Plugin Highlight - Web Application Tests : Load Estimation (ID 33817)
Web application testing with automated scanners can be tricky business. While testing various target web servers, I found that some targets seemed to finish in a relatively short period, while others took days - or never seemed to complete at all. This occurred despite the fact that I often used identical test settings and relatively conservative scan settings for the different targets.
While troubleshooting this apparent disparity, I came across a useful plugin that helped me see a little of what was going on in the background. The plugin is Nessus Plugin ID 33817 “Web Application Tests : Load Estimation”.
Here is the plugin synopsis/description:
Synopsis
Load estimation for web application tests.
Description
This script computes the maximum number of requests that would be done by the generic web tests, depending on miscellaneous options. It does not perform any test by itself.
The results can be used to estimate the duration of these tests, or the complexity of additional manual tests.Note that the script does not try to compute this duration based on external factors such as the network and web servers loads.
A useful trick that I found was running two scans for each web application test. In the first scan, I would enable only plugin 33817, along with some related settings described in the table below, so I could get a feel for the best possible scan settings along with the approximate time required for the actual scan. After running the estimation scan, I could then run the full scan with reasonable expectation of the amount of time it would take.
Here’s sample output from a typical “Load Estimation” scan of a web server running Mutillidae:
Plugin Output
Here are the estimated number of requests in miscellaneous modes for the GET method only:
[Single / Some Pairs / All Pairs / Some Combinations / All Combinations]
arbitrary command execution : S=5350 SP=487550 AP=16772900 SC=>2G AC=>2G
format string : S=428 SP=39004 AP=1341832 SC=>2G AC=>2G
header injection : S=428 SP=39004 AP=1341832 SC=>2G AC=>2G
SSI injection : S=642 SP=58506 AP=2012748 SC=>2G AC=>2G
unseen parameters : S=7490 SP=682570 AP=23482060 SC=>2G AC=>2G
RS : S=1712 SP=156016 AP=5367328 SC=>2G AC=>2G
blind SQL injection : S=2568 SP=234024 AP=8050992 SC=>2G AC=>2G
SQL injection : S=5778 SP=526554 AP=18114732 SC=>2G AC=>2G
directory traversal (extended test): S=10272 SP=936096 AP=32203968 SC=>2G AC=>2G
directory traversal : S=6206 SP=565558 AP=19456564 SC=>2G AC=>2G
directory traversal (write access): S=428 SP=39004 AP=1341832 SC=>2G AC=>2G
local file inclusion : S=856 SP=78008 AP=2683664 SC=>2G AC=>2G
web code injection : S=214 SP=19502 AP=670916 SC=>2G AC=>2G
DOM XSS : S=214 SP=19502 AP=670916 SC=>2G AC=>2G
persistent XSS : S=856 SP=78008 AP=2683664 SC=>2G AC=>2G
cross-site scripting (quick test): S=4280 SP=390040 AP=13418320 SC=>2G AC=>2G
XML injection : S=214 SP=19502 AP=670916 SC=>2G AC=>2G
Here are the estimated number of requests in miscellaneous modes for both methods (GET & POST):
[Single / Some Pairs / All Pairs / Some Combinations / All Combinations]
arbitrary command execution : S=245000 SP=27754600 AP=966198400 SC=>2G AC=>2G
format string : S=19600 SP=2220368 AP=77295872 SC=>2G AC=>2G
header injection : S=19600 SP=2220368 AP=77295872 SC=>2G AC=>2G
SSI injection : S=29400 SP=3330552 AP=115943808 SC=>2G AC=>2G
unseen parameters : S=343000 SP=38856440 AP=1352677760 SC=>2G AC=>2G
RS : S=78400 SP=8881472 AP=309183488 SC=>2G AC=>2G
blind SQL injection : S=117600 SP=13322208 AP=463775232 SC=>2G AC=>2G
SQL injection : S=264600 SP=29974968 AP=1043494272 SC=>2G AC=>2G
directory traversal (extended test): S=470400 SP=53288832 AP=1855100928 SC=>2G AC=>2G
directory traversal : S=284200 SP=32195336 AP=1120790144 SC=>2G AC=>2G
directory traversal (write access): S=19600 SP=2220368 AP=77295872 SC=>2G AC=>2G
local file inclusion : S=39200 SP=4440736 AP=154591744 SC=>2G AC=>2G
web code injection : S=9800 SP=1110184 AP=38647936 SC=>2G AC=>2G
DOM XSS : S=9800 SP=1110184 AP=38647936 SC=>2G AC=>2G
persistent XSS : S=39200 SP=4440736 AP=154591744 SC=>2G AC=>2G
cross-site scripting (quick test): S=196000 SP=22203680 AP=772958720 SC=>2G AC=>2G
XML injection : S=9800
SP=1110184 AP=38647936 SC=>2G AC=>2G
Your mode : single, GET only, thorough tests.
As noted in the output, this plugin doesn’t actually perform any vulnerability checks. Instead, it takes the “Web mirroring (10662)” plugin results in conjunction with other web application scan settings (such as thorough tests and experimental scripts) and performs a calculation of the maximum number of checks (GET or GET/POST requests) that would be required if the scan was actually going to be performed.
In the output above, S (Single) and SP (Some Pairs) generally had a reasonable number of checks, while the SC (Some Combinations) and AC (All Combinations) each ran approximately two billion checks per category. AP (All Pairs) was somewhere in the middle, ranging from 670 thousand to almost 2 billion checks per category.
Based on this output, I would likely choose “Single” or “Some Pairs” if I needed a relatively quick web application scan or “All Pairs” if I had more time to let the scan complete (about 24 hours in this case). Running scans in either “Some Combinations” or “All Combinations” mode is simply not practical based on the number of checks per category. Further tweaking of the web mirroring or web application test settings specified in the table below could reduce the number of checks. The table below lists both required and optional settings for a “Load Estimation” scan.
|
Web App Load Estimation Settings |
Description |
|
Required Settings – must be set for load estimation output to work properly |
|
|
Web Application Test Settings (Plugin 3941) |
Plugins -> Settings |
|
Enable web application tests checkbox |
Preferences -> Web Application Tests Settings |
|
Web Application Tests: Load Estimation (Plugin 33817) |
Plugins -> CGI abuses category |
|
Web mirroring (Plugin 10662) |
Plugins -> Web Servers. Configure the desired web mirroring settings in the Preferences -> Web mirroring section. For more guidance, see this blog or the Nessus documentation available on the Tenable Support Portal. |
|
Test SSL based services |
Preferences -> Service Detection. Set this to “All” where your web application listens over SSL on non-standard ports. |
|
Optional Settings – not required, but could affect the load estimation output |
|
|
Thorough Tests |
Preferences -> Global variable settings |
|
Enable Experimental Scripts |
Preferences -> Global variable settings |
|
Test Embedded Web Servers |
Preferences -> Web Application Tests Settings |
In conclusion, it makes sense to analyze and optimize your Nessus settings before kicking off any web application scan. Knowing what a scan is going to do before the scan actually occurs is the key to this process. The “Load Estimation” plugin will help you on your path to web application testing “Zen”.
Related Articles
Operational Technology in the DoD: Ensuring a Secure and Efficient Power Grid
April 19, 2024In an evolving threat landscape, the DoD must make sure that its mission-critical operations don’t experience power outages.
Cybersecurity Snapshot: Cyber Agencies Offer Secure AI Tips, while Stanford Issues In-Depth AI Trends Analysis, Including of AI Security
April 19, 2024Check out recommendations for securing AI systems from the Five Eyes cybersecurity agencies. Plus, Stanford University offers a comprehensive review of AI trends. Meanwhile, a new open-source tool aims to simplify SBOM usage. And don’t miss the latest CIS Benchmarks updates. And much more!
Tenable and Thales Collaborate to Provide Cyber Defense Simulations to Better Secure Operational Technology Environments
April 18, 2024The heart of the Welsh Valleys is home to the Thales Ebbw Vale campus, a world-class facility jointly funded by the Welsh government as part of its regeneration program for the region. At the core of the facility is the Cyber Range, a simulation and virtualization platform for training, testing, exercising and R&D. Tenable has joined the lineup of solutions used to run real world simulations in this controlled environment.
