Presentation "Using Nessus In Web Application Assessments"
At a recent OWASP meeting in Princeton, NJ I gave a short presentation on some techniques to have Nessus dig deeper into your web applications. There are several approaches to web application testing:
- "Blind Tests" - Often a penetration tester is provided a range of address spaces and some rules of engagement to define the parameters of the test. Information such as which IP addresses and/or hostnames are running web servers is not typically provided, nor is a list of which web applications are running on those web servers. Nessus contains functionality to identify running web servers and vulnerable web applications, which is is very useful if you have large amounts of address space to scan. This does not replace manual testing, but provides a starting point for detailed web application tests.
- Targeted Scanning - If you are scanning internally you may want to configure scans that specifically target your web servers. Nessus has many features that can be tuned to generate more details from these scans. There are several options, such as "CGI scanning" that can test web applications for the "low hanging fruit". While Nessus does contain some functionality to test for XSS and SQL injection, it is not a replacement for manual testing or specific scans and testing that can be performed with a pure web application testing tool (or suite of tools).
Local patch and configuration auditing - When provided credentials, Nessus can log into your web and database servers and check for the latest patches and configuration settings. This is a great way to ensure that your web application environment is hardened against attacks. Auditing the configuration against industry standards, such as the OWASP Top 10 List, can help prevent successful attacks that rely on mis-configuration (such as PHP's "safe_mode" setting).
You can download the slides from the presentation and see step-by-step how to configure Nessus to scan web applications, the options available for local checking and configuration auditing, and even how to tune the audit policies with custom checks.
References
Related Articles
Study: Tenable Offers Fastest, Broadest Coverage of CISA's KEV Catalog
October 23, 2023Tenable ranked first in multiple vulnerability management categories, including the most comprehensive coverage and quickest detection of CISA's Known Exploited Vulnerabilities, according to a Miercom report commissioned by Tenable.
Tuning Network Assessments for Performance and Resource Usage
September 13, 2022Using the correct tool for the job and optimizing scanner placement will have a large impact on scan efficiency with Nessus, Tenable.io and Tenable.sc.
Terrascan Joins the Nessus Community, Enabling Nessus To Validate Modern Cloud Infrastructures
May 17, 2022The addition of Terrascan to the Nessus family of products helps users better secure cloud native infrastructure by identifying misconfigurations, security weaknesses, and policy violations by scanning Infrastructure as Code repositories.
CVE-2024-7593: Ivanti Virtual Traffic Manager Authentication Bypass Vulnerability
August 14, 2024Ivanti released a patch for a critical severity authentication bypass vulnerability and a warning that exploit code is publicly available
Microsoft’s August 2024 Patch Tuesday Addresses 88 CVEs
August 13, 2024Microsoft addresses 88 CVEs with seven critical vulnerabilities and 10 zero-day vulnerabilities, six of which were exploited in the wild.
Compromising Microsoft's AI Healthcare Chatbot Service
August 13, 2024Tenable Research discovered multiple privilege-escalation issues in the Azure Health Bot Service via a server-side request forgery (SSRF), which allowed researchers access to cross-tenant resources.
- Nessus