Mailing List Archive

Extending the generic web application vulnerability checks
Hello all,

I am currently investigating the possibilities of Nessus with regard to testing web applications for generic vulnerabilities. My goal is to extend Nessus with additional generic web application vulnerability checks.

Currently I have only found two plug-ins (torturecgis.nasl and sql_injection.nasl) which check a web application for XSS, SQL injection, OS commanding and path traversal.

As the torturecgis.nasl script already states, it's far from complete. The sql_injection.nasl script is more mature.

I have the following questions:
1. Are there more generic web application vulnerability checks that I missed?
2. What is the development roadmap for these kinds of checks?
3. Are new generic plug-ins currently in development?
4. Are there plans to extend torturecgis.nasl?
5. Why isn't there a good set of plug-ins for these kinds of checks?

In comparison with other (generic) web application vulnerability scanners, there is a lot of improvement to achieve.

With regards,

Piet Haanstra

Re: Extending the generic web application vulnerability checks
On Mon, 9 Mar 2009 14:47:59 +0000
Piet Haanstra <10109@live.com> wrote:

> 1. Are there more generic web application vulnerability checks that
> I missed?

No. There are other generic tests, but they target the HTTP server, not
the application per se.

> 4. Are there plans to extend torturecgis.nasl?

I have some experimental modifications for torturecgis.nasl (not yet in
CVS).
The testing time increases dramatically in some cases.

> 5. Why isn't there a good set of plug-ins for these kinds of checks?

Web application testing is awfully slow in most cases.

_______________________________________________
Plugins-writers mailing list
Plugins-writers@list.nessus.org
http://mail.nessus.org/mailman/listinfo/plugins-writers
Re: Extending the generic web application vulnerability checks
Hi Piet,

> I have the following questions:

> 2. What is the development roadmap for these kinds of checks?

There is no firm roadmap for more application checks. However, it is something
that we have been having extensive discussions on internally. While I cannot
promise any specifics, it is certainly our goal to move Nessus a bit farther
into the application testing realm.

> 3. Are new generic plug-ins currently in development?

There is currently some internal development of such plugins.

> 4. Are there plans to extend torturecgis.nasl?

Yes, it is actively being worked on.

> 5. Why isn't there a good set of plug-ins for these kinds of checks?

They are considerably more difficult to write than plugins that check for a
single 'static' vulnerability.

> In comparison with other (generic) web application vulnerability
> scanners, there is a lot of improvement to achieve.

In comparison to Nessus, web application vulnerability scanners have a lot of
improvement to achieve when detecting vulnerabilities in Sendmail and FTP. =)
Please remember, Nessus has a 10-year history of being a network vulnerability
scanner, and that we are looking to evolve it even more, especially toward web
application testing.

Brian
Tenable Network Security
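As an added illustration, not code from this thread or from Nessus (NASL plugins are not reproduced here), the Python sketch below models what a torturecgis-style generic check does: it injects one payload per vulnerability class into every parameter of every discovered CGI and matches the responses against signatures. The payload strings, the signature regexes, the parameter inventory and the deliberately vulnerable mock application are all assumptions constructed for this example; the point it makes is the one raised in the two replies above, that the number of requests is the product of endpoints, parameters and payloads, which is why these checks are slow and why their detection logic is harder to get right than a check for a single static vulnerability.

```python
"""Toy torturecgis-style generic web check (added example, not a Nessus plugin)."""
import re
from itertools import product

# One or two payloads per class. torturecgis.nasl targets these classes;
# the concrete strings here are assumptions for this example.
PAYLOADS = {
    "xss": ["<script>alert('nessus')</script>", '"><nessus>'],
    "sqli": ["'", "' OR '1'='1"],
    "traversal": ["../../../../etc/passwd", "..%2F..%2F..%2Fetc%2Fpasswd"],
    "os_cmd": ["; id", "| id"],
}

# Response signatures that mean the injection took effect (assumed patterns).
SIGNATURES = {
    "xss": lambda payload, body: payload in body,  # reflected verbatim, unencoded
    "sqli": lambda payload, body: re.search(
        r"You have an error in your SQL syntax|ORA-\d{5}|SQLSTATE", body) is not None,
    "traversal": lambda payload, body: re.search(r"root:.*:0:0:", body) is not None,
    "os_cmd": lambda payload, body: re.search(r"uid=\d+\(\w+\)", body) is not None,
}

# Constructed CGI inventory, as a crawler would hand it to the check.
ENDPOINTS = {
    "/search.cgi": ["q", "page"],
    "/item.cgi": ["id"],
    "/view.cgi": ["file"],
    "/ping.cgi": ["host"],
}


def mock_fetch(path, params):
    """Constructed stand-in for the target (no network). It is deliberately
    vulnerable in three places so the checks have something to find."""
    if path == "/search.cgi":
        return f"<html>Results for {params.get('q', '')}</html>"  # reflects q raw
    if path == "/item.cgi":
        if "'" in params.get("id", ""):
            return "You have an error in your SQL syntax; check the manual"
        return "<html>item</html>"
    if path == "/view.cgi":
        f = params.get("file", "").replace("%2F", "/")
        if f.endswith("etc/passwd"):
            return "root:x:0:0:root:/root:/bin/sh\n"
        return "<html>file</html>"
    return "<html>ok</html>"


def torture(endpoints, fetch=mock_fetch, classes=PAYLOADS):
    """Inject every payload into every parameter of every endpoint, one
    parameter at a time. Returns (sorted unique findings, request count)."""
    findings = set()
    requests = 0
    payload_list = [(cls, p) for cls, ps in classes.items() for p in ps]
    for path, names in endpoints.items():
        baseline = {n: "1" for n in names}  # benign values for the other params
        for target, (cls, payload) in product(names, payload_list):
            body = fetch(path, dict(baseline, **{target: payload}))
            requests += 1
            if SIGNATURES[cls](payload, body):
                findings.add((path, target, cls))
    return sorted(findings), requests


def request_budget(endpoints, classes=PAYLOADS):
    """Requests a full run needs: total parameters x total payloads."""
    n_params = sum(len(names) for names in endpoints.values())
    return n_params * sum(len(ps) for ps in classes.values())


if __name__ == "__main__":
    found, n = torture(ENDPOINTS)
    print(f"{n} requests, findings: {found}")
    big = {f"/c{i}.cgi": [f"p{j}" for j in range(10)] for i in range(200)}
    print(f"200 CGIs x 10 params x 8 payloads = {request_budget(big)} requests")
```

Two caveats a plugin author would add: the verbatim-reflection test for XSS misses payloads that land in a JavaScript or attribute context and need a different breakout, and the SQL and OS-command signatures only see errors that the application echoes, so a silent application needs timing or out-of-band checks. Both of those add more payloads per parameter, which multiplies the request count again.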