Architecture
Each application is unique. Running scans and analyzing the results reveals techniques that help you run scans efficiently and ensure coverage of all areas of the application. Depending on the size or complexity of the web application, the scan may complete, allowing you to analyze the results for further optimization. Tenable highly recommends that you review the “scan notes” after each scan completes, and that you regularly review the attachment to the sitemap plugin.
Scan Objectives:
- Web App Config Audit: SSL_TLS Scan
- Tenable Web App Overview Scan: Quick Scan - similar to the config audit scan
- Scan
- Specific scan - PCI, API, Log4Shell
Features
In Tenable Web App Scanning scans, you can configure credentials settings that allow Tenable Web App Scanning to perform an authenticated scan on a web application. Credentialed scans can perform a wider variety of checks than non-credentialed scans, which can result in more accurate scan results.

Scans in Tenable Web App Scanning use managed credentials. Managed credentials allow you to store credential settings centrally in a credential manager. You can then add those credential settings to multiple scan configurations instead of configuring credential settings for each individual scan.
Tenable Web App Scanning scans support credentials in the following authentication types:
Credentials Category | Authentication Type | Configuration Method |
---|---|---|
HTTP Server Authentication | – | Use the Tenable Web App Scanning user interface to manually configure credentials settings in scans. |
Web Application Authentication | Login Form | Use the Tenable Web App Scanning user interface to manually configure credentials settings in scans. |
Web Application Authentication | Cookie Authentication | Use the Tenable Web App Scanning user interface to manually configure credentials settings in scans. |
Web Application Authentication | API Key | Use the Tenable Web App Scanning user interface to manually configure credentials settings in scans. |
Web Application Authentication | Bearer Authentication | Use the Tenable Web App Scanning user interface to manually configure credentials settings in scans. |
Basic Authentication:
- Username / password
- Basic and NTLM supported
Cookie Authentication:
- Use a web browser to sign in
- Copy the cookie (name + content), for example from chrome://settings/siteData
- Check limitations (https, NoScript, expiration, etc.)

- Manual
- Selenium scripting
- Tenable extension (Chrome)
- Plugin ID 98033
Login Form:
- Login page
- Credentials
- Field name; field value
- Pattern to verify success
- Page to verify active
- Pattern to verify active
- All patterns are regex
Selenium Authentication:
- Browser automation tools through scripting
- Created manually or with tools
- Supported in multiple browsers
- https://chrome.google.com/webstore
- Selenium IDE
- Additional details: http://seleniumhq.org
Licensing Tenable Web App Scanning
Tenable Web App Scanning Deployment Options
- Tenable Core + Web App Scanning - You can use the Tenable Core operating system to run an instance of Tenable Web App Scanning in your environment. After you deploy Tenable Core + Tenable Web App Scanning, you can monitor and manage your Tenable Web App Scanning processes through the secure Tenable Core platform.
- Tenable Web App Scanning in Tenable Nessus Expert - Tenable Web App Scanning in Tenable Nessus Expert allows you to scan and address web application vulnerabilities that traditional Tenable Nessus scanners, Tenable Nessus Agents, or Tenable Nessus Network Monitor cannot scan.
- Tenable Web App Scanning Docker Image - You can deploy Tenable Web App Scanning as a Docker image to run on a container. The base image is an Oracle Linux 8 instance of Tenable Web App Scanning. You can set up your Tenable Web App Scanning instance with environment variables to deploy the Docker image with configuration settings automatically. Once the Docker image is deployed, you can also update it, or collect scanner logs.
- Tenable Web App Scanning CI/CD Application Scan - You can deploy the Tenable Web App Scanning Docker image as a continuous integration and continuous delivery/continuous deployment (CI/CD) tool to run Tenable Web App Scanning scans on software before merging it. Scanning your CI/CD applications and services at any point in your application's lifecycle can greatly improve your security stance by finding vulnerabilities as early as possible.
Tenable Web App Scanning (WAS) Scan Workflow
In Nessus Web App Scanning, you can launch only one WAS scanning instance.
API Scan
Steps to launch an API scan:
- Provide your OpenAPI (Swagger) file in one of two ways:
  - Select URL in the drop-down list and enter the URL of your OpenAPI (Swagger) file in the text box.
  - Upload an OpenAPI (Swagger) file.
- (Optional) Enter any URLs that you want to exclude from your scan in the Regex for excluded URLs text box.
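As an added illustration of what an OpenAPI-driven API scan works from, the following example (written for this page, not Tenable's scanner code) enumerates the method/URL pairs an OpenAPI 3 document describes and applies an exclusion regex the way the Regex for excluded URLs setting is described above. The OpenAPI document is constructed for the example, and the assumption that the exclusion regex is matched anywhere in the absolute URL is mine; how Tenable's scanner resolves path templates such as {id} is not shown here.

```python
import json
import re

# Constructed sample OpenAPI 3 document (not from the page or from Tenable).
SAMPLE_OPENAPI = json.dumps({
    "openapi": "3.0.0",
    "servers": [{"url": "https://api.example.test/v1"}],
    "paths": {
        "/users": {"get": {}, "post": {}},
        "/users/{id}": {"get": {}, "delete": {}},
        "/admin/reset": {"post": {}},
        "/health": {"get": {}},
    },
})

# Keys of a path item that are HTTP operations (others, e.g. "parameters", are metadata).
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def enumerate_endpoints(spec_text):
    """Return (METHOD, absolute URL) pairs described by an OpenAPI document."""
    spec = json.loads(spec_text)
    servers = spec.get("servers") or [{"url": ""}]
    base = servers[0]["url"].rstrip("/")
    endpoints = []
    for path, item in spec.get("paths", {}).items():
        for method in item:
            if method.lower() in HTTP_METHODS:
                endpoints.append((method.upper(), base + path))
    return endpoints


def apply_exclusions(endpoints, exclude_regex):
    """Drop endpoints whose URL matches the exclusion regex (assumed: search anywhere in the URL)."""
    if not exclude_regex:
        return list(endpoints)
    pattern = re.compile(exclude_regex)
    return [(m, u) for m, u in endpoints if not pattern.search(u)]


def plan_api_scan(spec_text, exclude_regex=None):
    """Endpoints that would be in scope after exclusions are applied."""
    return apply_exclusions(enumerate_endpoints(spec_text), exclude_regex)


if __name__ == "__main__":
    # Keep destructive admin operations and the health probe out of the scan.
    for method, url in plan_api_scan(SAMPLE_OPENAPI, r"/admin/|/health$"):
        print(method, url)
```

Before launching an API scan, a check like this lets you confirm that the exclusion regex removes exactly the endpoints you intend (here the admin reset and the health probe) and nothing else; an over-broad pattern silently shrinks coverage.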
Creating a script in Selenium
Use the script in a Credentialed Scan
Credentialed Scans without a Script using Policy Config
Create a new Web Application Authentication:
Manual Credentialed Web Application Scan:
MFA / 2FA and SSO
2FA is not supported in WAS. This is because one of the major reasons for using 2FA is to stop automated platforms from authenticating. There are, however, many ways to work around this kind of issue. Here are just some examples:
- Contact the primary developer/team of the site. They have many more options available to them to support these scenarios.
- Contact the vendor for the 2FA. The 2FA vendor may have a method they recommend to support scanning.
- For the specific account created for WAS, create a "static token" that allows one specific account to use the same token/digits over and over again. We recommend changing this token periodically or based on your organization's policy.
- Create a "bypass" policy in whatever tools you're using for 2FA. For example, if the scan comes from IP range xx-yy, then bypass SMS auth. This can also be combined with "header authentication" (i.e., put something in the headers, such as a long string (token) that is unique to that IP range; this also prevents a second user on Tenable.io from scanning the same site).
- Log in to the web application, proceed with the authentication, and capture the session token used (cookie). Put the token into the scan properties (cookie authentication). It should work for that one scan. This option would require manual intervention each time a new scan is run.
Single sign-on is supported, depending on the web application configuration, through Selenium Authentication. However, if the application requires two-factor authentication where the second factor is something like an SMS pin, Web Application Scanning (WAS) cannot work around that. Cookie authentication would be required.
- 2FA can also come in the form of "something you know", such as a question. In this case, Selenium can be used but also has limitations. See Limitations of Selenium in Web Application Scanning for more information.
- Documentation on Cookie Authentication
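The IP-range-plus-header-token "bypass" policy from the list above, as an added example of the server-side check an application team might implement for the dedicated scanner account (example code written for this page, not anything from Tenable or a 2FA vendor; the network range, header name and token value are constructed placeholders):

```python
import hmac
import ipaddress

# Constructed placeholders: the real scanner range and token come from your own 2FA/WAF policy.
SCANNER_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]   # RFC 5737 documentation range
BYPASS_HEADER = "X-Scanner-Token"
BYPASS_TOKEN = "constructed-long-random-token-value-0123456789abcdef"


def is_scanner_source(client_ip):
    """True if the connecting address falls inside one of the scanner networks."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in SCANNER_NETWORKS)


def header_token_valid(headers):
    """True if the request carries the expected bypass token (header names compared case-insensitively)."""
    normalized = {k.lower(): v for k, v in headers.items()}
    presented = normalized.get(BYPASS_HEADER.lower(), "")
    # Constant-time comparison so the token cannot be recovered through response timing.
    return hmac.compare_digest(presented.encode(), BYPASS_TOKEN.encode())


def second_factor_required(client_ip, headers):
    """Require the second factor unless BOTH conditions hold: scanner source range AND valid token."""
    return not (is_scanner_source(client_ip) and header_token_valid(headers))


if __name__ == "__main__":
    print(second_factor_required("203.0.113.10", {"X-Scanner-Token": BYPASS_TOKEN}))  # scanner: bypass
    print(second_factor_required("198.51.100.5", {"X-Scanner-Token": BYPASS_TOKEN}))  # other source: 2FA
```

Requiring both the source range and the header token is what keeps the bypass narrow: a request from the scanner range without the token, or a request with the token from anywhere else, still gets the second factor. Rotate the token on the same schedule the page recommends for a static 2FA token, and log every request that takes the bypass path so its use can be reviewed.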
Example of scanning a WordPress site
OUTPUT
The scanner was unable to login to the web application using the credentials provided.
Login form with fields 'admin' could not be found in URL 'https://itprosec.com/wp-login.php?redirect_to=https%3A%2F%2Fitprosec.com%2Fwp-admin%2F&reauth=1'; however, 2 forms have been identified on this page:
- Form #1: 6 fields identified: (name: log, id: user_login), (name: pwd, id: user_pass), (name: rememberme, id: rememberme), (name: wp-submit, id: wp-submit), (name: redirect_to, id: ), (name: testcookie, id: )
- Form #2: 3 fields identified: (name: wp_lang, id: language-switcher-locales), (name: redirect_to, id: ), (name: , id: )
Source code of the forms are available in the attachments.
Verify that you have specified the login form fields correctly. Specify either the 'name' attribute if set, otherwise the 'id' attribute. Do not specify the input field if neither attribute is available.
If your application does not use the form element for authentication or the form cannot be processed correctly, please try using the 'Selenium Authentication' method.

The scanner was unable to login to the web application using the credentials provided.
Login form with fields 'pwd', 'log' has been found on URL 'https://itprosec.com/wp-login.php?redirect_to=https%3A%2F%2Fitprosec.com%2Fwp-admin%2F&reauth=1', but when submitting it the response did not contain the pattern or text 'Dashboard' expected if login is successful.
Check the response provided as an attachment and verify what text can be used to check if the login process was successful.
If the response indicates that login was not successful or not attempted, check the reason provided and update the login form options accordingly.
Following cookie(s) have been set for this session:
- cf_clearance=FyARnfTW.smSUrXduuW7WYx_HCmAhTFnGMz1sCLepxk-1724640104-1.2.1.1-8o.91Wj1kJl4CMATTbNvRFHe65KYCzEDDkQF4TUOYKa_HpEl0bQ2BdhRc33V5i3OeFg8EpHeCfL9L1MIdJOKFqqjv87gksHrUCYdmt0qM4n3NDs_XAeXit907Bnb21YPXDcY0d2HiY0sF2T3inxcYmScKLu9WXX6yzQ6DkzNV8SrdPygq9YN2DKCzrdLHIzBGt2AA2OhhAfS56QD6JlDNRxlUkvBa9yV.mpRjfgsF_mAedHPuo2A4kaHZznlQ9ExuhTeOU5BLhaH33t_i94QS4XhsLhegbp3KgveBt0gzrgKq17zurNoijPnJVbzB2xUjwrnNS35wEcCnzYKImrrG2tpF0no6PGXR6QBqgIpWYmSc2ZrnK.Wf_FzXpn3n_jM
- wordpress_test_cookie=WP Cookie check
Another Web App Authentication Sample from Tenable doc:
References
- Web Application Scanning - How to configure login form authentication
- Get Started with Tenable Web App Scanning