7 Aug 2012

Configuring Nessus for web application scans


When using Nessus to scan a website, it is important to configure the global settings properly so that it finds as many vulnerabilities as possible.
Tenable's support site has a good article that explains how to do this. I have copied the details below (in English).

Summary:
  • Cookies can be imported to give the scan pre-authenticated access
  • To get a file containing live cookies, use Firefox and export its cookies with an add-on such as Export Cookies
  • It is also very important to adjust a few settings in Nessus: Enable CGI scanning, HTTP Cookies import, Web App Test Settings, add scan starting points under Web Mirroring (and enable the plugins that use these settings)

Problem:

What needs to be configured to ensure a thorough web application audit is performed by Nessus?

Solution:

Tenable encourages users to run a full vulnerability scan with all plugins enabled. If you want to streamline a policy to only focus on a web application, the following steps outline the process for creating a new policy designed to run a web application audit:
  1. Create a new policy. (Policies -> Add)
  2. Under the “General” tab options, set up a scan as you normally would. Ensure at least one TCP-based port scanner is selected and provide a list of ports with web servers running on the host(s). Note: Only use this method if you are absolutely sure you know of all web servers running on the targets. Otherwise, select a port range so that Nessus can detect web servers and applications to audit.
  3. Under the “Plugins” tab, ensure the following plugin families are enabled:
    1. CGI abuses – This plugin family checks for a wide range of commercial and open source applications that have documented vulnerabilities. These checks include software detection, information disclosure, SQL injection, file inclusion, overflows and more.
    2. CGI abuses : XSS – This plugin family checks for a wide range of commercial and open source applications that have documented Cross-site Scripting (XSS) vulnerabilities.
    3. Database – Many web applications will utilize a database for storing large amounts of data. SQL injection attacks are designed to target database servers via web applications.
    4. FTP – Some sites use FTP for administrators to upload web application content or update the application.
    5. General – This plugin family contains plugins that identify operating systems via HTTP, perform a wide variety of SSL checks and more.
    6. Service detection – Contains checks for a wide variety of services and technologies, many of which support web servers and applications.
    7. Web servers – This plugin family contains over 500 checks for vulnerabilities in popular web servers including Apache, Tomcat, IIS and WebSphere. In addition, this plugin family includes checks for frameworks such as PHP, common web server issues associated with the HTTP(S) protocol, OpenSSL checks and more.
  4. Under the “Preferences” tab, there are several drop-down menus with additional configuration options that must be specified:
    1. Under “Global variable settings”, select “Enable CGI scanning”. Optionally, the “Thorough tests (slow)” can be enabled and “Report verbosity” can be set to “Verbose” to provide additional vulnerability checks and better reporting.
    2. The “HTTP cookies import” drop-down can be used to import cookies as a means for authenticating to the application. This is not explicitly required, but some means of authentication should be provided.
    3. The “HTTP login page” drop-down provides over a dozen options that direct Nessus to a custom web application. This includes the URL to the login page (e.g., /application/login.php), login form (i.e., if the login data is sent to a different location), relevant form fields for authentication (the “user” and “pass” variables should be changed to reflect your application, %USER% and %PASS% are pulled from the “Login configurations” drop-down menu) and options that control how Nessus behaves in relation to the authentication process.
    4. The “Login configurations” can be used if the application is protected using HTTP Basic Authentication, Digest or NTLM.
    5. The “Web Application Tests Settings” drop-down contains several important options for enabling testing of custom applications. The “Enable web applications tests” must be enabled, or Nessus will only scan for known vulnerabilities based on prior public disclosures. This page also contains options for limiting the time to test an application, use of POST requests, the type of argument values to use (refer to the Nessus User Guide for additional information on this option) and more.
    6. The “Web mirroring” drop-down directs Nessus’ behavior for mirroring the application, a step performed before tests are calculated and run. The total number of pages or depth of mirroring can be controlled, along with the starting page and a delimited list of regular expressions that are used to match web pages that Nessus will exclude (e.g., logout|emailus.php).
For more information about the settings you can watch our instructional videos at:
http://www.youtube.com/watch?v=fUCgvZnTILo
http://www.youtube.com/watch?v=B5qvVT9iho0
Additionally, you can find detailed information on the preferences in the Nessus User Guide.
Other Refs:
  • From the Discussions Forum, another related post regarding the use of cookie importing: https://discussions.nessus.org/thread/4395
  • The missing link in the Nessus docs is that to get the cookie file, you need to use Firefox and export using an add-on such as: https://addons.mozilla.org/en-US/firefox/addon/export-cookies/?src=api
  • Also very important is to tweak a few settings in Nessus: Enable CGI scanning, HTTP Cookies import, Web App Test Settings, Web Mirroring starting points (+ choose some plugins that use these)
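The two pieces of the steps above that are easy to get wrong are the cookie file handed to "HTTP cookies import" and the exclusion list under "Web mirroring". The script below is an added example, not code from Tenable's article or from this post. It assumes that the import expects the Netscape cookies.txt format (the format the Firefox Export Cookies add-on writes), it uses the column names of Firefox's moz_cookies table (host, path, name, value, expiry, isSecure; check them against your own profile), and the cookies and URLs it works on are constructed sample data, not taken from any real site. It filters the cookies to the target host, drops expired ones, and shows which discovered URLs an exclusion regex like `logout|emailus.php` actually keeps out of the mirror.

```python
import re
import sqlite3

# Constructed sample rows shaped like Firefox's moz_cookies table
# (host, path, name, value, expiry, isSecure). The column names are the
# ones Firefox's cookies.sqlite uses; verify them against your profile.
SAMPLE_COOKIES = [
    ("app.example.test",   "/", "PHPSESSID", "4f3c9ab2", 2000000000, 1),
    (".example.test",      "/", "tracking",  "xyz",      2000000000, 0),
    ("other.example.test", "/", "sid",       "deadbeef", 2000000000, 1),
    ("app.example.test",   "/", "stale",     "old",      1000000000, 1),
]

# Constructed URLs a mirroring pass might discover on the target.
SAMPLE_URLS = [
    "/app/index.php",
    "/app/logout.php",
    "/app/emailus.php",
    "/app/account.php?action=delete",
]


def build_sample_db():
    """In-memory stand-in for a Firefox profile's cookies.sqlite (constructed)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE moz_cookies (host TEXT, path TEXT, name TEXT, "
        "value TEXT, expiry INTEGER, isSecure INTEGER)"
    )
    db.executemany("INSERT INTO moz_cookies VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_COOKIES)
    return db


def cookie_applies(cookie_host, target_host):
    """Domain matching as a browser does it: a leading dot means 'this
    domain and its subdomains', otherwise the host must match exactly."""
    if cookie_host.startswith("."):
        return target_host == cookie_host[1:] or target_host.endswith(cookie_host)
    return cookie_host == target_host


def export_netscape_cookies(db, target_host, now):
    """Return Netscape cookies.txt lines for the cookies that apply to
    target_host and have not expired as of `now` (a Unix timestamp).
    Expired session cookies are dropped on purpose: importing one gives
    you a scan that is silently unauthenticated."""
    rows = db.execute(
        "SELECT host, path, name, value, expiry, isSecure "
        "FROM moz_cookies ORDER BY rowid"
    ).fetchall()
    lines = ["# Netscape HTTP Cookie File"]
    for host, path, name, value, expiry, secure in rows:
        if not cookie_applies(host, target_host) or expiry <= now:
            continue
        lines.append("\t".join([
            host,
            "TRUE" if host.startswith(".") else "FALSE",  # include subdomains?
            path,
            "TRUE" if secure else "FALSE",
            str(expiry),
            name,
            value,
        ]))
    return lines


def split_by_mirror_exclusion(urls, exclude_regex):
    """Partition discovered URLs the way a '|'-separated exclusion list
    such as 'logout|emailus.php' would: anything the regex matches is
    not mirrored. Returns (kept, excluded)."""
    pattern = re.compile(exclude_regex)
    kept, excluded = [], []
    for url in urls:
        (excluded if pattern.search(url) else kept).append(url)
    return kept, excluded


if __name__ == "__main__":
    # Redirect this output to cookies.txt and point "HTTP cookies import" at it.
    for line in export_netscape_cookies(build_sample_db(), "app.example.test", now=1500000000):
        print(line)
    kept, excluded = split_by_mirror_exclusion(SAMPLE_URLS, "logout|emailus.php")
    print("mirrored:", kept)
    print("excluded:", excluded)
```

Against a real profile, replace `build_sample_db()` with `sqlite3.connect` on a copy of cookies.sqlite (Firefox keeps the live file locked) and pass the current time as `now`. Note what the exclusion check reports: `logout` and `emailus.php` are kept out, but `/app/account.php?action=delete` is still mirrored, so any state-changing action reachable by a crawl, or by the POST requests the Web Application Tests Settings can enable, needs its own entry in the list before the scan runs with a valid session.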