Tenable Web Application Cerdential Scans
Tenable Web App Scanning provides comprehensive vulnerability scanning for modern web applications. Tenable Web App Scanning's accurate vulnerability coverage minimizes false positives and false negatives, ensuring that security teams understand the true security risks in their web applications. The product offers safe external scanning that ensures production web applications are not disrupted or delayed, including those built using HTML5 and AJAX frameworks.
For more information on Tenable Web App Scanning architecture and scanning, refer to Get Started
with Tenable Web App Scanning.
2FA is not supported in Web Application Scanning (WAS). Most 2FA issues can be solved with Cookie Authentication but will require a replacement of the cookie before every scan. There are other possible options depending on the configuration and setup of the web application.
SSO - Single sign-on is supported, depending on the setup. This can be done via Selenium Authentication. However, there are some limitations.
Architecture
Each application is unique. Running scans and analyzing the results reveal techniques that help you run scans most efficiently and ensure coverage of all areas of the application. Depending on the size or complexity of the web application, the scan may finish allowing you to analyze the results for further optimization. Tenable highly recommends that you review the “scan notes” after a scan completes and the attachment to the sitemap plugin regularly.
Features
In Tenable Web App Scanning scans, you can configure credentials settings that allow Tenable Web App Scanning to perform an authenticated scan on a web application. Credentialed scans can perform a wider variety of checks than non-credentialed scans, which can result in more accurate scan results.
Scans in Tenable Web App Scanning use managed credentials. Managed credentials allow you to store credential settings centrally in a credential manager. You can then add those credential settings to multiple scan configurations instead of configuring credential settings for each individual scan.
Tenable Web App Scanning scans support credentials in the following authentication types:
| Credentials Category |
Authentication Type |
Configuration Method |
|---|---|---|
| HTTP Server Authentication | – | Use the Tenable Web App Scanning user interface to manually configure credentials settings in scans. |
|
Web Application Authentication |
Login Form | |
| Cookie Authentication | ||
| API Key | Use the Tenable Web App Scanning user interface to manually configure credentials settings in scans. | |
| Bearer Authentication |
Basic Authentication:
- username / password
- Basic and NTLM supported
Cookie-based Authentication
- Use a web browser to sign in
- Copy cookie
- Name+Content
- chrome://settings/siteData
- Check limitations (https, NoScript, expiration, etc.)
Form-based Authentication
- Manual
- Selenium scripting
- Tenable extension (chrome)
- Plugin ID 98033
Manual Authentication
- Login Page
- Credentials
- Field name; field value
- Pattern to verify success
- Page to verify active
- Pattern to verify active
- All patterns are regex
Forms Authentication Using Selenium Scripting
- Browser automation tools through scripting
- Created manually or with tools
- Supported in multiple browsers
Selenium IDE Chrome Extension
- https://chrome.google.com/webstore
- Selenium IDE
- Additional details - http://seleniumhq.org
Web Application Authentication document:
https://docs.tenable.com/vulnerability-management/Content/WAS/Scans/WebAppAuthentication.htm
Licensing Tenable Web App Scanning
Tenable Web App Scanning has two versions: a cloud version and an on-premises version. For the
cloud version, Tenable offers a subscription model. For the on-premises version, Tenable offers a
subscription model as well as perpetual and maintenance licenses.
To use Tenable Web App Scanning, you purchase licenses based on your organizational needs and
environmental details. Tenable Web App Scanning then assigns those licenses to assets in your
environment: unique fully qualified domain names (FQDNs). If you only scan IP addresses, the
system licenses those instead.
When your environment expands, so does your asset count, so you purchase more licenses to
account for the change. Tenable licenses use progressive pricing, so the more you purchase, the
lower the per-unit price. For prices, contact your Tenable representative.
Tenable Web App Scanning determines your licensed asset count by scanning resources in your
environment to identify FQDNs. FQDNs that have been scanned for vulnerabilities in the past 90
days count towards your license.
Tenable Web App Scanning reclaims licenses from deleted assets within 24 hours. In addition, it reclaims licenses from assets which are not scanned for 90 days or a period you specify.
To allow for usage spikes due to sudden environment growth or unanticipated threats, Tenable Web
App Scanning licenses are elastic by 10%. However, when you scan more assets than you have
licensed, Tenable clearly communicates the overage and then reduces functionality in three stages.
Tenable Web App Scanning Deployment Options
Tenable offers many deployment options for Tenable Web App Scanning. For more information,
refer to the following product pages:
- Tenable Core + Web App Scanning - You can use the Tenable Core operating system to run an instance of Tenable Web App Scanning in your environment. After you deploy Tenable Core + Tenable Web App Scanning, you can monitor and manage your Tenable Web App Scanning processes through the secure Tenable Core platform.
- Tenable Web App Scanning in Tenable Nessus Expert - Tenable Web App Scanning in Tenable Nessus Expert allows you to scan and address web application vulnerabilities that traditional Tenable Nessus scanners, Tenable Nessus Agents, or Tenable Nessus Network Monitor cannot scan.
- Tenable Web App Scanning Docker Image - You can deploy Tenable Web App Scanning as a Docker image to run on a container. The base image is an Oracle Linux 8 instance of Tenable Web App Scanning. You can set up your Tenable Web App Scanning instance with environment variables to deploy the Docker image with configuration settings automatically. Once the Docker image is deployed, you can also update it, or collect scanner logs.
- Tenable Web App Scanning CI/CD Application Scan - You can deploy the Tenable Web App Scanning Docker image as a continuous integration and continuous delivery/continuous deployment (CI/CD) tool to run Tenable Web App Scanning scans on software before merging it. Scanning your CI/CD applications and services at any point in your application's lifecycle can greatly improve your security stance by finding vulnerabilities as early as possible.
Tenable Web App Scanning Scan Workflow
Note: When you launch a scan, the time the scanner takes to complete the scan varies depending on the system load. To prevent lengthy scan times, avoid launching an excessive number of scans simultaneously. Excessive numbers of concurrent scans may exhaust the system's scanning capacity. If necessary, Tenable Web App Scanning automatically staggers concurrent scans to ensure consistent scanning performance.
Note: Tenable Web App Scanning aborts scans that remain in pending status for more than four hours. If Tenable Web App Scanning aborts a scan, modify your scan schedules to reduce the number of overlapping scans. If you still have issues, contact Tenable Support.
API Scan
A scan that checks an API for vulnerabilities. This scan analyzes RESTful APIs described via an OpenAPI (Swagger) specification (file upload or URL of the file location). File attachment size is limited to 1 MB.
Tip: If the API you want to scan requires keys or a token for authentication, you can add the expected custom headers in the Advanced settings in the HTTP Settings section.
Note: API scans support only one target at a time.
Steps to launch a API scan:
Select the API scan template.
In the Settings section of the Create a Scan - API Scan page, populate the mininmum required settings: name, scanner and target
In the Scope section, add the OpenAPI (Swagger) file for the API you are scanning in one of
the following ways:
- Enter the URL of your OpenAPI (Swagger) file:
- Select URL in the drop-down list
- Enter the URL of your OpenAPI (Swagger) file in the text box.
- Upload an OpenAPI (Swagger) file.
- (Optional) Enter any URLs that you want to exclude from your scan in the Regex for excluded URLs textbox.
Note: The RESTful API file should be OpenAPI Specification (v2 or v3) compliant and represented in
either JSON or YAML format.
Note: Attaching an OpenAPI (Swagger) file larger than 1 MB to an API scan, results in an error
message. For more information on this limit, see the Knowledge Article. For more information
on Swagger specification files. see OpenAPI (Swagger) Specification.
Creating a script in Selenium
Install Selenium Chrome Extension
start extension
recording
Stop recording
Use the script in a Credentialed Scan
Credentialed Scans without a Script using Policy Config
MFA / 2FA and SSO
2FA is not supported in WAS. This is because one of the major reasons for using 2FA is to stop automated platforms authenticating. There are however, many ways to work-around this kind of issue. Here are just some examples:
- Contact the primary developer/team of the site. They have many more options available to them to support these scenarios.
- Contact the vendor for the 2FA. The 2FA vendor may have a method they recommend to support scanning.
- For the specific account created for WAS, create a "static token" that allows one specific account to use the same token/digits over and over again. We recommend changing this token periodically or based on your organization's policy.
- Create a "bypass" policy in whatever tools you're using for 2FA. For example, if the scan comes from IP range xx-yy, then bypass SMS auth. This can also be done as a combination of "headers authentication". (i.e. put something in the headers such as a long string (token) that is unique to that IP range. This prevents a second user on Tenable.io from scanning the same site as well.)
- Login to the web application, proceed with the authentication, and capture the session token used (cookie). Put the token into the scan properties (cookie authentication). It should work for that one scan. This option would require manual intervention each time a new scan is run.
Single sign-on is supported, depending on the web application configuration, through Selenium Authentication. However, if the application requires two-factor authentication where the second factor is something like an SMS pin, Web Application Scanning (WAS) cannot work around that. Cookie authentication would be required.
Additional Resources
- 2FA can also come in the form of "something you know", such as a question. In this case, Selenium can be used but also has limitations. See Limitations of Selenium in Web Application Scanning for more information.
- Documentation on Cookie Authentication
Note: https://community.tenable.com/s/article/Does-WAS-support-2FA-and-SSO?language=en_US
References
- Web Application Scanning - How to configure login form authentication
- Get Started with Tenable Web App Scanning
Tenable Resources for Vulnerability Management
共有 0 条评论