Presentation "Using Nessus In Web Application Assessments"
At a recent OWASP meeting in Princeton, NJ I gave a short presentation on some techniques to have Nessus dig deeper into your web applications. There are several approaches to web application testing:
- "Blind Tests" - Often a penetration tester is provided a range of address spaces and some rules of engagement to define the parameters of the test. Information such as which IP addresses and/or hostnames are running web servers is not typically provided, nor is a list of which web applications are running on those web servers. Nessus contains functionality to identify running web servers and vulnerable web applications, which is is very useful if you have large amounts of address space to scan. This does not replace manual testing, but provides a starting point for detailed web application tests.
- Targeted Scanning - If you are scanning internally you may want to configure scans that specifically target your web servers. Nessus has many features that can be tuned to generate more details from these scans. There are several options, such as "CGI scanning" that can test web applications for the "low hanging fruit". While Nessus does contain some functionality to test for XSS and SQL injection, it is not a replacement for manual testing or specific scans and testing that can be performed with a pure web application testing tool (or suite of tools).
Local patch and configuration auditing - When provided credentials, Nessus can log into your web and database servers and check for the latest patches and configuration settings. This is a great way to ensure that your web application environment is hardened against attacks. Auditing the configuration against industry standards, such as the OWASP Top 10 List, can help prevent successful attacks that rely on mis-configuration (such as PHP's "safe_mode" setting).
You can download the slides from the presentation and see step-by-step how to configure Nessus to scan web applications, the options available for local checking and configuration auditing, and even how to tune the audit policies with custom checks.
References
Related Articles
Study: Tenable Offers Fastest, Broadest Coverage of CISA's KEV Catalog
October 23, 2023Tenable ranked first in multiple vulnerability management categories, including the most comprehensive coverage and quickest detection of CISA's Known Exploited Vulnerabilities, according to a Miercom report commissioned by Tenable.
Tuning Network Assessments for Performance and Resource Usage
September 13, 2022Using the correct tool for the job and optimizing scanner placement will have a large impact on scan efficiency with Nessus, Tenable.io and Tenable.sc.
Terrascan Joins the Nessus Community, Enabling Nessus To Validate Modern Cloud Infrastructures
May 17, 2022The addition of Terrascan to the Nessus family of products helps users better secure cloud native infrastructure by identifying misconfigurations, security weaknesses, and policy violations by scanning Infrastructure as Code repositories.
CVE-2024-4040: CrushFTP Virtual File System (VFS) Sandbox Escape Vulnerability Exploited
April 23, 2024A zero-day vulnerability in CrushFTP was exploited in the wild against multiple U.S. entities prior to fixed versions becoming available as the vendor recommends customers upgrade as soon as possible.
Operational Technology in the DoD: Ensuring a Secure and Efficient Power Grid
April 19, 2024In an evolving threat landscape, the DoD must make sure that its mission-critical operations don’t experience power outages.
Cybersecurity Snapshot: Cyber Agencies Offer Secure AI Tips, while Stanford Issues In-Depth AI Trends Analysis, Including of AI Security
April 19, 2024Check out recommendations for securing AI systems from the Five Eyes cybersecurity agencies. Plus, Stanford University offers a comprehensive review of AI trends. Meanwhile, a new open-source tool aims to simplify SBOM usage. And don’t miss the latest CIS Benchmarks updates. And much more!
- Nessus