
Tenable Blog


Tips For Using Nessus In Web Application Testing

While Nessus has traditionally been a network vulnerability scanner, it contains quite a bit of functionality that can be used to identify vulnerabilities in custom web applications. This is not to say that Nessus will replace your favorite web application testing tool (or methodology), but it does provide useful information that can be used as the foundation for web application assessments or to indicate that deeper testing is warranted.

There are two different approaches to web application testing. The first is part of a larger so-called "blind" test, where you are given a range of IP addresses and asked to test the devices and systems within those ranges. The web applications running within this space will usually be tested generically, but a general scan may not specifically test for web vulnerabilities. You need to first find and enumerate which web applications are running and then run targeted scans that specifically look for web vulnerabilities. The second form of testing is when you are given the URL, and typically credentials, to the web application and asked to test it specifically. Nessus can help with both of these tasks and provide valuable information that will help with your testing. Nessus provides some of the first steps of web application testing, such as identifying the web server software and technologies, detecting vulnerabilities in common/popular web application software and rudimentary CGI application testing. This post focuses on using Nessus for network-based testing, and describes several compliance-based checks that provide very thorough testing of web application environments, including scanning to test for the OWASP PHP security specifications and Apache CIS Benchmarks.


Selecting a Target

To create a realistic testing environment, our target was set up to run "Mutillidae" version 1.2, a PHP application that was written to contain vulnerabilities. Mutillidae was written by "Irongeek" and contains vulnerabilities that specifically cover the OWASP Top Ten list. It contains many different types of vulnerabilities, including SQL injection, cross-site scripting (XSS) and information disclosures.

Selecting Plugins

When tuning Nessus for web application testing, you can select the plugin families that are relevant to your test. This saves time and makes for a more efficient scan. However, for a more thorough scan, you can leave all plugin families enabled and let Nessus choose the best plugins. For this scan, I have enabled the following plugin families:

  • CGI abuses - This plugin family checks for anything that is ‘CGI’ related, unless it is XSS (and only an XSS vulnerability), in which case it falls into the "CGI abuses : XSS" family. These checks use a combination of detection techniques, including checking the version of the application and testing for the actual vulnerability. The attacks include software detection, information disclosure, XSS, SQLi, LFI, RFI, overflows and more.
  • CGI abuses : XSS - Specific CGI checks for reflective and persistent XSS vulnerabilities in common web applications.
  • Database - Typically a web server will run a database that is used by various web applications.
  • FTP - Web pages need to be updated, and FTP is a popular protocol used to allow your web developers to send files to the server.
  • Gain a Shell Remotely - If you can obtain a shell on the remote web server, testing the application is somewhat moot.
  • Gain root remotely - Same as above: if you can gain root, resolve this problem before the application is tested.
  • General - Contains the operating system fingerprinting plugins, including ones that will identify the OS over HTTP. Identifying the underlying operating system is very important for web application testing, as it will determine the syntax of commands sent via injection (command and SQL) attacks.
  • Remote file access - Includes checks for specific web server/application vulnerabilities that lead to remote file disclosure.
  • Service detection - Contains checks for several different services, including detecting Apache running HTTPS, HTTP CONNECT proxy settings and other services that may host web applications.
  • Web servers - Plugins in this family detect approximately 300 specific vulnerabilities in popular web servers, such as Apache, IIS and generic vulnerabilities associated with the HTTP protocol itself.

Configuring the Scan Policy

In the “Advanced” settings tab, go to the "Global variables settings" and enable the following options:



The "Enable CGI scanning" checkbox causes Nessus to search the web server for known CGI applications and associated vulnerabilities. "Enable experimental scripts" allows Nessus to test for vulnerabilities that use new techniques. The "Thorough tests (slow)" option expands your testing when it comes to web applications and allows the plugins to "try harder" on various tests. This enables more exhaustive SQL injection testing and reports more about the CGI applications found. By default, Nessus will only store and test the last 8 CGI applications found. With thorough testing enabled, Nessus will store and test up to 1024 CGI locations.

Next, select "Web mirroring" from the pull-down menu:



In the "Start page" field, enter the location of the web application that you wish to test. Nessus will detect several different web applications and enumerate common directories on the web server. However, it cannot know about all directory names, so by entering the directory to do web mirroring, we add it to the list of applications that will be tested by the CGI scanner and other plugins.

Next, select "Unknown CGI Argument Input Validation Tests (torturecgis)" from the pull-down menu:



Select the check box to send POST requests. This expands the testing that Nessus can do beyond just GET requests. This is important for web application testing, as many vulnerabilities could exist in the web application that are only triggered by sending a POST request. Checking this option increases the time the scan takes to complete.


After scanning the web application with the above settings, I noticed several plugin results of interest. The first plugin that was triggered was 26194, "Web Server Uses Plain Text Authentication Forms":



Nessus finds three separate pages that transmit fields labeled "password" in cleartext, as the application is not using SSL.
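The check behind that finding is simple enough to reproduce for your own pre-deployment review: walk every form on a page, note whether it carries a password field, resolve the form's action against the page URL, and flag any form that would be submitted over http://. The following Python is an added example written for this post and is not Nessus plugin code; the sample HTML and the host name www.example.test are constructed.

```python
"""Find HTML forms that would submit a password field over plain HTTP.

Added example, not Nessus code. The page URL and HTML below are constructed
to resemble the kind of login pages a web mirror would return.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormCollector(HTMLParser):
    """Collects (action, has_password) pairs for every <form> in a document."""

    def __init__(self):
        super().__init__()
        self.forms = []          # finished forms: list of (action, has_password)
        self._current = None     # [action, has_password] while inside a <form>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = [attrs.get("action") or "", False]
        elif tag == "input" and self._current is not None:
            # type="password" in any letter case marks a credential field
            if (attrs.get("type") or "").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(tuple(self._current))
            self._current = None


def find_plaintext_password_forms(page_url, html):
    """Return the absolute submit URLs of forms that carry a password field
    and would be sent over http:// (no TLS).

    Relative or missing actions are resolved against page_url, so a form with
    no action on an http:// page is reported, while a form whose action points
    at an https:// URL is not.
    """
    parser = _FormCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for action, has_password in parser.forms:
        if not has_password:
            continue
        target = urljoin(page_url, action)
        if urlparse(target).scheme == "http":
            findings.append(target)
    return findings


# Constructed sample: a mirrored page served without TLS (assumption).
SAMPLE_PAGE_URL = "http://www.example.test/mutillidae/index.php?page=login.php"
SAMPLE_HTML = """
<html><body>
<form action="login.php" method="post">
  <input name="username"><input type="password" name="password">
</form>
<form action="https://secure.example.test/login" method="post">
  <input type="password" name="password">
</form>
<form action="search.php"><input type="text" name="q"></form>
<form method="post"><input type="PASSWORD" name="password"></form>
</body></html>
"""


def scan_sample():
    """Run the check over the constructed sample page."""
    return find_plaintext_password_forms(SAMPLE_PAGE_URL, SAMPLE_HTML)


if __name__ == "__main__":
    for url in scan_sample():
        print("password form submitted in cleartext:", url)
```

Of the four constructed forms, two are reported: the relative `login.php` action and the form with no action at all (which posts back to the http:// page itself). The form that posts to an https:// URL and the search form with no password field are not. The fix the finding calls for is the same one the post implies: serve the application, and in particular every page that hosts a credential form, over TLS.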

The next plugin is 10662, "Web mirroring", which attempts to mirror the remote web site based on the parameters ("/mutillidae") that we provided:



The web mirroring finds not only additional directories ("/mutillidae/images/"), but several CGI applications as well. In a web application assessment, the tester would use the provided CGI values above to perform manual or automated testing to determine the security posture of the web application. Nessus can perform some of this testing for you with plugin 10672, "Unknown CGI Argument Input Validation Tests (torturecgis)":



The above plugin output identifies a couple of different CGI scripts that have security problems, such as traversals and XSS. Nessus chose to test the "logout" function, which is vulnerable to both XSS and remote file disclosure. By changing the syntax of the request slightly we can change this into a successful attack that reads the "/etc/passwd" file. Below we use the syntax of "index.php?page=/etc/passwd" and successfully execute the attack:
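The root cause of that finding is a page parameter that is passed straight to a file include, so a path supplied by the client selects the file. The mitigation is to treat the parameter as a key into an allowlist of page names rather than as a path. The following Python is an added example written for this post, not Mutillidae's code and not a Nessus plugin; the allowlist, the directory /srv/app/pages and the sample request values are constructed.

```python
"""Allowlist-based resolution of an untrusted ?page= parameter.

Added example, not application or Nessus code. The allowlist and pages_dir
are constructed assumptions standing in for a real application's page set.
"""
import posixpath
import re

# Constructed allowlist of the page names the application actually ships.
ALLOWED_PAGES = frozenset({"home", "login", "logout", "credits"})

# A bare page name: lowercase letters, digits, '_' or '-', no dots or slashes.
_SAFE_NAME = re.compile(r"^[a-z0-9_-]{1,32}$")


def resolve_page(page_param, pages_dir="/srv/app/pages", allowed=ALLOWED_PAGES):
    """Return the file to include for ?page=<page_param>, or None if rejected.

    Only an exact allowlisted name is accepted. Absolute paths, traversal
    sequences, file extensions and unknown names all return None, so the
    client never chooses a file; it only chooses among files we named.
    """
    if not isinstance(page_param, str):
        return None
    name = page_param.strip()
    if not _SAFE_NAME.fullmatch(name) or name not in allowed:
        return None
    candidate = posixpath.normpath(posixpath.join(pages_dir, name + ".php"))
    # Defense in depth: the normalized path must still sit under pages_dir.
    if posixpath.commonpath([pages_dir, candidate]) != posixpath.normpath(pages_dir):
        return None
    return candidate


# Constructed request values, including the ones the scanner output above
# flagged, so the behaviour of the check can be seen on each.
SAMPLE_REQUESTS = [
    "logout",
    "login",
    "login.php",
    "/etc/passwd",
    "../../etc/passwd",
    "admin",
]


def check_requests(requests=SAMPLE_REQUESTS):
    """Map each constructed request value to the resolved file or None."""
    return {value: resolve_page(value) for value in requests}


if __name__ == "__main__":
    for value, resolved in check_requests().items():
        print(f"{value!r:>22} -> {resolved if resolved else 'rejected'}")
```

Only `logout` and `login` resolve; the absolute path, the traversal sequence, the name with an extension and the unknown name are all rejected before any file is touched. Rejecting rather than sanitizing keeps the logic easy to audit, and the containment check on the normalized path catches a mistake in the allowlist itself. After applying a fix like this, a rescan with plugin 10672 should no longer report the traversal.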




While Nessus is not specifically designed for application scanning, it can be a valuable aid in performing pre-deployment scans before bringing applications online. Nessus is a fast and efficient way to identify which applications are on the network and if they are vulnerable to common exploits. This helps to quickly identify applications that may need rudimentary security fixes before more detailed manual testing is performed. Nessus can automate the process of discovering applications and common software, discovering the versions running and checking to see if they are vulnerable. The CGI scanner does a good job of basic "fuzzing" of the parameters of the discovered CGI applications to uncover attacks such as XSS and remote file disclosure. Again, while Nessus does not replace your web application testing tool, or completely replace your web application testing methodology, it is a valuable tool in the web application assessment process, especially for blind testing of large environments with several web servers and multiple applications.



