
Nessus - Basic Web Application Scanning

Nessus has long been known as a network vulnerability scanner, but it also contains quite a bit of functionality that can be used to identify vulnerabilities in web applications. The information Nessus provides is useful as a foundation for a web application assessment.

The first thing you need to do is to create a web application scanning policy for Nessus.

Go to the General tab.
Basic - Give the policy a name, e.g. Web Application Scanning.
Scan - Enable Safe Checks and Silent Dependencies.
Network Congestion - Leave all unchecked.
Port Scanners - Leave all unchecked.
Port Scan Options - Enter the common web application ports: 80, 443, 8080, 8000, 8443.
Performance - Leave as default.

Next, go to the Plugins tab and enable the following plugin families:
  • CGI abuses
  • CGI abuses : XSS
  • General
  • Settings
  • Databases
  • Web Servers

Lastly, go to the Preferences tab and choose "Global Variable Settings" from the dropdown box. Enable CGI scanning and Thorough tests.

Click submit and your web application policy is ready for scanning with Nessus.
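Once a scan with this policy has run, the findings that matter for the web application assessment are the ones from the CGI abuses, CGI abuses : XSS and Web Servers families on the ports entered above. The following script is an added example (not part of the original post or of Nessus itself) that parses a .nessus v2 export and pulls out only those findings, grouped by host and sorted by severity; the embedded report fragment, plugin IDs and plugin names are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Plugin families and ports taken from the policy described above.
WEB_FAMILIES = {"CGI abuses", "CGI abuses : XSS", "Web Servers"}
WEB_PORTS = {80, 443, 8080, 8000, 8443}

# Constructed .nessus (v2) fragment for demonstration only; the plugin IDs
# and names are made up and do not correspond to real Nessus plugins.
SAMPLE_NESSUS = """<NessusClientData_v2>
 <Report name="Web Application Scanning">
  <ReportHost name="192.0.2.10">
   <ReportItem port="80" protocol="tcp" severity="2" pluginID="900001"
     pluginName="Example reflected parameter echo" pluginFamily="CGI abuses : XSS"/>
   <ReportItem port="443" protocol="tcp" severity="1" pluginID="900002"
     pluginName="Example server banner disclosure" pluginFamily="Web Servers"/>
   <ReportItem port="8888" protocol="tcp" severity="1" pluginID="900003"
     pluginName="Example web server on unlisted port" pluginFamily="Web Servers"/>
  </ReportHost>
  <ReportHost name="192.0.2.11">
   <ReportItem port="8080" protocol="tcp" severity="3" pluginID="900005"
     pluginName="Example directory listing" pluginFamily="CGI abuses"/>
   <ReportItem port="22" protocol="tcp" severity="1" pluginID="900006"
     pluginName="Example SSH banner" pluginFamily="Service detection"/>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""

def web_findings(nessus_xml, min_severity=1):
    """Return {host: [(port, severity, pluginID, pluginName), ...]} for findings in
    WEB_FAMILIES on WEB_PORTS with severity >= min_severity (0 info .. 4 critical)."""
    root = ET.fromstring(nessus_xml)
    findings = defaultdict(list)
    for host in root.iter("ReportHost"):
        name = host.get("name")
        for item in host.iter("ReportItem"):
            port = int(item.get("port", "0"))
            sev = int(item.get("severity", "0"))
            # Keep only web-family plugins on the policy's web ports.
            if (item.get("pluginFamily") in WEB_FAMILIES
                    and port in WEB_PORTS and sev >= min_severity):
                findings[name].append((port, sev, item.get("pluginID"), item.get("pluginName")))
        findings[name].sort(key=lambda f: (-f[1], f[0]))  # highest severity first
    return {h: items for h, items in findings.items() if items}

if __name__ == "__main__":
    for host, items in web_findings(SAMPLE_NESSUS).items():
        for port, sev, pid, name in items:
            print(f"{host}:{port} sev={sev} [{pid}] {name}")
```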

You can download Nessus here:


itauditsecurity said...

Nice tut. Very helpful!
