16 posts categorized "Web App Auditing"

 

4 out of 5 CISOs Don't Scan for Off-Port Web Servers

An off-port web server is one that does not listen on the usual ports 80 or 443. Management consoles, development systems, devices that use HTTP as their management protocol and many other systems can listen on any port; 8080 and 8443 are the most common alternatives, and a scan that only checks the well-known ports will miss all of them.
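As an added illustration (not code from the post or from Nessus), the check a practitioner can script to find such servers: connect to each candidate port, ask it to speak HTTP in the clear, and if the port is open but does not answer HTTP, repeat the same request inside TLS. The host, port list and the local demo server are assumptions made for the example.

```python
"""Find HTTP servers on arbitrary ports by speaking HTTP to them, plain first, then over TLS."""
import http.server
import socket
import ssl
import threading

PROBE = b"HEAD / HTTP/1.0\r\nHost: %s\r\nConnection: close\r\n\r\n"


def _exchange(sock, host):
    """Send one HEAD request and read up to 4 KiB of whatever comes back."""
    sock.sendall(PROBE % host.encode())
    data = b""
    while len(data) < 4096:
        chunk = sock.recv(1024)
        if not chunk:
            break
        data += chunk
    return data


def _parse_response(raw, tls):
    """Return status and Server header if the bytes look like an HTTP response, else None."""
    if not raw.startswith(b"HTTP/"):
        return None
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
    return {"tls": tls, "status": status, "server": headers.get("server", "")}


def probe_http(host, port, timeout=3.0):
    """Describe the HTTP service on host:port, or return None if nothing answers HTTP."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return None  # closed or filtered: nothing listening
    try:
        raw = _exchange(sock, host)
    except OSError:
        raw = b""  # e.g. reset because the listener expected a TLS handshake
    finally:
        sock.close()
    found = _parse_response(raw, tls=False)
    if found:
        return found
    # Open port that did not answer plain HTTP: retry the same request inside TLS.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # discovery only; certificate trust is a separate audit
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls_sock:
                raw = _exchange(tls_sock, host)
        return _parse_response(raw, tls=True)
    except (OSError, ssl.SSLError):
        return None


def sweep(host, ports, timeout=1.0):
    """Map port -> service description for every port that answers HTTP."""
    found = {}
    for port in ports:
        info = probe_http(host, port, timeout)
        if info:
            found[port] = info
    return found


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo server silent
        pass


def start_demo_server():
    """Constructed off-port target: Python's stock HTTP server on a random high port."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), _QuietHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    srv, port = start_demo_server()
    print(sweep("127.0.0.1", [80, 443, 8080, 8443, port]))
    srv.shutdown()
```

The point of probing rather than trusting port numbers is that the decision is made on the response bytes: anything that answers `HTTP/` on any port is a web server and belongs in the web application audit. Run the sweep over all 65,535 ports (or feed it the open ports from a port scan) rather than a short list, which is exactly the mistake the post's title is about.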

Continue reading "4 out of 5 CISOs Don't Scan for Off-Port Web Servers" »

 

New Nessus Scan Policy Templates Added in the Plugin Feed

We are pleased to announce that four new Nessus policy templates will be distributed to Nessus ProfessionalFeed and HomeFeed users via the Nessus plugin feed. This is the first time we have used "push" functionality to send down scan policy templates.

[Screenshot: the four new policy templates listed in the Nessus "Policies" tab]

The four new Nessus scan policy templates will appear in the "Policies" tab once your Nessus installation has updated the plugins:

  • External Network Scan - This policy is tuned to scan externally facing hosts, which typically present fewer services to the network. The plugins associated with known web application vulnerabilities (the CGI Abuses and CGI Abuses : XSS plugin families) are enabled in this policy, and all 65,535 ports are scanned on each target.

Continue reading "New Nessus Scan Policy Templates Added in the Plugin Feed" »

 

Nessus: Mythbusters Edition

I've recently been doing a bit of research into the history of Nessus. I discovered that the first version of Nessus was published in 1998, and any time software has been around for that long there are bound to be some myths and misconceptions that develop as fast as new features over the years. This post will explain some common myths and set the record straight.


While we did not generate any large explosions for this post, I dove across the office, just because.

Continue reading "Nessus: Mythbusters Edition" »

 

SSL Certificate Authority Auditing with Nessus

Do you know where all of your organization’s SSL certificates are, and whether they provide enough protection for you and your customers? Nessus can be used to identify every SSL certificate in use, test whether it has expired and, with the advent of plugin #51192, test that it was signed by a trusted certificate authority. This blog entry reviews Nessus’s SSL certificate auditing capabilities and describes how plugin #51192 can help monitor your network for untrustworthy SSL certificates.
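As an added example (not code from the post or from plugin 51192), the same three checks done with the Python standard library: a fully verified TLS handshake answers "signed by a CA this host trusts, for this hostname"; the `notAfter` field answers "expired or expiring"; and when verification fails, a second unverified connection still records the fingerprint of whatever certificate the server presented, so the finding can be tracked. The host name, warning threshold and the category labels are assumptions made for the example.

```python
"""Audit one TLS endpoint: trust chain and hostname via full verification, then expiry window."""
import hashlib
import socket
import ssl
import sys
import time

# Fragments of OpenSSL/Python verification messages, mapped to audit categories.
_REASONS = (
    ("certificate has expired", "expired"),
    ("certificate is not yet valid", "not_yet_valid"),
    ("self signed certificate", "self_signed"),
    ("self-signed certificate", "self_signed"),
    ("unable to get local issuer certificate", "untrusted_issuer"),
    ("unable to get issuer certificate", "untrusted_issuer"),
    ("hostname mismatch", "hostname_mismatch"),
    ("ip address mismatch", "hostname_mismatch"),
)


def classify_failure(message):
    """Reduce an ssl.SSLCertVerificationError message to one category."""
    text = message.lower()
    for needle, label in _REASONS:
        if needle in text:
            return label
    return "other"


def days_until_expiry(not_after, now=None):
    """Days left, given getpeercert()'s notAfter string such as 'Jun  1 12:00:00 2025 GMT'."""
    expires = ssl.cert_time_to_seconds(not_after)
    now = time.time() if now is None else now
    return (expires - now) / 86400.0


def audit_certificate(host, port=443, timeout=5.0, warn_days=30):
    """Verify against the system trust store; if that fails, still fingerprint the presented cert."""
    report = {"host": host, "port": port, "trusted": False, "problems": []}
    verified = ssl.create_default_context()  # system CA bundle, hostname check on
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with verified.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                der = tls.getpeercert(binary_form=True)
        report["trusted"] = True
        report["issuer"] = dict(pair[0] for pair in cert["issuer"])
        report["days_left"] = round(days_until_expiry(cert["notAfter"]), 1)
        if report["days_left"] < warn_days:
            report["problems"].append("expires_soon")
    except ssl.SSLCertVerificationError as err:
        report["problems"].append(classify_failure(str(err)))
        # The handshake failed verification, so no certificate dict is available. Reconnect
        # without verification purely to record what the server presented: in this mode
        # getpeercert() returns {} but binary_form=True still yields the DER bytes.
        unverified = ssl.create_default_context()
        unverified.check_hostname = False
        unverified.verify_mode = ssl.CERT_NONE
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with unverified.wrap_socket(sock, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
    report["sha256"] = hashlib.sha256(der).hexdigest()
    return report


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    print(audit_certificate(target))
```

One caveat: "trusted" here means trusted by the CA bundle on the machine running the audit. A scanner host with a stale or non-standard bundle will flag certificates that browsers accept, and vice versa, so keep the audit host's trust store deliberately maintained.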

Continue reading "SSL Certificate Authority Auditing with Nessus" »

 

Introducing the Nessus Perimeter Service : redefining the cost of online scanning

Have you ever wanted to run an external Nessus vulnerability audit of your DMZ but didn’t have access to a Nessus scanner located outside your network? Tenable Network Security now offers the Nessus Perimeter Service, which provides unrestricted and unlimited vulnerability scans through annual and thirty-day subscriptions.

Scan any number of Internet facing sites you are authorized to scan from your desktop computer, mobile laptop, iPhone, customer network or wherever is convenient, as often as you want, all for a flat fee. And best of all – if you are a Nessus user, you already know how to use our service. Subscribers of the Nessus Perimeter Service are logged into the Nessus scanners hosted in Tenable’s secure datacenter. 

The Nessus Perimeter Service supports all of the major features of Nessus including:

  • Rapid and Accurate Discovery of Systems and Vulnerabilities
  • Vulnerability Scan Scheduling
  • Support for the Nessus iPhone App
  • Preparing for PCI-DSS Vulnerability Audits
  • In-depth Web Application Scanning
  • Highlighting vulnerabilities which have public exploits
  • Patch and Configuration Auditing for web servers and many other devices
  • Executive, Detailed and Differential reports
  • Sharing results with Tenable’s SecurityCenter and 3rd party SIEM and GRC solutions 

Pricing for the annual and thirty day subscriptions to the Nessus Perimeter Service set a new benchmark for value in the managed scanning industry:

  • 1 Year Nessus Perimeter Service Subscription, Unlimited Scans: $3600
  • 30 Day Nessus Perimeter Service Subscription, Unlimited Scans: $995

Both subscriptions can be purchased on Tenable’s online store.

The service includes access for one user account to perform scans and analyze results. Access to Tenable’s ticketing system for world-wide Nessus support is also available 24x7. The Nessus Perimeter Service also makes use of the very latest Nessus plugins developed by Tenable’s world renowned Research team. 

To learn more about this offering, please contact our sales staff, read the Nessus Perimeter Service FAQ or watch this introductory video. If you would like to run Nessus on your own hardware, commercial organizations should consider the Nessus ProfessionalFeed. If you are a large organization and are considering SIEM or GRC solutions, you should also consider the Tenable SecurityCenter.


Advanced Web Application Scanning Using Nessus Video

A new video has been uploaded to the Tenable Security YouTube Channel titled, "Advanced Web Application Scanning Using Nessus":


Please visit the Tenable YouTube Channel where you can view the above video in High Definition for better picture quality

Continue reading "Advanced Web Application Scanning Using Nessus Video" »

 

Basic Web Application Scanning Using Nessus Video

A new video has been uploaded to the Tenable Security YouTube Channel titled, "Basic Web Application Scanning Using Nessus":


Please visit the Tenable YouTube Channel where you can view the above video in High Definition for better picture quality

Continue reading "Basic Web Application Scanning Using Nessus Video" »

 

Integrating Nikto with Nessus Video

A new video has been uploaded to the Tenable Security YouTube Channel titled, "Integrating Nikto with Nessus":



Please visit the Tenable YouTube Channel where you can view the above video in High Definition for better picture quality

When installing Nikto on Linux systems, here are a few tips:

Continue reading "Integrating Nikto with Nessus Video" »

 

Nessus Web Application Scanning - New plugins & Configuration

Zen and the Art of Nessus Web Application Scanning

Tenable’s research and development teams have been steadily adding new features and plugins to the web application scanning functionality in Nessus to detect web application vulnerabilities. These can be grouped into two categories:

  • Known Web Application Vulnerabilities - Nessus contains over 1,700 plugins that can fingerprint and detect known vulnerabilities in web applications. Any plugin listed in the "CGI Abuses" or "CGI Abuses : XSS" plugin families is written to enumerate vulnerabilities that have been previously reported in a web application product (open-source or commercial). To enable these plugins you MUST enable CGI scanning in a Nessus policy's "Preferences" section. Even if you enable the plugin families they will not execute if CGI scanning is not enabled.
  • Previously Unknown Web Application Vulnerabilities - This level of scanning uses various fuzzing and other enumeration techniques to detect vulnerabilities that may not yet have been discovered. Each parameter of the web application is tested for SQL injection, cross-site scripting and a large number of other common web application attacks. Nessus has a comprehensive list of different attack strings and methods to find vulnerabilities in web applications. More information about these can be found in the Nessus User Guide.
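As an added example (not code from the post or from the Nessus plugins) of what the second category does in practice, a stripped-down per-parameter fuzzer: each query parameter is replaced in turn, once with a unique marker whose verbatim return proves unencoded reflection (the precondition for cross-site scripting) and once with a single quote whose result is checked for database error signatures (a classic SQL injection tell). The deliberately vulnerable target it runs against is constructed for the example and is not a real product; the marker, payloads and signature list are assumptions.

```python
"""Per-parameter fuzzing of a query string: unencoded reflection (XSS) and DB error signatures (SQLi)."""
import http.server
import threading
import urllib.error
import urllib.parse
import urllib.request


# Constructed, deliberately vulnerable target (not a real product): /search reflects q unescaped
# and leaks a database error when sort contains a quote.
class VulnerableApp(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        url = urllib.parse.urlsplit(self.path)
        qs = dict(urllib.parse.parse_qsl(url.query, keep_blank_values=True))
        if url.path != "/search":
            return self._reply(404, "not found")
        sort = qs.get("sort", "name")
        if "'" in sort:  # stands in for an unparameterised ORDER BY clause
            return self._reply(500, "You have an error in your SQL syntax near '%s'" % sort)
        self._reply(200, "<h1>Results for %s</h1>" % qs.get("q", ""))

    def _reply(self, code, body):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):
        pass


# A unique marker: if it comes back byte-for-byte, the parameter is reflected without encoding.
XSS_MARKER = "<zz9>nssx</zz9>"
SQLI_PAYLOAD = "'"
SQL_ERROR_SIGNATURES = (
    "error in your sql syntax", "unclosed quotation mark", "ora-01756",
    "pg_query", "sqlite3.operationalerror", "syntax error at or near",
)


def fetch(url):
    """GET a URL and return the body even for 4xx/5xx, since error pages carry the evidence."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        return err.read().decode(errors="replace")


def fuzz_url(url):
    """Mutate one parameter at a time, leaving the others intact; return [(param, finding)]."""
    parts = urllib.parse.urlsplit(url)
    params = urllib.parse.parse_qsl(parts.query, keep_blank_values=True)
    findings = []
    for index, (name, _) in enumerate(params):
        for kind, payload in (("xss", XSS_MARKER), ("sqli", SQLI_PAYLOAD)):
            mutated = list(params)
            mutated[index] = (name, payload)
            body = fetch(parts._replace(query=urllib.parse.urlencode(mutated)).geturl()).lower()
            if kind == "xss" and XSS_MARKER.lower() in body:
                findings.append((name, "xss"))
            elif kind == "sqli" and any(sig in body for sig in SQL_ERROR_SIGNATURES):
                findings.append((name, "sqli"))
    return findings


def start_vulnerable_app():
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), VulnerableApp)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


if __name__ == "__main__":
    srv, base = start_vulnerable_app()
    print(fuzz_url(base + "/search?q=shoes&sort=name"))
    srv.shutdown()
```

Two things this makes visible. Mutating one parameter at a time is what attributes a finding to a specific parameter, and it is also why the number of requests grows as parameters times payloads, which is the scan-time cost the post warns about. And the detection is only as good as its evidence: a marker that comes back HTML-encoded, or an error page with a generic message, is a miss here, which is why real scanners carry far longer payload and signature lists and why a clean result is not proof of absence.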

The following sections provide more detailed information on how to enable features within Nessus to perform more exhaustive web application scans. Please note that use of these features will cause your scans to run longer!

Web Application Test Settings

Highlighted in red are two options that direct Nessus to be more comprehensive:

[Screenshot: the Web Application Tests Settings preferences, with the two options that make the scan more thorough highlighted in red]

Continue reading "Nessus Web Application Scanning - New plugins & Configuration" »

 

Detecting ALL of Your Websites Passively and Continuously

Web application auditing is really difficult if you don’t know about the presence of a website or specific application. You may not know about a web server. You may not know what applications run on that single web server. You may even have malicious websites installed on your network by malware or Trojans. Nessus is great for scanning and finding web servers, even on uncommon ports, but you need to scan often to get the most benefit. Fortunately, Tenable’s Passive Vulnerability Scanner (PVS) can discover new web servers and all of their active web sites in real time and without any impact on your network. This blog discusses how the PVS can be used to audit networks to find all authorized and malicious websites in use.

Continue reading "Detecting ALL of Your Websites Passively and Continuously" »

 

New Nessus Videos - Scanning With Credentials

Providing credentials so that Nessus can log into the systems being scanned is a very effective method of vulnerability scanning. It lets the scanner perform a patch audit, identify the operating system locally, enumerate ports from inside the host and audit the configuration files present on the target. For web application testing, credentials let Nessus reach and test the functionality behind the login, so a larger percentage of the application is covered. The following two videos cover network-based credentialed scanning and how to provide credentials for web application scanning using Nessus 4.2.


Network-based Credentialed Scanning & Patch Auditing


Continue reading "New Nessus Videos - Scanning With Credentials" »

 

Top 10 Nessus Plugins For 2009

Plugins, Glorious Plugins

In 2009, Tenable released over 8,100 new plugins (and the year isn’t over yet!). These plugins cover several different types of vulnerabilities, including web applications, embedded systems, local checks for operating systems and much more. We polled Tenable employees in our research and content groups to find some of our favorite plugins released this year, and compiled the following list:

Continue reading "Top 10 Nessus Plugins For 2009" »

 

Video: Web App Scanning With Credentials Using Nessus

Scanning web applications that require credentials can be a bit tricky as different applications may handle the authentication process in different ways. Nessus has configuration options that will allow you to define the authentication parameters for each application. Nessus also allows users to define pages that are not to be accessed during the web mirroring process, such as "logout.php", which prevents Nessus from being logged out of the application.
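As an added example (not code from the post or from Nessus), the failure mode the logout exclusion prevents, reproduced against a constructed demo application: the crawler logs in, mirrors the site breadth-first with the session cookie, and because the navigation bar links `/logout` before the content links, the unexcluded crawl ends its own session and then sees `/secret` as 403. The same crawl with a `logout` exclusion pattern keeps the session and reaches the page. The application, its single-cookie login scheme, and the paths are assumptions made for the example.

```python
"""Mirror an authenticated site while skipping URLs that would end the session."""
import http.server
import re
import threading
import urllib.error
import urllib.request
from collections import deque
from html.parser import HTMLParser

# Constructed target: /login hands out a session cookie, /logout revokes it, /secret needs it.
# The navigation bar links logout before the content links, as real templates often do.
PAGES = {
    "/": '<nav><a href="/logout">logout</a></nav> <a href="/secret">secret</a> <a href="/about">about</a>',
    "/about": '<p>About us</p> <a href="/">home</a>',
    "/secret": "<p>account data</p>",
}
SESSIONS = set()


class DemoApp(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        sid = self.headers.get("Cookie", "").replace("sid=", "").strip()
        if self.path == "/login":
            SESSIONS.add("tok1")
            self._reply(200, "logged in", {"Set-Cookie": "sid=tok1"})
        elif self.path == "/logout":
            SESSIONS.discard(sid)
            self._reply(200, "logged out")
        elif self.path == "/secret" and sid not in SESSIONS:
            self._reply(403, "forbidden")
        elif self.path in PAGES:
            self._reply(200, PAGES[self.path])
        else:
            self._reply(404, "not found")

    def _reply(self, code, body, extra=None):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(data)))
        for name, value in (extra or {}).items():
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):
        pass


class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)


def mirror(base, cookie, exclude=None):
    """Breadth-first crawl from base/ with the session cookie; return {path: status}."""
    skip = re.compile(exclude) if exclude else None
    seen, queue, statuses = set(), deque(["/"]), {}
    while queue:
        path = queue.popleft()
        if path in seen or (skip and skip.search(path)):
            continue
        seen.add(path)
        req = urllib.request.Request(base + path, headers={"Cookie": cookie})
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                statuses[path] = resp.status
                body = resp.read().decode(errors="replace")
        except urllib.error.HTTPError as err:
            statuses[path] = err.code
            body = ""
        parser = LinkCollector()
        parser.feed(body)
        queue.extend(link for link in parser.links if link.startswith("/"))
    return statuses


def login(base):
    """Fetch the session cookie the demo app issues (hypothetical single-cookie scheme)."""
    with urllib.request.urlopen(base + "/login", timeout=5) as resp:
        return resp.headers["Set-Cookie"].split(";")[0]


def start_demo_app():
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), DemoApp)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


if __name__ == "__main__":
    srv, base = start_demo_app()
    print("no exclusion:   ", mirror(base, login(base)))
    print("logout excluded:", mirror(base, login(base), exclude=r"logout"))
    srv.shutdown()
```

The subtle part is that nothing errors when the session is lost: every page still returns a status, so a crawl that silently logged itself out looks complete while having covered only the unauthenticated surface. Checking that a known authenticated-only page is still 200 at the end of the mirror is a cheap sanity test for any credentialed web scan.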

We have produced a video demonstration that walks you through configuring authentication for your web application Nessus scans:

You can also find a full size high definition version of the above video on the Tenable YouTube Channel.

A complete blog post was also published on this topic titled "Scanning Web Applications That Require Authentication".

 

Presentation "Using Nessus In Web Application Assessments"

At a recent OWASP meeting in Princeton, NJ I gave a short presentation on some techniques to have Nessus dig deeper into your web applications. There are several approaches to web application testing:

    "Blind Tests" - Often a penetration tester is provided a range of address space and some rules of engagement to define the parameters of the test. Information such as which IP addresses and/or hostnames are running web servers is not typically provided, nor is a list of which web applications are running on those web servers. Nessus contains functionality to identify running web servers and vulnerable web applications, which is very useful if you have a large amount of address space to scan. This does not replace manual testing, but provides a starting point for detailed web application tests.

Continue reading "Presentation "Using Nessus In Web Application Assessments"" »

 

Scanning Multiple Apache VirtualHosts With Nessus

Web sites have a way of evading vulnerability scanners in the form of virtual hosting. It is a common practice to host multiple web sites (and associated applications) on a single web server using only one IP address. This causes problems for vulnerability scanners, including Nessus, as they look for vulnerabilities on the single IP or hostname provided. The remote server directs this traffic to one specific virtual host or web application, leaving a considerable amount of virtual real estate untouched. The problem is that Nessus has no easy way to enumerate the domain names or additional IP addresses associated with a given system. Scanning every hostname, domain name and IP address associated with the server could reveal additional vulnerabilities in the web applications or hosts associated with the given server. For example, when scanning just a single IP address in the lab, I received the following result:
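As an added example (not code from the post or from Nessus) of why one IP address hides the other sites: name-based virtual hosting selects the site purely from the request's Host header, so sending the same `GET /` to the same IP with different Host values and comparing the responses to what a bogus name receives reveals which names the server actually recognises. The demo server, the candidate names and the `.test`/`.invalid` hostnames are assumptions made for the example.

```python
"""Enumerate name-based virtual hosts on one IP by varying only the Host header."""
import hashlib
import http.client
import http.server
import threading

# Constructed target: one IP address, three named sites plus a default catch-all.
SITES = {
    "www.example.test": "<h1>Corporate site</h1>",
    "intranet.example.test": "<h1>Intranet portal</h1>",
    "old.example.test": "<h1>Legacy application</h1>",
}
DEFAULT_SITE = "<h1>Default site</h1>"


class VHostServer(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        name = self.headers.get("Host", "").split(":")[0].lower()
        body = SITES.get(name, DEFAULT_SITE).encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass


def response_signature(ip, port, hostname):
    """GET / from the IP with an explicit Host header; return (status, sha256 of the body)."""
    conn = http.client.HTTPConnection(ip, port, timeout=5)
    try:
        conn.request("GET", "/", headers={"Host": hostname})
        resp = conn.getresponse()
        return resp.status, hashlib.sha256(resp.read()).hexdigest()
    finally:
        conn.close()


def enumerate_vhosts(ip, port, candidates):
    """Names whose response differs from what a bogus Host gets, i.e. names the server recognises."""
    baseline = response_signature(ip, port, "nonexistent.invalid")
    return [name for name in candidates if response_signature(ip, port, name) != baseline]


def start_demo():
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), VHostServer)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    srv, port = start_demo()
    wordlist = ["www.example.test", "mail.example.test", "intranet.example.test", "old.example.test"]
    print(enumerate_vhosts("127.0.0.1", port, wordlist))
    srv.shutdown()
```

The candidate list has to come from somewhere, typically DNS records, certificate subject alternative names, or a wordlist, and a site that serves the default content to unknown names is invisible to this comparison. Whatever the technique turns up, each recognised name then needs to be scanned as its own target so that the web application checks run against that site rather than against whatever the default host happens to be.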

Continue reading "Scanning Multiple Apache VirtualHosts With Nessus" »

 

Tips For Using Nessus In Web Application Testing

While Nessus has traditionally been a network vulnerability scanner, it contains quite a bit of functionality that can be used to identify vulnerabilities in custom web applications. This is not to say that Nessus will replace your favorite web application testing tool (or methodology), but it does provide useful information that can be used as the foundation for web application assessments or to indicate that deeper testing is warranted.

There are two different approaches to web application testing. The first is part of a larger, so-called "blind" test, where you are given a range of IP addresses and asked to test the devices and systems within those ranges. A general scan of that space will exercise the web applications only generically and may not test specifically for web vulnerabilities, so you first need to find and enumerate which web applications are running and then run targeted scans that look specifically for web vulnerabilities. The second form of testing is when you are given the URL, and typically credentials, of a specific web application and asked to test it. Nessus can help with both of these tasks and provide valuable information that will help with your testing. Nessus provides some of the first steps of web application testing, such as identifying the web server software and technologies, detecting vulnerabilities in common/popular web application software and rudimentary CGI application testing. This post focuses on using Nessus for network-based testing and describes several compliance-based checks that provide very thorough testing of web application environments, including scanning against the OWASP PHP security specifications and the Apache CIS Benchmarks.

Continue reading "Tips For Using Nessus In Web Application Testing" »