Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

#8 Nessus Performs Web Application Scanning - Top Ten Things You Didn't Know About Nessus

Next up on our Nessus top ten list is #8, which covers how to use Nessus to find web application vulnerabilities. I've broken out the process into four different methods supported by Nessus:

1. Test For Known Vulnerabilities

Nessus contains over 2,600 plugins that can fingerprint and detect known vulnerabilities in web applications. Any plugin listed in the "CGI Abuses" or "CGI Abuses: XSS" plugin families is written to enumerate vulnerabilities that have been publicly reported in a web application product, whether open source or commercial. To enable these plugins you must enable CGI scanning in a Nessus policy's "Preferences" section. Even if you enable the plugin families they will not execute unless CGI scanning is enabled.

Below is an example of one such plugin's output:

Picture100-sm.png
Click for larger image


The vulnerability is publicly known, and was identified by Nessus plugin 53449. To the right you can see the exploit in action. Script code placed in the "siprop" parameter is displayed on the resulting web page. The web server appears to be escaping characters needed for the code to execute, however this example proves that the vulnerability does, in fact, exist. Further manual testing would be required to construct an exploit which bypasses the web server filtering.

2. Test For Previously Unknown Vulnerabilities (Fuzzing)

This method of scanning uses fuzzing and other enumeration techniques to detect vulnerabilities that may not yet have been discovered. Each parameter of the web application that is discovered during a crawl will be tested for SQL injection, cross-site scripting, file inclusion and a large number of other common web application attacks. Nessus has a comprehensive list of different attack strings and methods to find vulnerabilities in web applications. More information about these can be found in the Nessus 4.4 User Guide.

Below is an example of a vulnerability discovered by Nessus using fuzzing techniques:

Picture 103-sm.png
Click for larger image

The plugin output above shows that Nessus found a SQL injection vulnerability in an application. The "forumid" parameter is calling a SQL “SELECT” statement. When a single quote character is placed inside that parameter, a SQL error message is displayed. You can see the error message returned below:

Picture 102-sm.png
Click for larger image

From here, the SQL injection point requires more testing to determine the exact SQL syntax required to read or write data and even execute commands. (NOTE: This is not a “new” vulnerability, it has been previously disclosed. Nessus does not contain a plugin specifically for this vulnerability, as its in a web application not in widespread use, and the vulnerability requires credentials to be discovered).

3. Credentialed Application Testing

Once you supply credentials to a web application, there is a whole new world of functionality, pages and parameters to test. Nessus makes it easy to apply credentials to your web applications. Below is an example:

Log into the application and find text that only appears when you are logged in:

Picture 104-sm.png
Click for larger image

Configure Nessus to login to the application, entering the text to look for indicating successful authentication:

Picture 101-sm.png
Click for larger image

Configure the web mirroring plugin (the "web spider" component to Nessus) to skip any pages that contain the name "logout":

Picture 105.png

Once the scan is complete, check the output of Nessus plugin 11149:

Picture 106.png

Now you can detect vulnerabilities that are only present upon successful login!

4. Configuration Auditing Web Application Frameworks

Using the OWASP Best Practice Guide for PHP, you can audit the settings used by your PHP applications. Below is an example of a server that has several security-related configuration problems:

phpfail.png

By logging into the system, the configuration audit policy looked at the settings contained in the php.ini file. There are several settings that determine the security level of your PHP applications. This is yet another dimension to your web application security that Nessus can help you with.

Enterprise Web Application Assessments

Using SecurityCenter's Dashboard feature, I created a custom view showing the most vulnerable web servers in my environment:

MostVulnerableWebServers-sm.png
Click for larger image

Organizations, especially larger ones, share the common problem of having hundreds of web applications, and needing a way to prioritize fixes. Using Nessus, you can schedule scans to look for known and previously unknown application vulnerabilities. SecurityCenter can be used to create quick and easy ways to visualize which hosts are most vulnerable, and create reports that are sent to the admins who can fix the problems.

That concludes #8 on the Top Ten Things You Didn't Know About Nessus: four ways to find web application vulnerabilities and a splash of enterprise security tips! Next up will be #7, "Nessus Detects Certain Forms of Malware".

Subscribe to the Tenable Blog

Subscribe
Try for Free Buy Now

Try Tenable.io

FREE FOR 60 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now and run your first scan within 60 seconds.

Buy Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

$2,190.00

Buy Now

Try for Free Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save

Try for Free Buy Now

Try Tenable.io Web Application Scanning

FREE FOR 60 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now and run your first scan within 60 seconds.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578.00

Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security

FREE FOR 60 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Learn More about Industrial Security