How to login to a webpage in Nessus and perform a SecTest?


I am trying to test a webpage using Nessus. I have tested all the stuff about the server. But now I want to proceed by logging in to the webpage and testing all possible pages behind the login form. But I couldn't achieve it. I gave all the form fields' values (text, password and hidden fields), including the ticket generated by the Central Authentication System. But nothing happens. Either there isn't any security issue behind the login page ( :P ), or I couldn't log in to the page (100% possibility :D ). For extra info:

These are the login fields. ;)

username=
&password=
&lt=_c0C1F5872-F217-B20F-6D86-AA3AA1C1262E_kC7BEB4F7-5216-53EB-2F9A-7FDDFE01D145
&_eventId=submit
&submit=Login

Is there anyone who has used Nessus and knows how to solve this problem? And is there anyone who knows how to import cookies into Nessus?

Thanks in advance. ;)

2

There are 2 answers

1
NerishiQaMaster On BEST ANSWER

I had similar problems; I can't speak for you, but it sounds like you have about as much website knowledge as I do (which ain't much!) - no offense intended. In my case I'm not sure I'm understanding the most basic structural elements of the website, such as what URL to point the scan at, and then concatenating that correctly with the login pages in the policy. I'm far better at network and infrastructure penetration testing :D

I did a search in a search engine for "Nessus HTTP cookie import", and found that Tenable discussed this on their podcast, episode 14:

http://blog.tenablesecurity.com/2009/11/tenable-network-security-podcast---episode-14.html

If you look at the "Stories" note on the above web page, there's a hint to use the "Export Cookies" Firefox add-on. The add-on has some guidance, but essentially:

  • Install the add-on to your browser (I'm using the OWASP Mantra browser; I urge you to look at it)
  • Restart your browser
  • Log in to the subject website and authenticate
  • From the Tools menu, go for "Export Cookies"
  • Save to file, and point your Nessus scan policy at that file

NOTE: I'm still trying this now, but thought I'd post the possibility anyway in case I forget - I will update this thread with a confirm or deny shortly.

Best of luck!

UPDATE: Well, it didn't work for me on first attempt. I'm confirming I don't have any conflicting or superseding settings in the policy, but if that doesn't work it's on to Tenable Support, I fear...

0
stelios On

According to the documentation, besides importing cookies, the other way to do it (currently at 7.0) is:

  1. Create new scan
  2. Web Application Tests
  3. Credentials: which are filled out like this (taken from the documentation):

    • Username: Login user’s name.
    • Password: Password of the user specified.
    • Login page: The absolute path to the login page of the application, e.g., /login.html
    • Login submission page: The action parameter for the form method. For example, the login form for: <form method="POST" name="auth_form" action="/login.php"> would be: /login.php

    • Login parameters: Specify the authentication parameters (e.g., login=%USER%&password=%PASS%). If the keywords %USER% and %PASS% are used, they will be substituted with values supplied on the Login configurations drop-down menu. This field can be used to provide more than two parameters if required (e.g., a group name or some other piece of information is required for the authentication process).

    • Check authentication on page: The absolute path of a protected web page that requires authentication, to better assist Nessus in determining authentication status, e.g., /admin.html.

    • Regex to verify successful authentication: A regex pattern to look for on the login page. Simply receiving a 200 response code is not always sufficient to determine session state. Nessus can attempt to match a given string such as Authentication successful.

However, looking at the reports, in my case, it couldn't authenticate for some reason.
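Added example, not code from either answer or from Nessus: a Python dry run of the form-login sequence the policy fields above describe (login page, submission page, %USER%/%PASS% parameter string, check page, success regex), run against a constructed stand-in server. The stub assumes a CAS-style hidden `lt` ticket that is minted per form render and accepted once, so it shows why a ticket pasted into a static parameter string fails while re-reading the hidden field first succeeds, and why the regex check matters when the protected page answers 200 either way. Server, credentials and paths are all constructed.

```python
import http.cookiejar, re, secrets, threading, urllib.parse, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

ISSUED, SESSIONS = set(), set()  # one-time login tickets; valid session ids

class StubApp(BaseHTTPRequestHandler):  # constructed CAS-style stand-in: "lt" minted per render, used once
    def log_message(self, *args): pass
    def do_GET(self):
        if self.path == "/login.html":
            lt = secrets.token_hex(8); ISSUED.add(lt)
            self._reply('<form method="POST" action="/login.php">'
                        f'<input type="hidden" name="lt" value="{lt}"></form>')
        elif self.path == "/admin.html":  # 200 either way: the status code alone proves nothing
            ok = any(f"sid={s}" in self.headers.get("Cookie", "") for s in SESSIONS)
            self._reply("Authentication successful" if ok else "Please log in")
        else:
            self._reply("not found", 404)
    def do_POST(self):
        f = dict(urllib.parse.parse_qsl(self.rfile.read(int(self.headers.get("Content-Length", 0))).decode()))
        if f.get("lt") in ISSUED and (f.get("username"), f.get("password")) == ("alice", "s3cret"):
            ISSUED.discard(f["lt"]); sid = secrets.token_hex(8); SESSIONS.add(sid)
            self._reply("ok", headers={"Set-Cookie": f"sid={sid}"})
        else:
            self._reply("bad login")
    def _reply(self, body, code=200, headers=None):
        self.send_response(code)
        for k, v in (headers or {}).items(): self.send_header(k, v)
        self.end_headers(); self.wfile.write(body.encode())

def start_stub():
    srv = HTTPServer(("127.0.0.1", 0), StubApp)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}"

def form_login_check(base, user, pw, login_page, submit_page, params, check_page, regex, refresh_hidden=True):
    """Walk the same steps as the scanner policy and return whether check_page matches regex."""
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(http.cookiejar.CookieJar()))
    fields = {k: v.replace("%USER%", user).replace("%PASS%", pw) for k, v in urllib.parse.parse_qsl(params)}
    if refresh_hidden:  # read the current hidden values instead of trusting a pasted ticket
        html = opener.open(base + login_page).read().decode()
        fields.update(re.findall(r'type="hidden" name="([^"]+)" value="([^"]*)"', html))
    opener.open(base + submit_page, data=urllib.parse.urlencode(fields).encode()).read()
    return re.search(regex, opener.open(base + check_page).read().decode()) is not None

def demo():  # same parameters: fresh ticket -> True, pasted stale ticket -> False
    args = (start_stub(), "alice", "s3cret", "/login.html", "/login.php",
            "username=%USER%&password=%PASS%&lt=PASTED_TICKET&_eventId=submit&submit=Login",
            "/admin.html", "Authentication successful")
    return form_login_check(*args, refresh_hidden=True), form_login_check(*args, refresh_hidden=False)
```

Running `demo()` returns `(True, False)`; if the scanner's fields reproduce the second case, the fix is in the parameters or the hidden-field handling, not in the regex.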