Nessus Web Attacks
The Tenable research and development team has released a new set of plugins and options that dramatically improve the web application testing functionality of Nessus. The new plugins give the end user more control over how Nessus tests for web application vulnerabilities and expand the types of testing performed. The new testing methods implement several additional CGI tests that look for different classes of vulnerabilities such as SQL injection, remote file inclusion and more. The following plugins are now available to both ProfessionalFeed and HomeFeed clients:
New Web Application Testing Functionality
These automated tests are not designed to replace a proper web application assessment or specific web application scanners, but rather to find flaws that can be enumerated based on a known set of vulnerability criteria. Many of the new tests existed in some capacity before, but have been updated to include additional methods of testing, more accurate detection and a new engine that can support more concurrent tests.
The old "torturecgis.nasl" is now disabled in favor of the new plugins; it would not run unless "safe_checks" was turned off. The new plugins will run if safe_checks is turned on, but they are disabled by default. Users are encouraged to enable web application tests for servers with web services and web applications. For those unfamiliar with web application testing, it can be an intensive process and considerably slower than a Nessus network vulnerability scan that tests only the exposed services.
Web Application Settings
The new settings can be found in the advanced tab under "Web Application Tests Settings":
Check "Enable web applications tests" to run the enhanced web application testing. In order to manage the length of time Nessus will spend performing web application tests, you can now set the Maximum run time (in minutes). By default it is set to 60 minutes, which applies to all ports and CGIs for a given web site. Scanning the local network for web sites with small applications will typically complete in under an hour; however, if you plan to scan web sites with large applications, consider increasing this value. If max_checks is set very low, Nessus may not be able to run the scripts concurrently, which would significantly increase the time it takes to complete. A nice feature added to the CGI testing scripts is the ability to send POST requests in addition to GET requests, which enables testing of HTML forms for vulnerabilities.
The next two options allow the end user to adjust how Nessus tests each CGI script. To better understand the options, it is important to understand how Nessus tests applications. Each application test plugin has a list of attack strings that are injected in succession for every parameter of the script (or stops as soon as a flaw is found, if configured to). While a given parameter is 'attacked', valid values as found by webmirror.nasl are provided to the other parameters. The "Combinations of arguments values" setting has three options:
- one value - This will test one parameter at a time with an attack string, without trying non-attack variations for additional parameters. For example, Nessus would attempt "/test.php?arg1=XSS&b=1&c=1" where 'b' and 'c' allow other values, without testing each combination. This is the quickest method of testing, with the smallest data set generated.
- all pairs (slower but efficient) - This form of testing tries a representative data set of tests based on the All-pairs testing method. While testing multiple parameters, it will test an attack string, variations for a single variable and then use the first value for all other variables. For example, Nessus would attempt "/test.php?a=XSS&b=1&c=1&d=1" and then cycle through the variables so that one is given the attack string, one is cycled through all possible values (as discovered during the mirror process) and any other variables are given the first value. In this case, Nessus would never test for "/test.php?a=XSS&b=3&c=3&d=3" when the first value of each variable is '1'.
- all combinations (extremely slow) - This method of testing will do a fully exhaustive test of all possible combinations of attack strings and valid input to variables. Where 'All-pairs' testing seeks to create a smaller data set as a tradeoff for speed, 'all combinations' makes no compromise on time and uses a complete data set of tests.
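To make the size difference between the three settings concrete, here is an added example (not Nessus or Tenable code) that generates the request set each option produces for the "/test.php" script from the text, following the descriptions above: "one value" attacks one parameter with the others at their first value, "all pairs" additionally cycles one other parameter through all of its discovered values, and "all combinations" takes the full product. The parameter names and their discovered values are constructed for the example, and "XSS" is kept as the placeholder marker the text uses for an attack string.

```python
from itertools import product
from urllib.parse import urlencode

# Placeholder standing in for a plugin's attack string, as in the "/test.php?a=XSS..." examples.
ATTACK = "XSS"

# Constructed example: values webmirror.nasl might have discovered for four parameters of /test.php.
SCRIPT = "/test.php"
SCRIPT_PARAMS = {"a": ["1", "2", "3"], "b": ["1", "2", "3"],
                 "c": ["1", "2", "3"], "d": ["1", "2", "3"]}


def one_value(params):
    """One request per parameter: the target gets the attack marker and every
    other parameter gets the first value discovered for it."""
    return [{p: (ATTACK if p == target else vals[0]) for p, vals in params.items()}
            for target in params]


def all_pairs(params):
    """Per attacked parameter, one other parameter cycles through all of its
    discovered values while the rest keep their first value (the scheme the
    'all pairs' option describes); duplicate requests are dropped."""
    cases = {}
    for case in one_value(params):            # also covers single-parameter scripts
        cases[tuple(case.items())] = case
    for target in params:
        for cycled in params:
            if cycled == target:
                continue
            for v in params[cycled]:
                case = {p: (ATTACK if p == target else (v if p == cycled else vals[0]))
                        for p, vals in params.items()}
                cases.setdefault(tuple(case.items()), case)
    return list(cases.values())


def all_combinations(params):
    """Per attacked parameter, every combination of discovered values for the others."""
    cases = []
    for target in params:
        others = [p for p in params if p != target]
        for combo in product(*(params[p] for p in others)):
            filled = dict(zip(others, combo))
            filled[target] = ATTACK
            cases.append({p: filled[p] for p in params})   # keep the script's parameter order
    return cases


def to_requests(cases, script=SCRIPT):
    """Render each test case as the GET request line a scanner would send."""
    return [f"{script}?{urlencode(case)}" for case in cases]


if __name__ == "__main__":
    for name, strategy in (("one value", one_value), ("all pairs", all_pairs),
                           ("all combinations", all_combinations)):
        reqs = to_requests(strategy(SCRIPT_PARAMS))
        print(f"{name:16s} {len(reqs):4d} requests, e.g. {reqs[0]}")
```

With four parameters of three values each, "one value" yields 4 requests, "all pairs" 28 and "all combinations" 108 per attack string; the request "/test.php?a=XSS&b=3&c=3&d=3" from the text appears only in the last set, which is the trade-off the options describe.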
For most testing, and the best balance of thoroughness and speed, the "all pairs" option is the best choice. The "Stop at first flaw" option allows you to control when Nessus should stop testing a specific host or application:
- per port (quicker) - Once Nessus finds a web application flaw, for the CGI testing only, it will stop testing all applications on this port for that host. This is handy for PCI-DSS testing, as you will fail the test if just one flaw is found.
- per CGI - Nessus will stop once it has found a flaw in a particular CGI script. You can save time by having Nessus stop at each CGI, then go back and perform manual testing and/or source code review on the applications that failed.
- look for all flaws - This option will cause Nessus to continue testing until it exhausts all options as defined in your settings, regardless of the number of flaws found.
The final option is whether or not Nessus will test embedded web servers and associated applications. Often, embedded web servers are static and cannot be configured with custom CGI applications. In addition, scanning embedded web servers can be very slow and/or cause problems on the device; therefore they should be tested separately.
The old option "Enable CGI scanning" is still present; it launches the specific tests against known CGI applications, independent of the web mirroring results.
Additions have also been made to the Web Mirroring functionality in Nessus. You can find this option in the advanced tab under "Web mirroring":
Two new options have been added to the web mirror functionality. It is very important to adjust settings on this tab, as Nessus will only test the pages or sites that are found by the web mirroring.
- Excluded items regex - Allows you to exclude portions of the web site from being crawled. For example, if you do not want to crawl (or scan) "/manual" and do not want to test all your Perl CGI, set this field to: (^/manual)|(\.pl(\?.*)?$)
- Maximum depth - Limits the number of links Nessus will follow for each start page.
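Because an exclusion regex that is too loose silently shrinks the crawl, and therefore the set of pages that ever get tested, it is worth checking the pattern against sample paths before a scan. The following added example (not Nessus code) applies the exclusion regex from the text to a constructed list of discovered paths and contrasts it with an unanchored variant; it assumes the regex is applied as an unanchored search over each path, with Python's re module standing in for the engine Nessus uses.

```python
import re

# The exclusion pattern from the text: skip /manual and every Perl CGI.
EXCLUDE_RE = r"(^/manual)|(\.pl(\?.*)?$)"

# A loosely written variant without anchors, constructed for comparison.
LOOSE_RE = r"manual|\.pl"

# Constructed sample of paths a web mirror might discover.
SAMPLE_PATHS = [
    "/", "/index.php", "/manual/", "/manual/index.html", "/docs/manual.html",
    "/cgi-bin/search.pl", "/cgi-bin/search.pl?q=1", "/static/app.plx",
]


def crawl_filter(paths, exclude_regex):
    """Split discovered paths into those that stay in scope and those the regex excludes.
    Assumption: the pattern is applied as an unanchored search over each path, so any
    anchoring must be written into the pattern itself."""
    pattern = re.compile(exclude_regex)
    kept, excluded = [], []
    for path in paths:
        (excluded if pattern.search(path) else kept).append(path)
    return kept, excluded


if __name__ == "__main__":
    for label, rx in (("anchored", EXCLUDE_RE), ("loose", LOOSE_RE)):
        kept, excluded = crawl_filter(SAMPLE_PATHS, rx)
        print(f"{label:8s} excluded: {excluded}")
```

The anchored pattern excludes only the "/manual" tree and files whose extension is .pl (with or without a query string), while the loose variant also drops "/docs/manual.html" and "/static/app.plx", pages that would then never be tested.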
Since the web application testing relies on the results from web mirroring, it is important to configure it to be as thorough as possible. Be certain to check "follow dynamic pages" so that Nessus will look at the HTML and crawl to additional pages based on the content it discovers. In addition, the "Start page" now accepts a list of pages (separated by ":") that allows you to specify areas of the web site to crawl.
Conclusion
With web application vulnerabilities so prevalent and widely exploited in many organizations, this update greatly improves Nessus's scanning capability in this area. It gives end users more control and updates the current web application testing capabilities of Nessus so that it can catch more of the "low hanging fruit". Tenable would like feedback on how the new plugins perform, not only with respect to bugs and/or false positives, but success stories as well. You can go to the Nessus Discussion Forums to discuss web application scanning and all things Nessus.