically. Nessus can help with both of these tasks, and provide valuable information that will help with your testing. Nessus provides some of the first steps to web application testing, such as identifying the web server software and technologies, detecting vulnerabilities in common/popular web application software and rudimentary CGI application testing. This post focuses on using Nessus for network-based testing, and describes several compliance based checks that provide very thorough testing of web application environments, including scanning to test for the OWASP PHP security specifications and Apache CIS Benchmarks.