Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

Scanning Web Applications That Require Authentication

Paul Asadoorian
Paul Asadoorian  |
September 21, 2009 | 9 Min Read

Web applications that manage sensitive data are usually protected with either basic or form-based authentication. Nessus can be configured with the appropriate credentials for these authentication schemes as they relate to web application testing. This post covers these authentication schemes in-depth, and explores some of the potential problems you may experience when scanning with credentials and how to overcome them.

Basic Authentication

For web applications, or sections of web applications, that require basic authentication, you can enter one username and password pair that Nessus can use each time it is prompted for credentials. On the "Advanced" tab in the "Login configurations" section, enter the desired username and password in the "HTTP account" and "HTTP password" fields as shown below.



LoginConfig-BasicAuth.png

It is important to note that the password in this case could be sent in clear-text, or most likely Base64 encoded depending on the encryption method implemented by the web server. When a scan is initiated, Nessus will use the credentials specified to login to any web site requiring basic authentication. For example, a WRT54G router, that uses basic authentication on the administrative web page was scanned and the following CGI was discovered:

Plugin output :

The following CGI have been discovered :

Syntax : cginame (arguments [default value])

/ddns.tri (ddns_enable [2] ddns_username [] ddns_passwd [] ddns_hostname [] ddns_...)
/filter.tri (action [] f_id [4] del [+sbutton.del+] summary [+share.summary+] f_nam...)
/factdefa.tri (FactoryDefaults [Yes] FactoryDefaults [] layout [en] save" [] cancel [...)
/WFilter.tri (wl_macmode1 [1] wl_macmode1 [0] wl_macmode [0] wl_macmode [1] mac_filt...)
/manage.tri (remote_mgt_https [] http_enable [] https_enable [] PasswdModify [1] ht...)
/ctlog.tri (log_incoming [+adbutton.inlog+] log_outgoing [+adbutton.outlog+] save"...)
/qos.tri (hport_priority_1 [0] hport_priority_2 [0] hport_priority_3 [0] hport_p...)
/WanMac.tri (action [] mac_clone_enable [] mac_clone_enable [] def_hwaddr_0 [00] de...)
/Basic.tri (dhcp_end [] save" [] wan_hostname [linksys_router...)
/AdvRoute.tri (action [] bSRoute [] oldOpMode [0] wk_mode [1] dr_setting [0] route_pa...)
/apply.cgi (ping [+adbutton.ping+] tracer [+adbutton.tracer+] layout [en] )
/ptrigger.tri (RuleID_0 [] service_name0 [] tfrom0 [0] tto0 [0] rfrom0 [0] rto0 [0] R...)
/dmz.tri (save" [] action [] cancel [+sbutton.cancel+] layout [en] dmz_ipaddr [0] )
/Security.tri (SecurityMode [3] layout [en] save" [] cancel [+sbutton.cancel+] )
/rstatus.tri (action [] wan_pro [0] conn_stats [4294967295] layout [en] dhcprelease ...)
/upgrade.tri (action [] file [] process [] Upgrade [+share.upgrade+] )
/fw.tri (ident_pass [] action [] block_wan [] IGMP [] _block_loopback [] _ident...)
/WBasic.tri (Freq [] save" [] channel [6] sesMode [0] cancel [+sbutton.cancel+] sub...)
/vpn.tri (action [] save" [] cancel [+sbutton.cancel+] )
/Advanced.tri (AuthType [] basicrate [all] wl_rate [] wMode [0] sectype [0] ctspmode ...)
/PortRange.tri (from8 [0] to3 [0] RuleID_7 [0] save" [] name0 [] RuleID_2 [0] pro8 [tc...)

Without successful authentication, none of these pages and CGI programs would be tested for vulnerabilities. In this case, you must also direct Nessus to test for the embedded web server, as the WRT54G will be identified as such. This configuration setting is located on the "Advanced" tab in the "Web application test settings", and is called "Test embedded web servers."

Form Based Authentication

The authentication for a web application is often embedded into the site using an HTML form and sent to the web server using a POST request, preferably over HTTPS. To provide an example of how to configure Nessus to authenticate using HTML forms, the web application called "Damn Vulnerable Web App" (DVWA) was scanned using Nessus. The first step was to review the site's login page and understand how it works. Browsing to the URL of the application presents the following form:


DVWA-Login.png

There are two ways to collect the information about the login form in order to configure Nessus to login for the scan: analyze the HTML source code or perform a packet capture and analyze the results. First, let's review how to read the HTML source code and map the form fields in the HTML to the Nessus configuration that resides in the "Adavanced" tab under "HTTP login page". The login page for the application contains the following elements:

The form action is the file in the web application that is called to perform the actual authentication. This may differ from the page that is serving the form itself, so you must enter this into the Nessus configuration in the "Login form" field. Do not forget to supply a fully qualified path and include a leading "/". In this case the "Login form" value will be "/dvwa/login.php".

The following lines show the username and password fields that will be entered into the "Login form fields" field:

<input type="text" size="20" name="username" />

<input type="password" autocomplete="off" size="20" name="password" />

Within the "input" tag look for the label "name=" and use that as the label for the username and password parameters. The parameter values are set with the "=" and separated by the "&" character.

Sidebar Discussion: HTML Form Autocomplete

The autocomplete feature for HTML form fields was first introduced (and supported) in the Microsoft Internet Explorer web browser, version 5. It allows the browser to remember the values that were entered into form fields and auto completes them for the user. This can be a useful feature when entering information into various forms, as typically the end user is prompted for the same information across multiple sites (e.g., Name, Address, Email Address). However, when applied to password fields, it can pose a security risk as the password will be stored in the browser Tenable's Passive Vulnerability Scanner (PVS) (and Nessus via the web mirror plugin) can detect this condition. If PVS sees a browser accessing a page coded without "autocomplete" disabled on password fields it will generate an alert:


PVS-Autocomplete.png

While this is considered a "Medium" level vulnerability (with a CVSS score of 4.3, the most critical being 10) it should be addressed by web application developers.

The username and password parameters can be entered as follows into the Nessus configuration:

username=admin&amp;password=password

However, there may be other parameters required before a login request is accepted. Further searching through the source code of the login page reveals an additional input parameter:

<input type="submit" value="Login" name="Login" />

This must be added to the request before the application will accept it. Now the full request will look as follows:

username=admin&amp;password=password&amp;Login=Login

In the NessusClient, the final configuration for all parameters in the Nessus configuration is:


LoginFormFields.png

If the form information is somehow not available, or it is not working because the authentication sequence is more complex and additional parameters need to be set, you can gather the same information from a packet capture. A libpcap file containing the packet capture information from the login process was opened using Wireshark to analyze the parameters:

Wireshark-HTTP-POST-sm.png

Click the above image for a larger version.

The first task is to filter the packet capture so that only HTTP POST requests are shown. This allows the login requests of the application to be analyzed, hiding all other requests and responses. The filter to accomplish this is "http.request.method matches "POST"". One packet is displayed as a result of the filter. By expanding the HTTP header information the login form values are displayed just after the "POST" command. The final piece of information needed is the data from the request, which represents all of the parameters and associated values. This information can be used to configure Nessus the same way as when the source code was analyzed.

Excluding Specific Pages

Once a scan has been properly configured with credentials, it will test the parameters inside the application that are available to authenticated users. Problems can arise in several areas, as this means that the web spider (webmirror.nasl) will try to find all of the pages within that application by visiting the links on each page discovered. The first problem encountered when scanning DVWA was the logout functionality. Since the mechanism to logout is simply a link, when the web spider runs it will "click" this link and log Nessus out of the application. Nessus will identify when problems such as this are encountered and trigger plugin 40406, CGI Generic Tests HTTP Errors:

CGI-Errors.png

To avoid this problem, the following was added to the web mirror settings in the NessusClient ("Advanced" -> "Web mirroring" -> "Excluded items regex"):

logout\.php

This successfully avoids the logout problem, and lets Nessus thoroughly test the application, and find several different web application vulnerabilities. However, while Nessus was still in the process of scanning the application I attempted to login with the admin username and was unsuccessful. To troubleshoot this problem I accessed the database and dumped the user table, specifically the entry for the "admin" user:

mysql&gt; SELECT * FROM users WHERE first_name="admin"; +---------+------------+-----------+-------+----------------------------------+ | user_id | first_name | last_name | user | password | +---------+------------+-----------+-------+----------------------------------+ | 1 | admin | admin | admin | d41d8cd98f00b204e9800998ecf8427e | +---------+------------+-----------+-------+----------------------------------+

The value "d41d8cd98f00b204e9800998ecf8427e" (after some Google searching) was recognized as the equivalent of NULL (or ""). This means that the Nessus CGI testing was accessing the fields that allows users to change their password. Further regular expressions can be added to avoid these pages; however this means a portion of the application will not be tested. If testing the password change feature or similar features is required, then it is best to use a separate test copy of the application to perform the scan, rather than a production system.

Conclusion

Determining if web applications require authentication, and configuring the scanning tools accordingly, is an important step to application testing. It will uncover many new pieces of functionality in web applications that need to be tested for vulnerabilities. Currently Nessus supports basic and form based authentication, with more authentication methods on the way (such as cookie support). When testing your applications, it is also important to monitor the scan and review the results carefully. Any problems could be a sign that the test was not completed successfully and potentially missed testing for vulnerabilities. Nessus provides users with several ways to both detect and overcome these problems.

Resources

Paul Asadoorian

Paul Asadoorian

As founder and CEO of Security Weekly, Paul remains one of the world’s foremost experts on all things cybersecurity. Security Weekly is a one-stop resource for podcasts, webcasts and other content, informing community members about penetration testing, vulnerability analysis, ethical hacking and embedded device testing. Previously, Paul served as a lead IT security specialist for Brown University, and as an instructor with The SANS Institute.

Related Articles

Tuning Network Assessments for Performance and Resource Usage

September 13, 2022

Using the correct tool for the job and optimizing scanner placement will have a large impact on scan efficiency with Nessus, Tenable.io and Tenable.sc.

Seth Matheson

Seth Matheson

Terrascan Joins the Nessus Community, Enabling Nessus To Validate Modern Cloud Infrastructures

May 17, 2022

The addition of Terrascan to the Nessus family of products helps users better secure cloud native infrastructure by identifying misconfigurations, security weaknesses, and policy violations by scanning Infrastructure as Code repositories. 

Cesar Rodriguez

Cesar Rodriguez

Nessus 10.0: Vulnerability Assessment for Today’s Dynamic Environments

November 2, 2021

New features are designed to offer the portability, efficiency and ease-of-use needed to protect the ever-expanding attack surface.

Michael Rothschild

Michael Rothschild

Want to Learn More about Exposure Management? Check Out This Gartner® Report

June 6, 2023

At Tenable, we believe that you need exposure management to protect your modern attack surface. But it’s not just us. We feel the Gartner “Predicts 2023: Enterprises Must Expand from Threat to Exposure Management” report is required reading for cybersecurity teams adopting an exposure management program and platform. 

Juan Perez

Juan Perez

Tenable Cyber Watch: China’s ‘Volt Typhoon’ Targets U.S. Critical Infrastructure, BEC Attacks Skyrocket, and more

June 5, 2023

This week’s edition of the Tenable Cyber Watch unpacks the White House’s updates to its National AI R&D Strategic Plan and addresses the recent surge in business email compromise scams. Also covered: CISA’s warning about Volt Typhoon, the hackers backed by the Chinese government that have been targeting U.S. critical infrastructure.

Jirah Mickle

Jirah Mickle

CVE-2023-34362: MOVEIt Transfer Critical Zero-Day Vulnerability Exploited in the Wild

June 2, 2023

Discovery of a new zero-day vulnerability in MOVEit Transfer becomes the second zero-day disclosed in a managed file transfer solution in 2023, with reports suggesting that threat actors have stolen data from a number of organizations.

Satnam Narang

Satnam Narang

  • Nessus

Are You Vulnerable to the Latest Exploits?

Enter your email to receive the latest cyber exposure alerts in your inbox.

Try for Free Buy Now

Tenable Vulnerability Management

Formerly Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin, Tenable Web App Scanning and Tenable Cloud Security.

Tenable Vulnerability Management

Formerly Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Choose Your Subscription Option:

Buy Now
Try for Free Buy Now

Try Tenable Nessus Professional Free

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

NEW - Tenable Nessus Expert
Now Available

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

Fill out the form below to continue with a Nessus Pro Trial.

Buy Tenable Nessus Professional

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Buy Now
Renew an existing license | Find a reseller | Request a Quote
Try for Free Buy Now
Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin, Tenable Web App Scanning and Tenable Cloud Security.

Tenable.io BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Choose Your Subscription Option:

Buy Now
Try for Free Buy Now

Try Tenable Web App Scanning

Formerly Tenable.io Web Application Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management, Tenable Lumin and Tenable Cloud Security.

Buy Tenable Web App Scanning

Formerly Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try for Free Contact Sales

Try Tenable Lumin

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management, Tenable Web App Scanning and Tenable Cloud Security.

Buy Tenable Lumin

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

Try for Free Contact Sales

Try Tenable Cloud Security

Formerly Tenable.cs

Enjoy full access to detect and fix cloud infrastructure misconfigurations and view runtime vulnerabilities. Sign up for your free trial now. To learn more about the trial process click here.

Your Tenable Cloud Security trial also includes Tenable Vulnerability Management, Tenable Lumin and Tenable Web App Scanning.

Contact a Sales Rep to Buy Tenable Cloud Security

Contact a Sales Representative to learn more about Tenable Cloud Security and see how easy it is to onboard your cloud accounts and get visibility into both cloud misconfigurations and vulnerabilities within minutes.

Try for Free Buy Now

Try Tenable Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Buy a multi-year license and save more.

Add Support and Training

Buy Now
Renew an existing license | Find a reseller | Request a quote
Try for Free Buy Now

Try Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Buy a multi-year license and save more.

Add Support and Training

Buy Now
Renew an existing license | Find a reseller | Request a quote