Web_Application_Vul_Testing_with_Nessus_2012.02.01.pdf

The OWASP Foundation
http://www.owasp.org
Web Application Vulnerability
Testing with Nessus
Rïk A. Jones, CISSP
rikjones@computer.org

Rïk A. Jones
• Web developer since 1995 (16+ years)
• Involved with information security since 2006
(5+ years)
• Senior Information Security Analysts for Dallas
County Community College District
• CISSP and GIAC certified
• Member of the Dallas OWASP Leadership Team
• Member of the Dallas Chapter of InfraGard

|3
This is not a sales presentation
I am not affiliated with Tenable or Nessus other than
being a knowledgeable and frequent user.
I am here to show you how to use Nessus as a tool,
one of many tools I keep in my toolbox

Introduction to Nessus
Nessus is a multiple platform network and
host vulnerability scanner
Server Supported on:
• Window
• Linux
• Mac OS
• UNIX
Clients: Web based and Mobile (IOS, Android)
4

Nessus has 2 licensing models (plugin feeds)
• ProfessionalFeed
• Commercial use
• Access to support portal
• HomeFeed
• No charge
• Personal use only
• Some limits to functionality
• Only 16 IP addresses
• No compliance/audit checks
• No scan scheduling
5

Nessus Terminology
• Policy – Configuration settings for conducting a scan
• Scan – Associates a list of IPs and/or domain names with a policy
• Basic Scan (Run Now)
• Template
• Scheduled Template (ProfessionalFeed Only)
• One time or repeating
• Report – The result of a specific instance of a scan
• Plugin – A security check, or a scan settings window
• Plugin Family – A group of plugins with something in common (e.g.
FTP, Web Servers, Cisco)
6

Nessus Customization Options
• Reports Templates – Coded in XSLT
• Plugins – Coded in NASL (Nessus Attack Scripting Language)
• Audit Files – Coded in Pseudo-XML [ProfessionalFeed Only]
• Import/Export – Nessus & Nessus 2 format coded in XML. Same
format for reports and profiles
7

Logging in to Nessus
By default Nessus runs on port 8834 and can be
access with any Flash enabled Web Bowser
8

Basic Navigation
There are four navigation tabs at the top
•Reports
•Scans
•Policies
•Users
9

Reports Tab
The Reports tab list the results of scans you
have conducted, are currently running or have
imported
10

Scans Tab
The Scans tab list currently running scans,
scan templates and scheduled scans
11

Policies Tab
The Policies tab list the scan configurations
available for scans
12

Users Tab
The Users tab list users and allows the addition,
deletion or editing of users accounts
13

Creating a Basic Web
Application Scan Policy
The goal is to create a generic policy for
scanning unknown Web applications.
We will set basic settings that work for most
Web Applications
When we create an Advanced Web
application policy we will add additional
settings for a specific Web Application
14

Step 1: Go to the Policies Tab and select the
default “Web App Test” policy
15

Step 2: Click on the “Copy” button. This will
create a new Policy called “Copy of Web App
Test”
16

Step 3: Select the new policy “Copy of Web App
Test”
17

Step 4: Click on the Edit Button
18

This will open the Edit Policy screen
19

Step 5: Change the policy name
20

Step 6: Uncheck all port scanners except for
“TCP Scan” and “Ping Host”
21

Step 7: Set the Port Scan Range
• default = all common ports listed in the “nessus-services” configuration file
• all = every port (1 - 65,535)
• Specific list (e.g. 80, 443, 8080, 8009)
22

Step 8: Click on the “Plugins” Side Tab
23

This should take you to the Plugins selection
24

Step 9: Click on “Disable All” to disable all plugin
families
25

Step 10: Enable the following plugin families by
clicking on the grey dot next to the family name
26
• Backdoors
• CGI Abuses
• CGI Abuses : XSS
• Cisco
• Databases
• FTP
• Firewalls
• Gain a shell remotely
• General
• Misc.
• Netware
• Peer-To-Pear File Sharing
• SMTP problems
• Service detection
• Settings
• Web Servers
• Windows
• Windows: Microsoft Bulletins

Step 11: Click on the “Preferences” Side Tab
27

This should take you to the Preferences section
28

Step 12: Select “Global variable settings” from
the Plugin pull down menu
29

Step 13: Check the “Probe services on every
port” checkbox on “Global variable settings”
30

Step 14: Check the “Enable CGI scanning”
checkbox on “Global variable settings”
31

Step 15: Check the “Enable experimental
scripts” checkbox on “Global variable settings”
32

Step 16: Check the “Through test (slow)”
checkbox on “Global variable settings”
33

Step 17: Set the “Report Verbosity” pull-down
menu to “Verbose” on “Global variable settings”
34

Step 18: Set the “Report paranoia” pull down
menu to “Normal” on “Global variable settings”
35

Step 19: Select “Login configurations” from the
Plugin pull down menu
36

Step 20: Set the “HTTP account” and “HTTP
password” on “Login configurations” to a value
that is a common default in your environment.
37

Step 21: Select “Web Application Test Settings”
from the Plugin pull down menu
38

Step 22: Make sure that the “Enable web
application test” checkbox is checked on “Web
Application Test Settings”
39

Step 23: The “Maximum run time” on “Web
Application Test Settings” can be left at the
default of 60 min. If you see timeouts in the
result you may need to increase this value
40

Step 24: Check the “Try all HTTP methods” on
“Web Application Test Settings”
41

Step 25: Set the “Combinations of Arguments
values” pull-down menu to “some pairs”
42

Step 26: Check the “HTTP Parameter Pollution”
checkbox
43

Step 27: Set the “Stop at first flaw” pull-down
menu to “look for all flaws” or “per parameter”
44

Step 28: Un-check the “Test embedded web
servers” checkbox
45

Step 29: Select “Web mirroring” from the Plugin
pull down menu
46

Step 30: Make sure that the “Follow dynamic
pages” checkbox is checked on “Web mirroring”
47

Step 31: Select “HTTP login page” from the
48

Step 32: Check “Automated login page search”
checkbox is checked on “HTTP login page”
We will look at the other settings on this page in
the Advanced Scan policy section
49

Step 33: Click on the Submit Button in lower
right corner to save your policy
50

Create Basic Scan Template
Step 1: Click on the “Scan” tab on the top
51

Step 2: Click on the “Add” button
52

This should take you to the interface to create a
new scan.
53

Step 3: Name the Scan
54

Step 4: Set the scan Type to “Template”
55

Step 5: Select the Basic Web App policy you just
created
56

Step 6: Enter you scan target IP, domain name
or network range
57
• single IPaddress or comma separated list (e.g.,192.168.0.1,192.168.206.134)
• IP range (e.g., 192.168.0.1-192.168.0.255)
• subnet with CIDR notation (e.g., 192.168.0.0/24)
• or resolvable host (e.g., www.nessus.org).

Step 7: Click on the “Save Template” button to
save your scan template
58

Running Basic Scan Template
Step 1: Select you Basic Scan Template on the
Scans Tab
59

Step 2: Click on the Launch Button
60

“Template was successfully launched” should
appear at the top of the screen and a “running
copy” of your scan will appear in the list with a
progress bar.
61

Reviewing the Scan Report
Click on the Reports tab
63

To open the report double-click on your scan
report or select it and click on the Browse button
64

The scan report shows a list of IPs or domain
names with indication of the number of High,
Medium and Low Vulnerabilities and open ports
65

Single click on the IP address to drill into each
scanned device to get a list of open ports with
vulnerability counts
66

Single click on a port row to drill into the port to
get a list of vulnerabilities found
67

Single click on a vulnerabilities to see the details
68

To find a specific vulnerability click on the “Show
Filters” button
69

You have lot of options here. We are going to
look for a specific Plugin by ID to check for
Timeouts
70

Looking at the details of Plugin #39470 will tell
you if you need to increase your CGI run time
71

Downloading Scan Report
To download your scan report select it in the
reports list and click on the “Download” button
72

or when viewing the report click on the
download button. Note that any filters current
applied will be applied to the downloaded report
73

Select a Download format
• .nessus & .nessus(v1) can edited and re-imported (XML)
• HTML Detailed or HTML Executive Reports
• RTF
• Custom
74

Creating an Advanced Web
The goal is to create a specific policy for
scanning a known Web applications
This will be based on the Basic Web
Application Scan Policy we just created
Our target for this example will the “Damn
Venerable Web App” on the “OWASP Broken
Web Applications” VMWare image
82

Step 1: Go to the Policies Tab and select the
Basic Web Applications policy you just created
83

Step 2: Click on the “Copy” button. This will
create a new Policy called “Copy of …”
84

Step 3: Select the new policy “Copy of …”
85

Step 4: Click on the Edit Button
86

This will open the Edit Policy screen
87

Step 5: Change the policy name
88

Step 6: Change the Visibility to Private
89

Step 6: Uncheck all port scanners. We know
what port we want
90

Step 7: Set the “Port Scan Range” to only the
ports the target Web application is using. In our
example we are running on port 80
91

Step 8: Select “HTTP login page” from the
92

We will need to do some reconnaissance to get
the values for these fields.
93

Step 9: Find the Login Screen
/dvwa/login.php
94

Step 10: Enter the Login page path (not the full
URL)
95

Step 11: View source on the login page to find the
“Login Form” (action) and “Login Form Method”
96

Step 12: Enter the “Login form” path (not full
URL) based on the “action” attribute of the form
97

Step 13: Enter the “Login from method” based
on the “method” attribute of the form
98

Step 14: Determine the “Login form fields” and
values by trapping the login with tamper data or
a Web proxy
99

Step 15: Enter the “Login from fields”
Substitute %USER% for the user name
Substitute %PASS% for the password
100

Step 16: Uncheck “Automated login page
search” since we have told Nessus where the
login form is located
101

Step 17: Find criteria to confirm login
•Authenticated page path
•Text in the page HTML
102

Step 18: Enter the “Check authentication on
page” path
103

Step 19: Enter the “Authentication regex.”
This pattern allows the ”L” to be case insensitive
104

Step 20: Select “Web Application Test Settings”
from the Plugin pull down menu
105

Step 21: Increase the “Maximum run time”
value. Remember that the Basic Policy timed
out.
106

Step 22: Select “Web mirroring” from the Plugin
pull down menu
107

Step 23: Set the Start page to go to the target
Web Application
108

Step 24: Set the “Exclude Items regex” to avoid
logging out or going to places that we don’t
want to test.
109

Step 25: Click on the Submit Button in lower
right corner to save your policy
110

Create Advanced Scan
Template
Step 1: Click on the “Scan” tab on the top
111

Template
Step 2: Click on the “Add” button
112

Template
This should take you to the interface to create a
new scan.
113

Template
Step 3: Name the Scan
114

Template
Step 4: Set the scan Type to “Template”
115

Template
Step 5: Select the Advanced Web App policy you
just created
116

Template
Step 6: Enter you scan target IP, domain name
or network range
117
• single IPaddress or comma separated list (e.g.,192.168.0.1,192.168.206.134)
• IP range (e.g., 192.168.0.1-192.168.0.255)
• subnet with CIDR notation (e.g., 192.168.0.0/24)
• or resolvable host (e.g., www.nessus.org).

Template
Step 7: Click on the “Save Template” button to
save your scan template
118

Reviewing the Report for
OWASP Top Items
A1 – Injection
• SQL Injection (CGI abuses) > 11139, 42424, 42426, 42427, 42479,
43160, 51973
• XML Injection (CGI abuses) > 46196
• HTTP Header Injection (CGI abuses: XSS) > 39468, 49067
• Cookie Injection > 44135 (CGI abuses)
A2 – Cross-Site Scripting (XSS)
• Cross-Site Scripting (CGI abuses: XSS) > 10815, 39466, 42425,
47831, 46193, 49067, 51972
A3 –Broken Authentication and Session Management
• Authentication not over SSL > 26194, 34850
• Is SSL Implement Properly > 15901, 20007, 26928, 35291, 42053,
42873 , 42880, 53491, 53360, 56043, 56284, 56984, 57041
120

OWASP Top Items Cont.
A4 –Insecure Direct Object References
• Browsable Web Directories > 40984
• Path Transversal (CGI abuses)> 50494
• Parameters identified for manual testing > 40773, 44134, 47830 *
A5 –Cross-Site Request Forgery (CSRF)
• CGI Generic On Site Request Forgery (OSRF) > 47832
• Specific Product checks with known CSRF Vulnerabilities
A6 –Security Misconfiguration
• Covered by Nessus Audit Checks in the ProfessionFeed
• Identifies Open ports and services for manual review
• Many checks for default accounts and passwords
121

OWASP Top Items Cont.
A9 –Insufficient Transport Layer Protection
• Authentication not over SSL > 26194, 34850
• Is SSL Implement Properly > 15901, 20007, 26928, 35291, 42053,
42873 , 42880, 53491, 53360, 56043, 56284, 56984, 57041
• Secure Cookie Use > 49218, 84832
A10 –Unvalidated Redirects and Forwards
• CGI Generic Open Redirection > 47834
122

2007 OWASP Top Items
2007 A3–Malicious File Execution
• Command Execution (CGI abuses) > 39465, 44967
2007 A6 –Information Leakage and Improper Error Handling
• Directory Traversal (CGI abuses) > 39467, 46195, 46194
• File Inclusion (CGI abuses) > 39469, 42056, 42872
• Server Side Includes (CGI abuses) > 42423, 42054
• Error Messages > 40406, 48926, 48927
123

Other Nessus CGI checks
• Format String (CGI abuses) > 42055
• Cookie Manipulation (CGI abuses) > 44136
• Additional attacks (CGI abuses) > 44134, 47830, 47832, 47834
124

Resources
Nessus Website
http://www.nessus.org/products/nessus
My Email
rikjones@computer.org
125

Web_Application_Vul_Testing_with_Nessus_2012.02.01.pdf

More Related Content

Similar to Web_Application_Vul_Testing_with_Nessus_2012.02.01.pdf (20)

Recently uploaded (20)

Web_Application_Vul_Testing_with_Nessus_2012.02.01.pdf