Plugin Highlight - Web Application Tests : Load Estimation (ID 33817)
Web application testing with automated scanners can be tricky business. While testing various target web servers, I found that some targets seemed to finish in a relatively short period, while others took days - or never seemed to complete at all. This occurred despite the fact that I often used identical test settings and relatively conservative scan settings for the different targets.
While troubleshooting this apparent disparity, I came across
a useful plugin that helped me see a little of what was going on in the
background. The plugin is Nessus
Plugin ID 33817 “Web Application Tests : Load Estimation”.
Here is the plugin synopsis/description:
Synopsis
Load estimation for web application tests.
Description
This script computes the maximum number of
requests that would be done by the generic web tests, depending on
miscellaneous options. It does not perform any test by itself.
The results can be used to estimate the
duration of these tests, or the complexity of additional manual tests.Note that the script does not try to compute
this duration based on external factors such as the network and web
servers loads.
A useful trick that I found was running two scans for each web application test. In the first scan, I would enable only plugin 33817, along with some related settings described in the table below, so I could get a feel for the best possible scan settings along with the approximate time required for the actual scan. After running the estimation scan, I could then run the full scan with reasonable expectation of the amount of time it would take.
Here’s sample output from a typical “Load Estimation” scan of a web server running Mutillidae:
Plugin Output
Here are the estimated number of requests in
miscellaneous modes for the GET method only:
[Single / Some Pairs / All Pairs / Some
Combinations / All Combinations]
arbitrary command execution :
S=5350 SP=487550 AP=16772900 SC=>2G AC=>2G
format string : S=428
SP=39004 AP=1341832 SC=>2G AC=>2G
header injection :
S=428 SP=39004 AP=1341832 SC=>2G AC=>2G
SSI injection : S=642
SP=58506 AP=2012748 SC=>2G AC=>2G
unseen parameters :
S=7490 SP=682570 AP=23482060 SC=>2G AC=>2G
RS : S=1712
SP=156016 AP=5367328 SC=>2G AC=>2G
blind SQL injection :
S=2568 SP=234024 AP=8050992 SC=>2G AC=>2G
SQL injection : S=5778
SP=526554 AP=18114732 SC=>2G AC=>2G
directory traversal (extended test): S=10272
SP=936096 AP=32203968 SC=>2G AC=>2G
directory traversal :
S=6206 SP=565558 AP=19456564 SC=>2G AC=>2G
directory traversal (write access): S=428
SP=39004 AP=1341832 SC=>2G AC=>2G
local file inclusion :
S=856 SP=78008 AP=2683664 SC=>2G AC=>2G
web code injection :
S=214 SP=19502 AP=670916 SC=>2G AC=>2G
DOM XSS
: S=214
SP=19502 AP=670916 SC=>2G AC=>2G
persistent XSS : S=856
SP=78008 AP=2683664 SC=>2G AC=>2G
cross-site scripting (quick test): S=4280
SP=390040 AP=13418320 SC=>2G AC=>2G
XML injection : S=214 SP=19502 AP=670916 SC=>2G AC=>2G
Here are the estimated number of requests in
miscellaneous modes for both methods (GET & POST):
[Single / Some Pairs / All Pairs / Some Combinations / All Combinations]
arbitrary command execution :
S=245000 SP=27754600 AP=966198400
SC=>2G AC=>2G
format string : S=19600
SP=2220368 AP=77295872 SC=>2G AC=>2G
header injection :
S=19600 SP=2220368 AP=77295872 SC=>2G AC=>2G
SSI injection : S=29400
SP=3330552 AP=115943808 SC=>2G AC=>2G
unseen parameters :
S=343000 SP=38856440 AP=1352677760 SC=>2G AC=>2G
RS :
S=78400 SP=8881472 AP=309183488 SC=>2G AC=>2G
blind SQL injection :
S=117600 SP=13322208 AP=463775232
SC=>2G AC=>2G
SQL injection : S=264600
SP=29974968 AP=1043494272 SC=>2G AC=>2G
directory traversal (extended test): S=470400
SP=53288832 AP=1855100928 SC=>2G AC=>2G
directory traversal :
S=284200 SP=32195336 AP=1120790144 SC=>2G AC=>2G
directory traversal (write access): S=19600
SP=2220368 AP=77295872 SC=>2G AC=>2G
local file inclusion :
S=39200 SP=4440736 AP=154591744 SC=>2G AC=>2G
web code injection :
S=9800 SP=1110184 AP=38647936
SC=>2G AC=>2G
DOM XSS : S=9800
SP=1110184 AP=38647936 SC=>2G AC=>2G
persistent XSS : S=39200
SP=4440736 AP=154591744 SC=>2G AC=>2G
cross-site scripting (quick test): S=196000
SP=22203680 AP=772958720 SC=>2G AC=>2G
XML injection : S=9800
SP=1110184 AP=38647936 SC=>2G AC=>2G
Your mode : single, GET only, thorough tests.
As noted in the output, this plugin doesn’t actually perform any vulnerability checks. Instead, it takes the “Web mirroring (10662)” plugin results in conjunction with other web application scan settings (such as thorough tests and experimental scripts) and performs a calculation of the maximum number of checks (GET or GET/POST requests) that would be required if the scan was actually going to be performed.
In the output above, S (Single) and SP (Some Pairs) generally had a reasonable number of checks, while the SC (Some Combinations) and AC (All Combinations) each ran approximately two billion checks per category. AP (All Pairs) was somewhere in the middle, ranging from 670 thousand to almost 2 billion checks per category.
Based on this output, I would likely choose “Single” or “Some Pairs” if I needed a relatively quick web application scan or “All Pairs” if I had more time to let the scan complete (about 24 hours in this case). Running scans in either “Some Combinations” or “All Combinations” mode is simply not practical based on the number of checks per category. Further tweaking of the web mirroring or web application test settings specified in the table below could reduce the number of checks. The table below lists both required and optional settings for a “Load Estimation” scan.
|
Web
App Load Estimation Settings |
Description |
|
Required Settings – must
be set for load estimation output to work properly |
|
|
Web
Application Test Settings (Plugin 3941) |
Plugins ->
Settings |
|
Enable
web application tests checkbox |
Preferences
-> Web Application Tests Settings |
|
Web
Application Tests: Load Estimation (Plugin 33817) |
Plugins ->
CGI abuses category |
|
Web
mirroring (Plugin 10662) |
Plugins ->
Web Servers. Configure the desired web mirroring settings in the Preferences ->
Web mirroring section. For more guidance, see this blog or the
Nessus documentation available on the Tenable Support Portal. |
|
Test SSL
based services |
Preferences
-> Service Detection. Set this to “All” where your web application listens
over SSL on non-standard ports. |
|
Optional Settings – not
required, but could affect the load estimation output |
|
|
Thorough
Tests |
Preferences
-> Global variable settings |
|
Enable
Experimental Scripts |
Preferences
-> Global variable settings |
|
Test
Embedded Web Servers |
Preferences
-> Web Application Tests Settings |
In conclusion, it makes sense to analyze and optimize your Nessus settings before kicking off any web application scan. Knowing what a scan is going to do before the scan actually occurs is the key to this process. The “Load Estimation” plugin will help you on your path to web application testing “Zen”.
Related Articles
Cybersecurity Snapshot: Apply Zero Trust to Critical Infrastructure’s OT/ICS, CSA Advises, as Five Eyes Spotlight Tech Startups’ Security
November 1, 2024Should critical infrastructure orgs boost OT/ICS systems’ security with zero trust? Absolutely, the CSA says. Meanwhile, the Five Eyes countries offer cyber advice to tech startups. Plus, a survey finds “shadow AI” weakening data governance. And get the latest on MFA methods, CISO trends and Uncle Sam’s AI strategy.
FY 2024 State and Local Cybersecurity Grant Program Adds CISA KEV as a Performance Measure
October 31, 2024The CISA Known Exploited Vulnerabilities (KEV) catalog and enhanced logging guidelines are among the new measurement tools added for the 2024 State and Local Cybersecurity Grant Program.
Cybersecurity Snapshot: New Guides Offer Best Practices for Preventing Shadow AI and for Deploying Secure Software Updates
October 25, 2024Looking for help with shadow AI? Want to boost your software updates’ safety? New publications offer valuable tips. Plus, learn why GenAI and data security have become top drivers of cyber strategies. And get the latest on the top “no-nos” for software security; the EU’s new cyber law; and CISOs’ communications with boards.