Zen and the Art of Nessus Web Application Scanning
Tenable’s research and development teams have been steadily adding new features and plugins to the web application scanning functionality in Nessus to detect web application vulnerabilities. These can be grouped into two categories:
- Known Web Application Vulnerabilities - Nessus contains over 1,700 plugins that can fingerprint and detect known vulnerabilities in web applications. Any plugin listed in the "CGI Abuses" or "CGI Abuses : XSS" plugin families is written to enumerate vulnerabilities that have previously been reported in a web application product (open-source or commercial). To run these plugins you MUST enable CGI scanning in the "Preferences" section of the Nessus policy; even if the plugin families themselves are enabled, they will not execute while CGI scanning is disabled.
- Previously Unknown Web Application Vulnerabilities - This level of scanning uses various fuzzing and other enumeration techniques to detect vulnerabilities that may not yet have been discovered. Each parameter of the web application is tested for SQL injection, cross-site scripting and a large number of other common web application attacks. Nessus has a comprehensive list of different attack strings and methods to find vulnerabilities in web applications. More information about these can be found in the Nessus User Guide.
The following sections provide more detailed information on how to enable features within Nessus to perform more exhaustive web application scans. Please note that use of these features will cause your scans to run longer!
Web Application Test Settings
Two options in the scan policy (highlighted in red in the screenshot) direct Nessus to be more comprehensive:
Enable CGI Scanning
As stated previously, this option causes Nessus to execute both the "CGI Abuses" and "CGI Abuses : XSS" plugin families. Since it is testing for known vulnerabilities, the impact on performance is not as significant as enabling the web application tests that perform parameter fuzzing. I highly recommend that you enable this option on at least some of your regular scans. If you are a penetration tester and use Nessus as part of an assessment, enable this option. Again, it may take a bit longer for your scan to run, but your results will be more comprehensive.
Thorough Tests (slow)
As the name implies, the "Thorough Tests" option directs Nessus to "try harder", at a cost in scan speed. For web application testing in particular, it causes the plugins to execute more attack strings and to check for applications and vulnerabilities in more locations than just the default location.
By default, Nessus will not search for and follow HTML links on web pages to enumerate the application's files and directories. Following links is an important step, as it helps Nessus find more content on the web server to test. Checking "Follow dynamic pages" causes Nessus to do a more thorough job of finding web applications and their known or unknown vulnerabilities.
Web Application Testing - Fuzzing
Checking the box titled "Enable web application tests" tells Nessus to fuzz the parameters of all CGI scripts found by the web mirroring plugin:
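The web mirroring step described here, as an added example that is not Nessus code: a small breadth-first crawler in Python, run against a constructed four-page site (the origin and pages are assumptions for this example) that extracts anchor links and form inputs, refuses to leave the starting origin, and collects each script path with the parameter names seen for it. That script-to-parameter map is exactly the input a fuzzing stage then works from.

```python
import html.parser
from urllib.parse import urljoin, urlsplit, parse_qsl

# Constructed sample site (path -> HTML body), standing in for HTTP responses so the
# crawl runs offline. The origin and pages are assumptions for this example only.
ORIGIN = "http://app.example"
SAMPLE_SITE = {
    "/": '<a href="/index.php">Home</a>'
         '<a href="/shop/search.php?q=shoes&amp;sort=price">Search</a>'
         '<a href="http://other.example/page">Partner site</a>',
    "/index.php": '<a href="/shop/search.php?q=hats">Hats</a>'
                  '<form action="/login.cgi" method="post">'
                  '<input name="user"><input name="pass" type="password"></form>',
    "/shop/search.php": '<a href="search.php?q=boots&amp;page=2">Next</a><a href="/">Back</a>',
    "/login.cgi": "<p>Please log in</p>",
}


class LinkExtractor(html.parser.HTMLParser):
    """Collect anchor targets and form actions together with their input names."""

    def __init__(self):
        super().__init__()
        self.links = []          # raw href values
        self.forms = []          # (action, [input names])
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)          # HTMLParser has already unescaped &amp; for us
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":
            self._form = (a.get("action", ""), [])
        elif tag == "input" and self._form is not None and a.get("name"):
            self._form[1].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


def mirror(fetch, origin, start="/", max_pages=200):
    """Breadth-first crawl that never leaves `origin`.

    Returns {script path: set of parameter names} for every page found, i.e. the
    list of CGI scripts and parameters a fuzzing stage would then exercise."""
    base = urlsplit(origin)
    queue = [urljoin(origin, start)]
    fetched = set()
    scripts = {}
    while queue and len(fetched) < max_pages:
        url = queue.pop(0)
        parts = urlsplit(url)
        if (parts.scheme, parts.netloc) != (base.scheme, base.netloc):
            continue                      # out of scope: stay on the target origin
        path = parts.path or "/"
        scripts.setdefault(path, set()).update(k for k, _ in parse_qsl(parts.query))
        if path in fetched:
            continue                      # already mirrored; only the query was new
        fetched.add(path)
        body = fetch(path)
        if body is None:
            continue                      # 404 or non-HTML: nothing to extract
        extractor = LinkExtractor()
        extractor.feed(body)
        queue.extend(urljoin(url, href) for href in extractor.links)
        for action, inputs in extractor.forms:
            target = urljoin(url, action)
            t = urlsplit(target)
            if (t.scheme, t.netloc) == (base.scheme, base.netloc):
                scripts.setdefault(t.path, set()).update(inputs)
                queue.append(target)
    return scripts


def crawl_sample():
    """Mirror the constructed site; returns the script -> parameters map."""
    return mirror(SAMPLE_SITE.get, ORIGIN)


if __name__ == "__main__":
    for script, names in sorted(crawl_sample().items()):
        print(f"{script}: {sorted(names) or '(no parameters)'}")
```

Against the sample site the crawl yields four scripts: `/shop/search.php` with `q`, `sort` and `page` (merged from three different links) and `/login.cgi` with `user` and `pass` (taken from a form, which a link-only crawler would miss). The `fetch` callable is the only thing to swap for a real HTTP client; the scope check on scheme and host is what keeps a mirror from wandering onto third-party sites.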
More detailed information about the options for web application tests can be found in the Nessus documentation and in the Tenable course titled "Advanced Vulnerability Scanning Techniques Using Nessus".
New Web Application Plugins
The following plugins were recently added and are part of the web application tests (fuzzing) functionality in Nessus:
- CGI Generic On Site Request Forgery Vulnerability - This vulnerability is a variation on CSRF (Cross Site Request Forgery), but uses the application itself to trick users into running code from the application. An excellent write-up can be found on the Portswigger Blog.
- CGI Generic Redirection Vulnerability - This vulnerability is very similar to XSS, except it uses an open redirect to send a user to a different web site or run code of the attacker's choosing inside the browser.
- CGI Generic Injectable Parameter Weakness - This plugin injects random strings into the parameters of a web application, then searches for them in the resulting page. If a string that Nessus sent in a request reappears in the response, the plugin raises an alert; input reflected this way is a strong lead when looking for XSS vulnerabilities within the application.
Another one of my new favorite web application testing plugins is:
- CGI Generic Unseen Parameters Discovery - This is a great technique to trick the web application into displaying information useful to an attacker:
By sending requests with additional parameters such as 'admin', 'debug', or 'test' to CGI scripts hosted on the remote web server, Nessus was able to generate at least one significantly different response even though the parameters themselves do not actually appear in responses.
For example, by setting "&debug=1" on a request to a web application, you may get something like this:
docRoot : /var/www/myapplication
currentDir : /var/www/myapplication/includes/templates/css
file-relative URI : ../images/icon_shipping.png
path prepended : /var/www/myapplication/includes/templates/css/../images/icon_shipping.png
docroot stripped : /includes/templates/css/../images/icon_shipping.png
traversals removed : /includes/templates/images/icon_shipping.png
file-relative URI : ../images/icon_zoom.gif
path prepended : /var/www/myapplication/includes/templates/css/../images/icon_zoom.gif
docroot stripped : /includes/templates/css/../images/icon_zoom.gif
File path disclosure is very useful information, especially when trying to execute other attacks such as local file inclusion or directory traversals.
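The two plugins described above, the injectable-parameter reflection check and the unseen-parameters discovery, as one added Python example that is not Nessus's code: both checks run against a constructed stand-in CGI function (an assumption for this example, modelled on the debug output shown) so that the logic is visible and runs offline. The `similarity` threshold and the candidate parameter names are assumptions; only `admin`, `debug` and `test` come from the plugin output quoted above.

```python
import difflib
import secrets

# Constructed stand-in for a CGI script: takes a dict of query parameters and returns
# an HTML body, so the checks run offline. It reflects `q` without escaping (the
# weakness the reflection check finds) and dumps path information whenever the
# undocumented `debug` parameter is present. This is example code, not Nessus's.
def sample_cgi(params):
    q = params.get("q", "")
    body = f"<html><body><h1>Results for {q}</h1><p>3 items found</p>"
    if params.get("debug"):
        body += ("<pre>docRoot : /var/www/myapplication\n"
                 "currentDir : /var/www/myapplication/includes</pre>")
    return body + "</body></html>"


def reflected_parameters(app, known_params):
    """Send a random canary in each known parameter and report those echoed back.

    A random value cannot appear in the page by chance, so a match means the
    application writes this parameter into the response unmodified."""
    findings = []
    for name in known_params:
        canary = "nss" + secrets.token_hex(6)
        request = {p: "x" for p in known_params}
        request[name] = canary
        if canary in app(request):
            findings.append(name)
    return findings


EXTRA_PARAMS = ("admin", "debug", "test")   # names from the plugin output above


def similarity(a, b):
    """0.0 to 1.0: the share of characters the two responses have in common."""
    return difflib.SequenceMatcher(None, a, b).ratio()


def unseen_parameters(app, known_params, candidates=EXTRA_PARAMS, threshold=0.9):
    """Add one extra parameter at a time and compare against a baseline response.

    A candidate is reported when the response changes substantially even though the
    value we sent never appears in it, which is what the plugin output describes.
    Two baseline requests are compared first so that a page that varies on its own
    (timestamps, nonces) does not produce false positives. `threshold` is an
    assumed cut-off for this example."""
    baseline_req = {p: "x" for p in known_params}
    baseline = app(baseline_req)
    noise = similarity(baseline, app(baseline_req))
    limit = min(threshold, noise - 0.05)
    findings = []
    for name in candidates:
        value = secrets.token_hex(4)           # random, so reflection is detectable
        response = app({**baseline_req, name: value})
        if value not in response and similarity(baseline, response) < limit:
            findings.append(name)
    return findings


if __name__ == "__main__":
    print("reflected parameters:", reflected_parameters(sample_cgi, ["q", "page"]))
    print("unseen parameters:", unseen_parameters(sample_cgi, ["q", "page"]))
```

With the stand-in script, `q` is reported as reflected and `debug` as an unseen parameter: the debug response drops to roughly 0.6 similarity against the baseline while the random value itself never shows up in it, which is the combination the plugin output quoted above describes. The `noise` measurement is the part a real scanner cannot skip; a page that embeds a timestamp or session token already differs from itself, and a fixed threshold alone would flag every candidate.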
Nessus provides several different ways to test your web applications. It can provide the full spectrum of vulnerability enumeration, including network vulnerabilities, web server vulnerabilities, both known and unknown web application vulnerabilities and even configuration auditing of your web application platform.