Web Application Scanning in Tenable Nessus

Web application scanning (WAS) is available in Tenable Nessus Expert. Web application scanning in Tenable Nessus allows you to scan and address web application vulnerabilities that traditional Tenable Nessus scanners, Tenable Nessus Agents, or Tenable Nessus Network Monitor cannot scan.

Note: The following platforms do not support web application scanning in Tenable Nessus:

  • Any host system that does not support Docker

  • Any host that uses an ARM-based processor (for example, AArch64 Linux distributions and Apple Silicon systems)

For more information about Docker support on virtualized hosts, see the Docker documentation.

Note: Tenable Nessus Expert only allows one concurrent web application scan at a time.

Note: You cannot update Tenable Nessus Expert web application scanning plugins when Tenable Nessus is offline.

Licensing

If you license web application scanning in Tenable Nessus Expert, you can scan up to five different web application URLs per 90 days.

Tenable Nessus uses only the hostname and port (FQDN:port) to track against WAS licenses instead of the full URL. For example, all of the following targets count for a single license FQDN:

  • https://example.com/welcome

  • https://example.com/welcome/get-started

  • https://example.com/welcome/get-started/create-new-user

If you do not perform a web application scan on a target URL for 90 days, Tenable Nessus removes the URL from your license and it no longer counts towards your URL limit. You cannot delete web application scan data to remove the URL from your license.

You can purchase additional URLs by contacting your Tenable representative.

Prerequisites

Before you enable web application scanning in Tenable Nessus Expert, you must install Docker version 20.0.0 or later on your Tenable Nessus host.

Enable web application scanning in Tenable Nessus

  1. Under Resources in the left-side navigation pane, click Web App Scanning.

    The Web Application Scanning (WAS) page appears. The WAS requirements and information section shows whether Docker is installed on your Tenable Nessus host, the Docker version, whether web application scanning is downloaded on your Tenable Nessus host, and the current web application scanning plugin set.

  2. Select the Enable Web Application Scanning checkbox.

  3. Click Save.

    Tenable Nessus starts to download web application scanning.

    Once the web application scanning download completes, the WAS requirements and information section indicates that web application scanning is downloaded (as shown in the following image). You can now view Web App scan templates in the Tenable Nessus scanning user interface and perform web application scans.

    Tip: With web application scanning installed, you can click next to the WAS Image Last Checked field to update Tenable Nessus with the latest Tenable Web App Scanning version.

    For more information on how to install Tenable Nessus Expert and web application scanning, see the following video: Web App Scanning in Nessus Expert 10.6.

What to do next: