Nessus: Web Application Scanning

The previous post illustrated how to use Nessus to scan a network for vulnerabilities.  Nessus can also be used to find web application vulnerabilities.  In this post I will demonstrate how to set up a vulnerability scan for web applications.

As mentioned before, you should never scan an application that you don’t own or aren’t authorized to scan.  Just like my virtual network, I created a lab for testing Web applications.  The tutorial found here http://www.securityaegis.com/pentest-lab-web-application-edition/ shows you how.  This page has a list of vulnerable web applications that can be used for learning purposes http://securitythoughts.wordpress.com/2010/03/22/vulnerable-web-applications-for-learning/.  Also, check out the Maven Security Dojo http://www.mavensecurity.com/web_security_dojo/.  The security dojo contains a virtual Ubuntu machine with  various web application security testing tools and vulnerable web applications.  There are plenty of test targets, so there isn’t any reason to use live web applications.

I am going to use “The Damn Vulnerable Web App” as my target.  You can download it here: http://www.dvwa.co.uk/.  Also, this page has a helpful installation video:  http://www.securitytube.net/video/301.

After starting Nessus, I have to choose a policy and make any necessary changes.  Nessus contains a web application policy, so that is the one I will use.

The only change I made was to the port scan options. This scan will only run against ports 80, 443 and 8080, as these are the most common ports for web applications.

General Settings

Next the correct plugins have to be selected.   The ones that are used for web application testing are shown below.   Notice that there is also a plug-in to test the web server for vulnerabilities.   This allows for testing of not only the application itself, but also the server that it is running on.

Plugin Selection

Next, select the preferences tab, as there are a few changes that need to be made here.  Go to the “Global Variable Settings” plug-in by selecting it from the drop down at the top of the page.   There are three options that must be set.  The “Enable CGI scanning” check box causes Nessus to search the web server for known CGI applications and associated vulnerabilities. “Enable Experimental Scripts” allows Nessus to test for vulnerabilities that use new techniques. The “Thorough tests (slow)” expands your testing when it comes to web applications and allows the plugin to “try harder” on various tests.

Global Variable Settings.

Next, select the “Http Login Page” plugin.  This page is used to enter login information.  First, enter the location of both the login page and the login form.   Use the “Login Form Fields” to enter a user name and password.   After making these changes, press the submit button to save them.  The scan preferences are configured, and the scan is ready to run.

HTTP Login Variables

To run the scan, choose the scan option and select “Add” to add a scan.

Next you will name your scan, choose a policy and enter a target:

Name – I used DVWA, but you can use any name you wish.

Type – The options are “Run Now”, “Scheduled” or “Template”. The first two are self-explanatory; “Template” saves the scan definition so that the same scan can be run again later.

Policy – In this case, I am going to use the “Damn Vulnerable Web App” policy that I just created.

Scan Targets – Enter the login page of the application you are scanning.

Once you have entered all the necessary information, click “launch scan” to start the scan.

When the scan is complete, view the report and see which vulnerabilities were found.
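Reading the finished report in the Nessus UI is fine for one host, but an exported report can also be triaged from a script. The example below is added here and is not part of the original post or of Nessus; it parses the `.nessus` (NessusClientData_v2) XML format that Nessus exports, keeps only findings on the web ports the scan above was limited to (80, 443, 8080), and groups them by severity. `SAMPLE_NESSUS` is a constructed document: the host address, plugin IDs, plugin names and outputs are placeholders, not real Nessus plugins or real findings.

```python
"""Summarise a Nessus v2 (.nessus) export from a web application scan.

Added example, not code from the original post or from Nessus. The XML
layout (NessusClientData_v2 / Report / ReportHost / ReportItem) follows
the format Nessus exports; everything inside SAMPLE_NESSUS is constructed.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# The ports the post restricts the web application scan to.
WEB_PORTS = {80, 443, 8080}

# Nessus "severity" attribute values and their usual labels.
SEVERITY_LABELS = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

# Constructed sample export: 192.0.2.10 is a documentation address, the
# pluginID/pluginName values are placeholders and describe no real plugin.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="DVWA">
    <ReportHost name="192.0.2.10">
      <HostProperties>
        <tag name="host-ip">192.0.2.10</tag>
      </HostProperties>
      <ReportItem port="80" svc_name="www" protocol="tcp" severity="2"
                  pluginID="900001" pluginName="SAMPLE medium web finding"
                  pluginFamily="CGI abuses">
        <risk_factor>Medium</risk_factor>
        <plugin_output>constructed output</plugin_output>
      </ReportItem>
      <ReportItem port="80" svc_name="www" protocol="tcp" severity="0"
                  pluginID="900002" pluginName="SAMPLE web server info"
                  pluginFamily="Web Servers">
        <risk_factor>None</risk_factor>
      </ReportItem>
      <ReportItem port="8080" svc_name="http-alt" protocol="tcp" severity="3"
                  pluginID="900003" pluginName="SAMPLE high web finding"
                  pluginFamily="CGI abuses">
        <risk_factor>High</risk_factor>
      </ReportItem>
      <ReportItem port="443" svc_name="https" protocol="tcp" severity="0"
                  pluginID="900004" pluginName="SAMPLE TLS service info"
                  pluginFamily="Service detection">
      </ReportItem>
      <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="1"
                  pluginID="900005" pluginName="SAMPLE non-web finding"
                  pluginFamily="General">
        <risk_factor>Low</risk_factor>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def parse_nessus(xml_text):
    """Return one dict per ReportItem in a .nessus v2 document."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        host_name = host.get("name", "")
        for item in host.iter("ReportItem"):
            sev = int(item.get("severity", "0"))
            findings.append({
                "host": host_name,
                "port": int(item.get("port", "0")),
                "protocol": item.get("protocol", ""),
                "severity": sev,
                "severity_label": SEVERITY_LABELS.get(sev, "Unknown"),
                "plugin_id": item.get("pluginID", ""),
                "plugin_name": item.get("pluginName", ""),
                "plugin_family": item.get("pluginFamily", ""),
                # risk_factor is optional in exports; default when absent.
                "risk_factor": item.findtext("risk_factor", "None"),
                "output": (item.findtext("plugin_output") or "").strip(),
            })
    return findings


def web_findings(findings, ports=WEB_PORTS):
    """Keep only findings reported on the scanned web ports."""
    return [f for f in findings if f["port"] in ports]


def summarize(findings):
    """Count findings per severity label, e.g. Counter({'Info': 2, ...})."""
    return Counter(f["severity_label"] for f in findings)


def triage(findings, min_severity=2):
    """Findings at or above min_severity, most severe first."""
    actionable = [f for f in findings if f["severity"] >= min_severity]
    return sorted(actionable, key=lambda f: (-f["severity"], f["port"], f["plugin_id"]))


def render(findings):
    """One human-readable line per actionable finding."""
    return [
        f"[{f['severity_label']:8}] {f['host']}:{f['port']} "
        f"{f['plugin_id']} {f['plugin_name']} ({f['plugin_family']})"
        for f in triage(findings)
    ]


if __name__ == "__main__":
    web = web_findings(parse_nessus(SAMPLE_NESSUS))
    print("Findings by severity:", dict(summarize(web)))
    print("\n".join(render(web)))
```

Point `parse_nessus` at the text of a real export (`open("scan.nessus").read()`) to use it on your own lab results; the port filter mirrors the scan policy, so anything it drops is a sign the scanner touched a port the policy was not meant to cover.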

In conclusion, I have learned how to create a basic network and Web application scan.  I hope my demonstration enabled you to learn as well.  There is still much to learn about Nessus, so there will be some more Nessus posts in the future!
