Tenable Blog

Zen and the Art of Nessus Web Application Scanning

Tenable’s research and development teams have been steadily adding new features and plugins to the web application scanning functionality in Nessus to detect web application vulnerabilities. These can be grouped into two categories:

• Known Web Application Vulnerabilities - Nessus contains over 1,700 plugins that can fingerprint and detect known vulnerabilities in web applications. Any plugin listed in the "CGI Abuses" or "CGI Abuses : XSS" plugin families is written to enumerate vulnerabilities that have been previously reported in a web application product (open-source or commercial). To enable these plugins you MUST enable CGI scanning in a Nessus policy's "Preferences" section. Even if you enable the plugin families they will not execute if CGI scanning is not enabled.
• Previously Unknown Web Application Vulnerabilities - This level of scanning uses various fuzzing and other enumeration techniques to detect vulnerabilities that may not yet have been discovered. Each parameter of the web application is tested for SQL injection, cross-site scripting and a large number of other common web application attacks. Nessus has a comprehensive list of different attack strings and methods to find vulnerabilities in web applications. More information about these can be found in the Nessus User Guide.

The following sections provide more detailed information on how to enable features within Nessus to perform more exhaustive web application scans. Please note that use of these features will cause your scans to run longer!

Web Application Test Settings

Highlighted in red are two options that direct Nessus to be more comprehensive:

Tenable Network Security presents a unique opportunity to see three of the industry’s visionary leaders during one free event at the Embarcadero Center in San Francisco. 

Scheduled to present during this half-day event are:

• Renaud Deraison (Creator of Nessus®, Tenable Co-founder and CRO)
• Ron Gula (Creator of the Dragon IDS, Tenable Co-founder and CEO/CTO)
• Marcus J. Ranum (Creator of the proxy firewall, NFR founder and Tenable CSO)

Topics covered will include:

• Nessus overview and future plans
• The advantages of pairing active and passive scanning
• An overview and discussion of current security strategies and new industry trends
• The past, present and future of regulatory compliance
• Tenable Network Security product/solutions overview

Welcome to the Tenable Network Security Podcast - Episode 45

Hosts: Paul Asadoorian, Product Evangelist & Kelly Todd, Compliance Analyst

Announcements

• Several new blog posts have been published this week, including:
  • Blackhat 2010 Round Up -
  • Security Metrics - Is This Network Getting Better?
• The new course titled "Advanced Vulnerability Scanning Techniques Using Nessus" is now being offered at BruCon 2010. It's a two-day course that will put students into a real-world environment where they will have to solve problems and identify vulnerabilities using the advanced features of the Nessus vulnerability scanner.
  
• Be certain to check out our video channel on YouTube that contains the latest Nessus tutorials.


• We're hiring! - Visit the web site for more information about open positions. There are currently 10 open positions listed:
• Sales Engineer
• Regional Sales Manager
• Inside Sales Representative
• Tenable Nessus Trainer
• Customer Support Engineer
• Quality Assurance Analyst/Engineer
• Compliance Auditor
• Vulnerability Research Engineer
• Linux Appliance Engineer
• Flex/Flash Developer
• You can subscribe to the Tenable Network Security Podcast on iTunes!


• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, Nessus plugin statistics and more!

Tenable was in attendance for Black Hat 2010 in Las Vegas last week. In addition to having a vendor’s booth, we presented four days of Nessus training, our very own Carole Fennelly organized Hacker Court and we hosted a party at Margaritaville. Below are some pictures and more details on the events:

Intro

The first time I was asked to scan a Class B network, my initial reaction was “Are you kidding me?” I actually thought it was a trick question to see how I reacted to unexpected situations. I had just two weeks to develop a strategy and perform the scan. This seemed to be a daunting task.

Ten years later, I had provided assessments for Class B (or bigger) networks over a dozen times, mostly for government agencies and the occasional university. Performing an audit of tens of thousands of IP addresses is no different from any other audit, unless time is restrictive. Large IP blocks in small time periods require you to revise your normal assessment methodology. Where you typically scan 65,535 ports on a machine, you may only be able to scan a dozen or two. Instead of examining every open port on a machine, time constraints may force you to focus on low-hanging fruit and services that are prone to high-risk vulnerabilities.

Developing a Methodology

Thinking about the polar opposites in assessment, you have a single IP address on one side, and a Class B network on the other. Adjusting your methodology to account for the number of machines becomes a balancing act between allotted time and number of targets. As the number of systems to scan increases, while the time allocated to scan remains constant, the amount of time per system must decrease.