Scan web applications | Disabled | By default, Tenable PCI ASV does not scan web applications. Enable this setting to edit the settings that follow.
Use a custom User-Agent | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0) | Specifies which type of web browser Tenable PCI ASV impersonates while scanning.
Web Crawler |
Start crawling from | / | The URL of the first page that is tested. If multiple pages are required, use a colon delimiter to separate them (e.g., /:/php4:/base).
Excluded pages (regex) | /server_privileges\.php <> log out | Specifies portions of the web site to exclude from being crawled. For example, to exclude the /manual directory and all Perl CGI, set this field to: (^/manual) <> (\.pl(\?.*)?$). Tenable PCI ASV supports POSIX regular expressions for string matching and handling, as well as Perl-compatible regular expressions (PCRE).
Maximum pages to crawl | 1000 | The maximum number of pages to crawl.
Maximum depth to crawl | 6 | Limits the number of links Tenable PCI ASV follows from each start page.
Follow dynamically generated pages | Disabled | If selected, Tenable PCI ASV follows dynamic links and may exceed the limits set above.
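As an added illustration (my code, not Tenable's), this Python model of the crawler applies the settings above to a constructed in-memory site map: the start-page field is split on ":", the exclusion field is split on "<>" as the page's examples suggest, and the page and depth limits bound a breadth-first walk.

```python
import re
from collections import deque

# Constructed site map (path -> links found on that page); stands in for a
# real web server so the example runs offline.
SITE = {
    "/": ["/index.php", "/manual/", "/cgi-bin/search.pl?q=x", "/about"],
    "/index.php": ["/server_privileges.php", "/logout", "/docs/a"],
    "/manual/": ["/manual/ch1"],
    "/manual/ch1": ["/manual/ch2"],
    "/cgi-bin/search.pl?q=x": ["/results"],
    "/about": ["/team"],
    "/team": ["/team/alice"],
    "/team/alice": ["/team/alice/cv"],
    "/docs/a": ["/docs/b"],
    "/docs/b": ["/docs/c"],
    "/php4": ["/php4/info"],
}

def parse_start_pages(field):
    """'Start crawling from' separates pages with ':' (e.g. '/:/php4:/base')."""
    return [p for p in field.split(":") if p]

def parse_exclusions(field):
    """'Excluded pages (regex)' separates patterns with '<>' (assumed from the examples)."""
    return [re.compile(p.strip()) for p in field.split("<>") if p.strip()]

def crawl(start_field, exclude_field, max_pages=1000, max_depth=6, site=SITE):
    """Breadth-first crawl honouring the three limits the scanner exposes.
    Returns visited paths in crawl order; depth counts links followed from a start page."""
    excluded = parse_exclusions(exclude_field)
    queue = deque((p, 0) for p in parse_start_pages(start_field))
    seen, visited = set(), []
    while queue and len(visited) < max_pages:
        path, depth = queue.popleft()
        if path in seen or any(rx.search(path) for rx in excluded):
            continue
        seen.add(path)
        visited.append(path)
        if depth < max_depth:
            for link in site.get(path, []):
                queue.append((link, depth + 1))
    return visited
```

Note that the default exclusion "log out" contains a space, so it does not match a path such as /logout; the pattern must match the path text as the crawler sees it.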
Application Test Settings |
Enable generic web application tests | Disabled | Enables the following settings.
Abort web application tests if HTTP login fails | Disabled | If Tenable PCI ASV cannot log in to the target via HTTP, it does not run any web application tests.
Try all HTTP methods | Disabled | This option instructs Tenable PCI ASV to also use POST requests for enhanced web form testing. By default, the web application tests use only GET requests. More complex applications generally use the POST method when a user submits data to the application. When enabled, Tenable PCI ASV tests each script or variable with both GET and POST requests. This setting provides more thorough testing, but may considerably increase the time required.
Attempt HTTP Parameter Pollution | Disabled | When performing web application tests, attempt to bypass filtering mechanisms by injecting content into a variable while also supplying the same variable with valid content. For example, a normal SQL injection test may look like /target.cgi?a='&b=2. With HTTP Parameter Pollution (HPP) enabled, the request may look like /target.cgi?a='&a=1&b=2.
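Added example (mine, not Tenable's code) showing why the HPP request above can get a different verdict from a filter than from the application, and the duplicate-name check a defender can run before either. It assumes two query-string parsers that resolve a repeated name differently (first occurrence wins versus last occurrence wins), and the "filter" is a constructed stand-in that only looks for a single quote.

```python
from urllib.parse import parse_qsl, urlsplit

# Constructed request paths copied from the page's example: plain test and HPP variant.
PLAIN_TEST = "/target.cgi?a='&b=2"
HPP_TEST = "/target.cgi?a='&a=1&b=2"

def pairs(url):
    """Every (name, value) pair in order; duplicate names are kept, not merged."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)

def resolve_first(url):
    """One common resolution rule: the first occurrence of a name wins."""
    resolved = {}
    for name, value in pairs(url):
        resolved.setdefault(name, value)
    return resolved

def resolve_last(url):
    """The other common rule: the last occurrence overwrites earlier ones."""
    return dict(pairs(url))

def duplicated_names(url):
    """Names supplied more than once: the signature a defender can log, alert on or reject."""
    names = [name for name, _ in pairs(url)]
    return sorted({n for n in names if names.count(n) > 1})

def suspicious(value):
    """Constructed stand-in for an input filter: treats a single quote as suspect."""
    return "'" in value

def assess(url, filter_rule=resolve_last, app_rule=resolve_first):
    """Evaluate the request as a filter (one rule) and as the application (the other).
    When the two resolutions disagree, the filter's verdict says nothing about what
    the application actually receives, so the duplicate-name check must come first."""
    filter_view = filter_rule(url)
    app_view = app_rule(url)
    return {
        "filter_blocks": any(suspicious(v) for v in filter_view.values()),
        "app_receives_suspect": any(suspicious(v) for v in app_view.values()),
        "duplicates": duplicated_names(url),
    }
```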
Test embedded web servers | Disabled | Embedded web servers are often static and contain no customizable CGI scripts. In addition, embedded web servers may be prone to crash or become non-responsive when scanned. Tenable recommends scanning embedded web servers separately from other web servers using this option.
Test more than one parameter at a time per form | Disabled |
This setting manages the combination of argument values used in the HTTP requests. The default, without checking this option, is to test one parameter at a time with an attack string, without trying non-attack variations for additional parameters. For example, Tenable PCI ASV would attempt /test.php?arg1=XSS&b=1&c=1, where b and c allow other values, without testing each combination. This is the quickest method of testing and generates the smallest result set.
This setting has four options:
- Test random pairs of parameters: This form of testing randomly checks a combination of random pairs of parameters. This is the fastest way to test multiple parameters.
- Test all pairs of parameters (slow): This form of testing is slightly slower but more efficient than the one value test. While testing multiple parameters, it tests an attack string, variations for a single variable, and then uses the first value for all other variables. For example, Tenable PCI ASV would attempt /test.php?a=XSS&b=1&c=1&d=1 and then cycle through the variables so that one is given the attack string, one is cycled through all possible values (as discovered during the mirror process), and any other variables are given the first value. In this case, Tenable PCI ASV would never test /test.php?a=XSS&b=3&c=3&d=3 when the first value of each variable is 1.
- Test random combinations of three or more parameters (slower): This form of testing randomly checks a combination of three or more parameters. This is more thorough than testing only pairs of parameters. Increasing the number of combinations to three or more increases the web application test time.
- Test all combinations of parameters (slowest): This method of testing checks all possible combinations of attack strings with valid input to variables. Where all-pairs testing seeks to create a smaller data set as a tradeoff for speed, all combinations makes no compromise on time and uses a complete data set of tests. This testing method may take a long time to complete.
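An added example (my code, not the scanner's) that enumerates the request sets for the default, all-pairs and all-combinations strategies described above, so the size trade-off between them is concrete. It assumes a constructed set of parameter values "discovered during the mirror process", uses the page's XSS placeholder purely as a marker, and sends nothing anywhere; the two random strategies are sampling variants of these and are not modelled.

```python
from itertools import product

ATTACK = "XSS"  # placeholder marker from the page's example, not a payload

# Constructed: values observed for each parameter during the mirror (crawl) phase.
OBSERVED = {"a": ["1", "2", "3"], "b": ["1", "2", "3"],
            "c": ["1", "2", "3"], "d": ["1", "2", "3"]}

def dedupe(requests):
    """Drop requests that are identical but were generated by more than one path."""
    seen, unique = set(), []
    for req in requests:
        key = tuple(sorted(req.items()))
        if key not in seen:
            seen.add(key)
            unique.append(req)
    return unique

def one_at_a_time(observed):
    """Default: attack one parameter; every other parameter keeps its first observed value."""
    return [{k: (ATTACK if k == target else v[0]) for k, v in observed.items()}
            for target in observed]

def all_pairs(observed):
    """'Test all pairs': attack one parameter, cycle one other parameter through all its
    values, hold the rest at their first value (so b=3&c=3&d=3 together is never sent)."""
    requests = []
    for target in observed:
        for other in observed:
            if other == target:
                continue
            for val in observed[other]:
                requests.append({k: (ATTACK if k == target else val if k == other else v[0])
                                 for k, v in observed.items()})
    return dedupe(requests)

def all_combinations(observed):
    """'Test all combinations': attack one parameter against every product of the others."""
    requests = []
    for target in observed:
        others = [k for k in observed if k != target]
        for combo in product(*(observed[k] for k in others)):
            req = dict(zip(others, combo))
            req[target] = ATTACK
            requests.append(req)
    return requests

def as_query(req, path="/test.php"):
    """Render a request dict the way the page writes them."""
    return path + "?" + "&".join(f"{k}={req[k]}" for k in sorted(req))
```

With four parameters of three values each, the three strategies produce 4, 28 and 108 requests respectively, which is the time trade-off the option names allude to.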
Do not stop after first flaw is found per web page | Stop after one flaw is found per web server (fastest) |
This setting determines when a new flaw is targeted. It applies at the script level: finding an XSS flaw does not disable searching for SQL injection or header injection, but unless otherwise specified there is at most one report for each type on a given port. Note that several flaws of the same type (for example, XSS or SQLi) may be reported if they were caught by the same attack.
If this option is disabled, as soon as a flaw is found on a web page, the scan moves on to the next web page.
If you enable this option, select one of the following options:
- Stop after one flaw is found per web server (fastest): (Default) As soon as a flaw is found on a web server by a script, Tenable PCI ASV stops and switches to another web server on a different port.
- Stop after one flaw is found per parameter (slow): As soon as one type of flaw is found in a parameter of a CGI (for example, XSS), Tenable PCI ASV switches to the next parameter of the same CGI, the next known CGI, or to the next port or server.
- Look for all flaws (slowest): Performs extensive tests regardless of flaws found. This option can produce a very verbose report and is not recommended in most cases.
URL for Remote File Inclusion | http://rfi.nessus.org/rfi.txt | During Remote File Inclusion (RFI) testing, this setting specifies a file on a remote host to use for tests. By default, Tenable PCI ASV uses a safe file hosted by Tenable for RFI testing. If the scanner cannot reach the Internet, you can use an internally hosted file for more accurate RFI testing.
Maximum run time (min) | 5 | This option manages the amount of time in minutes spent performing web application tests. This option defaults to 60 minutes and applies to all ports and CGIs for a given website. Scanning the local network for web sites with small applications typically completes in under an hour; web sites with large applications may require a higher value.