Task: Web Applications
The Greenbone Security Manager supports scanning of web applications in two ways:
- With our own Network Vulnerability Tests (NVTs, over 1500 are of some relevance for web applications)
- With the integrated web applications scanner w3af
Execute simple scan of web applications
This example executes a broadly designed check of web applications. An experienced user will continue from this base with more in-depth checks, adapting the scan parameters.
Import the scan configuration Web-Application Scan.
This configuration covers all Network Vulnerability Tests (NVTs) that are in any way relevant for checking web applications. The tests range from verifying webserver versions, to finding known vulnerabilities in web applications, to basic generic analysis (fuzzing).
This comprises the advantage that no time-consuming selection of NVTs is necessary. On the other hand, this generic scan will take longer and presumably collect more information than is actually needed.
So, this is a configuration to learn about a web application in order to allow a further in-depth analysis of identified potential issues.
Define the targets.
Now you can create the actual task. This means to combine the imported scan configuration with the newly created targets.
The search is started by clicking on of the respective task. It can take a while for the scan to complete. To update the view with the current progress, click on .
As soon as the status changes to "Done" the complete report is available. At any time you can review the intermediate results.
Fine-tuning web application scan
The scan configuration imported in the above example can also be used as a base for specialised scans.
From it you can compile an individual subselection of NVTs. Another option is to refine the single scan parameters of the configuration.
Adjustment of scanner preferences
On the overview of scan configurations click on the icon to adjust the scan parameters in section "Edit Scanner Preferences" according to your needs.
The adjustments applied here are used by general NVTs but do not affect w3af. This integrated tool uses an independent configuration.
cgi-path: If known, you can add additional paths to be considered during the scan.
The list of paths uses colon as separator.
port_range: In case the ports used by the web application are known, you can reduce the number of non-relevant results considerably (e.g. scan only "80, 8080, 8443").
This limitation to explicit ports does make sense because many standard services are based on HTTP. They do use arbitrary ports and are (correctly) identified as some sort of web application and thus would be scanned in detail.
Pressing the "Save Config" button applies the changes of this section.
Adjustment of NVT preferences
On the overview of scan configurations click on the icon and scroll down to the section "Edit Scanner Preferences". There it is possible to directly jump to the NVT editor using the icon in order to adjust the NVT's parameters.
Global variable settings (Enable CGI scanning): Enables the test of CGIs.
This option is enabled by default. If you don't want to execute such tests you should change this from "yes" to "no".
Global variable settings (HTTP User-Agent): Any application that accesses a web server sends an identification of itself. And this is also true for the scan. The identification that the scan engine should send can be specified here.
In some cases web applications will behave differently depending on the whether, for example, Mozilla Browser or Internet Explorer acts as a client. Thus it can make sense to modify the identifier to test different response types of the web server.
Another aspect is the opportunity to track the scan activity in the log files of the web server if a special identification is applied.
HTTP login page (Login form, Login form fields, Login page): These parameters help the scan engine to log into web applications first and then execute the actual tests. Sometimes this is required, else the tests would fail due to missing authorization.
Login form specifies the URL that represents the action of logging into the web applications. If you open the web application in your browser it is often possible to see this URL directly.
Login page describes the URL where this action for logging in can be executed.
Finally, Login form fields allows to send URL-based authentication using the place holders "%USER%" and "%PASS%" for user account and password. You need to check the actual format for the web application to be scanned. The actual credentials that will be applied are specified via NVT "Login configurations" (see below).
Login configurations (HTTP account, HTTP password): These two parameters specify the credentials to be applied on a login page of a web application (see above).
You should only apply special credentials for testing purposes as it can happen that the password is transferred in cleartext.
In order to activate the change of the password you need to explicitly check "Replace old value". Else, the password is ignored when clicking "Save Config".
Nmap (NASL wrapper) (Service scan): Changing this option to "yes" can increase the detection rate considerably and lead to a more comprehensive subsequent vulnerability scan.
This only makes sense when it is unclear at which host and which port the web applications are listening. In some cases it helps to identify web services that are hard to identify as such.
Web mirroring (Number of pages to mirror, Start page): For the scan of a web application a mirror of web pages is created. In other words, the current state of the pages is copied to the scan engine. During a scan the scan engine walks down the link structure.
These two preferences describe how many pages should be mirrored and where to start with walking down the link structure. The defaults are usually sufficient for an initial scan. However, depending on the web application it might be necessary to adjust them accordingly.
HTTP NIDS evasion: In case the scan engine should try to circumvent/trick an Intrusion Detection System (IDS), an Intrusion Prevention System (IPS) or a Web Application Firewall (WAF) this NVT offers a number of adjustments.
For the calibration of these parameters good knowledge about the actual IDS/IPS/WAF technologies is very helpful.
w3af (NASL wrapper) (Profile): The integrated web application scanner "w3af" offers different scan profiles.
The pre-defined profile "full_audit" will execute a comprehensive scan. For other profiles and adjustments, please refer to the documentation of w3af.