Tenable Blog

Scanning web applications with Nessus offers the end user several new configuration options in the Nessus client. You should take into account:

• Number of web servers and applications being scanned
• Size of the applications (e.g. how many parameters does each CGI application have?)
• Depth and scope of the scan with respects to the type of tests being performed and how exhaustive they should be

This video demonstrates how to setup Nessus to scan a web application using the new options:

Security and usability do not mix

PHP has a horrible reputation in the security industry based on a long history of vulnerabilities and vendor resistance to fixing them and improving security practices. It suffers from a common problem; the technology is designed to be easy to use, and therefore a high level of security is difficult to achieve. Many who are new to web application programming use PHP, but often do not pay attention to security. In addition poor developer coding practices, PHP itself presents many vulnerabilities in its default configuration even when seemingly harmless coding practice is in use. This leaves a plethora of vulnerable applications, some home grown, many open-source and some commercial. As a result, many of these applications suffer from web application specific vulnerabilities. To give you an idea of just how many PHP specific vulnerabilities there are, I ran some searches on the OSVDB web site. Below are the results:

Finding the Needle in the Haystack

It is important to know what applications and services are in your environment to properly evaluate risk. Recently, a question was posed about detecting phpMyAdmin, a popular application for managing MySQL databases. We've previously explored how this application could be used to take over a system, demonstrating the risk this application may pose. There are several actions to perform when searching for applications on your network (in this case we are searching for a web application). This blog post describes how Nessus can be used to perform the following actions:

1. Detect if the application is running
2. Test for known vulnerabilities
3. Detect if the application is patched
4. Evaluate the authentication mechanism
5. Find any unknown flaws
6. Check the security configuration of the host

Backtrack 4 is a Linux distribution and “Live CD “ (a bootable operating system on CD or DVD) that is designed for penetration testers. It contains a wide array of tools for performing penetration tests, web application assessments and reverse engineering. It is a simple process to get the latest version of Nessus installed and running on Backtrack 4.

There are two ways to create a Backtrack 4 bootable drive: create the partitions manually or run the install.sh program. I highly recommend running the install.sh program to perform a full installation of Backtrack 4. While you can boot the distribution from a manually partitioned CD or USB thumb drive, the file system is only temporary and you will lose changes on certain partitions. To avoid having to install Nessus each time you boot, you can install Backtrack 4 on any device, hard drive or USB thumb drive, and have a completely writable file system. You will need to boot Backtrack 4 and click on the "install.sh" icon on the desktop:

Your organization's network is a never-ending source of vulnerability information. New systems and applications are constantly being added, making the job of consistent vulnerability identification and risk management difficult. Tenable provides several tools to assist in this process. Nessus, combined with the Security Center, can provide detailed information about the vulnerabilities in your environment. The problem that many administrators face is that they are not always successful in getting management to recognize problems and provide resources for remediation. This blog post describes some tactics I have compiled over the years to help expedite this process.