Using Nessus for OWASP and PCI Web Audits
Tenable has released a technical paper named "Demonstrating Compliance with Nessus Web Application Scans". It details how OWASP Top 10 and Payment Card Industry web audits can be performed with Nessus scanners. This is a technical paper and specific attention is given as to which Nessus plugins can be used to perform various OWASP types of testing. For example, below is an excerpt from the paper's chapter on OWASP A5 - Cross Site Request Forgery:
2010 OWASP Top 10 – A5 Cross-Site Request Forgery (CSRF)
This web application weakness leverages image tags, XSS and other techniques to trick anauthenticated users to a sensitive site into submitting a request that does something potentially damaging with the user's credentials. For example, consider a web application that automatically posts a message to Twitter but requires a user to authenticate to the application. If the URL method for posting the message was known ahead of time, an attacker could craft a URL with their desired message and send it to the targeted user via XSS or embedded in an image tag. If the user clicks on the URL, their authenticated state with the application would process the URL and send the attacker's message to Twitter. There have been many examples of using CSRF to reset passwords, purchase products, generate Google AdWord hits and more.
There are multiple Nessus audits that are relevant to help ensure CSRF vulnerabilities are not exploited on your web application:
- Testing for XSS vulnerabilities with Nessus can ensure that these may not be used to perform CSRF attacks. Although not necessary to perform a CSRF attack, XSS vulnerabilities allow token-based CSRF defenses to be defeated.
- Nessus plugin #47832 performs “On Site Request Forgery Vulnerability” testing. This is a narrower form of CSRF attack testing.
- Five specific tests detect CSRF in known web applications.
The paper can be downloaded from the following link.
Tenable offers a variety of technologies to monitor web application logs, perform security assessments of web servers, passively identify web servers based on network traffic and to audit the configuration of them. A webinar recording which details Tenable's approach to continuous web application security monitoring is also available to watch at your convenience.
For more information on our solutions, please read our web application security synopsis, contact our sales staff for a demo or watch any of our enterprise demonstration videos.
Related Articles
Cybersecurity Snapshot: NIST Program Probes AI Cyber and Privacy Risks, as U.S. Gov’t Tackles Automotive IoT Threat from Russia, China
September 27, 2024A new NIST program will revise security frameworks like NIST’s CSF as AI risks intensify. Plus, the U.S. may ban cars with Russian and Chinese IoT components. Meanwhile, the CSA adds AI insights to its zero trust guide. And get the latest on cybersecurity budgets, SBOMs and the Ghost cybercrime platform!
CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, CVE-2024-47177: Frequently Asked Questions About Common UNIX Printing System (CUPS) Vulnerabilities
September 26, 2024Frequently asked questions about multiple vulnerabilities in the Common UNIX Printing System (CUPS) that were disclosed as zero-days on September 26.
Establishing a Cloud Security Program: Best Practices and Lessons Learned
September 26, 2024As we’ve developed Tenable’s cloud security program, we in the Infosec team have asked many questions and faced interesting challenges. Along the way, we’ve learned valuable lessons and incorporated key best practices. In this blog, we’ll discuss how we’ve approached implementing our cloud security program using Tenable Cloud Security, and share recommendations that you may find helpful.
