Next up on our Nessus top ten list is #8, which covers how to use Nessus to find web application vulnerabilities. I've broken out the process into four different methods supported by Nessus:
1. Test For Known Vulnerabilities
Nessus contains over 2,600 plugins that can fingerprint and detect known vulnerabilities in web applications. Any plugin listed in the "CGI Abuses" or "CGI Abuses: XSS" plugin families is written to enumerate vulnerabilities that have been publicly reported in a web application product, whether open source or commercial. To enable these plugins you must enable CGI scanning in a Nessus policy's "Preferences" section. Even if you enable the plugin families they will not execute unless CGI scanning is enabled.
Below is an example of one such plugin's output:
The vulnerability is publicly known, and was identified by Nessus plugin 53449. To the right you can see the exploit in action. Script code placed in the "siprop" parameter is displayed on the resulting web page. The web server appears to be escaping characters needed for the code to execute, however this example proves that the vulnerability does, in fact, exist. Further manual testing would be required to construct an exploit which bypasses the web server filtering.
2. Test For Previously Unknown Vulnerabilities (Fuzzing)
This method of scanning uses fuzzing and other enumeration techniques to detect vulnerabilities that may not yet have been discovered. Each parameter of the web application that is discovered during a crawl will be tested for SQL injection, cross-site scripting, file inclusion and a large number of other common web application attacks. Nessus has a comprehensive list of different attack strings and methods to find vulnerabilities in web applications. More information about these can be found in the Nessus 4.4 User Guide.
Below is an example of a vulnerability discovered by Nessus using fuzzing techniques:
The plugin output above shows that Nessus found a SQL injection vulnerability in an application. The "forumid" parameter is calling a SQL “SELECT” statement. When a single quote character is placed inside that parameter, a SQL error message is displayed. You can see the error message returned below:
From here, the SQL injection point requires more testing to determine the exact SQL syntax required to read or write data and even execute commands. (NOTE: This is not a “new” vulnerability, it has been previously disclosed. Nessus does not contain a plugin specifically for this vulnerability, as its in a web application not in widespread use, and the vulnerability requires credentials to be discovered).
3. Credentialed Application Testing
Once you supply credentials to a web application, there is a whole new world of functionality, pages and parameters to test. Nessus makes it easy to apply credentials to your web applications. Below is an example:
Log into the application and find text that only appears when you are logged in:
Configure Nessus to login to the application, entering the text to look for indicating successful authentication:
Configure the web mirroring plugin (the "web spider" component to Nessus) to skip any pages that contain the name "logout":
Once the scan is complete, check the output of Nessus plugin 11149:
Now you can detect vulnerabilities that are only present upon successful login!
4. Configuration Auditing Web Application Frameworks
Using the OWASP Best Practice Guide for PHP, you can audit the settings used by your PHP applications. Below is an example of a server that has several security-related configuration problems:
By logging into the system, the configuration audit policy looked at the settings contained in the php.ini file. There are several settings that determine the security level of your PHP applications. This is yet another dimension to your web application security that Nessus can help you with.
Enterprise Web Application Assessments
Using SecurityCenter's Dashboard feature, I created a custom view showing the most vulnerable web servers in my environment:
Organizations, especially larger ones, share the common problem of having hundreds of web applications, and needing a way to prioritize fixes. Using Nessus, you can schedule scans to look for known and previously unknown application vulnerabilities. SecurityCenter can be used to create quick and easy ways to visualize which hosts are most vulnerable, and create reports that are sent to the admins who can fix the problems.
That concludes #8 on the Top Ten Things You Didn't Know About Nessus: four ways to find web application vulnerabilities and a splash of enterprise security tips! Next up will be #7, "Nessus Detects Certain Forms of Malware".