Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Nessus Web Application Scanning - New plugins & Configuration

Zen and the Art of Nessus Web Application Scanning

Tenable’s research and development teams have been steadily adding new features and plugins to the web application scanning functionality in Nessus to detect web application vulnerabilities. These can be grouped into two categories:

  • Known Web Application Vulnerabilities - Nessus contains over 1,700 plugins that can fingerprint and detect known vulnerabilities in web applications. Any plugin listed in the "CGI Abuses" or "CGI Abuses : XSS" plugin families is written to enumerate vulnerabilities that have been previously reported in a web application product (open-source or commercial). To enable these plugins you MUST enable CGI scanning in a Nessus policy's "Preferences" section. Even if you enable the plugin families they will not execute if CGI scanning is not enabled.
  • Previously Unknown Web Application Vulnerabilities - This level of scanning uses various fuzzing and other enumeration techniques to detect vulnerabilities that may not yet have been discovered. Each parameter of the web application is tested for SQL injection, cross-site scripting and a large number of other common web application attacks. Nessus has a comprehensive list of different attack strings and methods to find vulnerabilities in web applications. More information about these can be found in the Nessus User Guide.

The following sections provide more detailed information on how to enable features within Nessus to perform more exhaustive web application scans. Please note that use of these features will cause your scans to run longer!

Web Application Test Settings

Highlighted in red are two options that direct Nessus to be more comprehensive:


Click the image above for a larger version

Enable CGI Scanning

As stated previously, this option causes Nessus to execute both the "CGI Abuses" and "CGI Abuses : XSS" plugin families. Since it is testing for known vulnerabilities, the impact on performance is not as significant as enabling the web application tests that perform parameter fuzzing. I highly recommend that you enable this option on at least some of your regular scans. If you are a penetration tester and use Nessus as part of an assessment, enable this option. Again, it may take a bit longer for your scan to run, but your results will be more comprehensive.

Thorough Tests (slow)

As the name implies, the “Thorough Tests” option directs Nessus to "try harder", but will have a negative impact on speed. However, for web application testing it will cause the plugins to be more thorough by executing more attack strings and checking for applications and vulnerabilities in more locations than just the default location.

Web Mirroring

Click the image above for a larger version

By default, Nessus will not search for and follow HTML links on web pages to enumerate the application files and directories. This is an important step, as it helps Nessus find more content on the web server to test. Checking "Follow dynamic pages" causes Nessus to do a more thorough job of finding web applications and known or unknown vulnerabilities.

Web Application Testing - Fuzzing

Checking the box titled "Enable web application tests" tells Nessus to fuzz the parameters of all CGI scripts found by the web mirroring plugin:


More detailed information about the options for web application tests can be found in the Nessus documentation and in the Tenable course titled "Advanced Vulnerability Scanning Techniques Using Nessus".

New Web Application Plugins

The following plugins were recently added and are part of the web application tests (fuzzing) functionality in Nessus:

Another one of my new favorite web application testing plugins is:

By sending requests with additional parameters such as 'admin', 'debug', or 'test' to CGI scripts hosted on the remote web server, Nessus was able to generate at least one significantly different response even though the parameters themselves do not actually appear in responses.

For example, by setting "&debug=1" on a request to a web application, you may get something like this:

/* Minify_CSS_UriRewriter::$debugText

docRoot : /var/www/myapplication

currentDir : /var/www/myapplication/includes/templates/css

file-relative URI : ../images/icon_shipping.png

path prepended : /var/www/myapplication/includes/templates/css/../images/icon_shipping.png

docroot stripped : /includes/templates/css/../images/icon_shipping.png

traversals removed : /includes/templates/images/icon_shipping.png

file-relative URI : ../images/icon_zoom.gif

path prepended : /var/www/myapplication/includes/templates/css/../images/icon_zoom.gif

docroot stripped : /includes/templates/css/../images/icon_zoom.gif

File path disclosure is very useful information, especially when trying to execute other attacks such as local file inclusion or directory traversals.


Nessus provides several different ways to test your web applications. It can provide the full spectrum of vulnerability enumeration, including network vulnerabilities, web server vulnerabilities, both known and unknown web application vulnerabilities and even configuration auditing of your web application platform.

Subscribe to the Tenable Blog

Try for Free Buy Now

Try Tenable.io Vulnerability Management


Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now and run your first scan within 60 seconds.

Buy Tenable.io Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Try Nessus Professional Free


Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.