6.8 nessus: Web Application Test
The vulnerabilities listed below are ordered in descending order of their CVSSv3.BaseScore, by which the nessus vendor Tenable defines the severity of a vulnerability. The following table gives an overview of what the value ranges mean:
Source: https://www.first.org/cvss/specification-document
For the ten vulnerabilities in total with a severity of Critical, High or Medium, proposed solutions for better hardening of the system are to be developed; that is, the scope covers the value range 4.0 to 10.0 of the CVSSv3.BaseScore.
Blind SQL Injection (CVSSv3.BaseScore 9.8)
CVSSv3.Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Type
Internal
Description
This script is possibly vulnerable to SQL Injection attacks.
SQL injection is a vulnerability that allows an attacker to alter
back-end SQL statements by manipulating the user input. An SQL injection
occurs when web applications accept user input that is directly placed
into a SQL statement and doesn’t properly filter out dangerous
characters.
This is one of the most common application layer attacks currently being
used on the Internet. Despite the fact that it is relatively easy to
protect against, there is a large number of web applications vulnerable.
An attacker may execute arbitrary SQL statements on the vulnerable
system. This may compromise the integrity of your database and/or expose
sensitive information.
Depending on the backend database in use, SQL injection vulnerabilities
lead to varying levels of data/system access for the attacker. It may be
possible to not only manipulate existing queries, but to UNION in
arbitrary data, use subselects, or append additional queries. In some
cases, it may be possible to read in or write out to files or to execute
shell commands on the underlying operating system.
Certain SQL Servers such as Microsoft SQL Server contain stored and
extended procedures (database server functions). If an attacker can
obtain access to these procedures it may be possible to compromise the
entire machine.
Solution
Your script should filter metacharacters from user input.
Check detailed information for more information about fixing this
vulnerability.
References
Acunetix SQL Injection Attack
http://www.acunetix.com/websitesecurity/sql-injection.htm
VIDEO: SQL Injection tutorial
http://www.acunetix.com/blog/web-security-zone/video-sql-injection-tutorial/
OWASP Injection Flaws
http://www.owasp.org/index.php/Injection_Flaws
How to check for SQL injection vulnerabilities
http://www.acunetix.com/websitesecurity/sql-injection2/
SQL Injection Walkthrough
http://www.securiteam.com/securityreviews/5DP0N1P76E.html
OWASP PHP Top 5
http://www.owasp.org/index.php/PHP_Top_5
plugin
acunetix
plugin_id
Scripting (Blind_Sql_Injection.script)/Blind SQL Injection
TCP Sequence Number Approximation Based Denial of Service (CVSSv3.BaseScore 7.5)
CVSSv3.Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Type
Internal
Description
TCP provides stateful communications between hosts on a network. TCP
sessions are established by a three-way handshake and use random 32-bit
sequence and acknowledgment numbers to ensure the validity of traffic. A
vulnerability was reported that may permit TCP sequence numbers to be
more easily approximated by remote attackers. This issue affects
products released by multiple vendors.
The cause of the vulnerability is that affected implementations will
accept TCP sequence numbers within a certain range, known as the
acknowledgement range, of the expected sequence number for a packet in
the session. This is determined by the TCP window size, which is
negotiated during the three-way handshake for the session. Larger TCP
window sizes may be set to allow for more throughput, but the larger the
TCP window size, the more probable it is to guess a TCP sequence number
that falls within an acceptable range. It was initially thought that
guessing an acceptable sequence number was relatively difficult for most
implementations given random distribution, making this type of attack
impractical. However, some implementations may make it easier to
successfully approximate an acceptable TCP sequence number, making these
attacks possible with a number of protocols and implementations.
This is further compounded by the fact that some implementations may
support the use of the TCP Window Scale Option, as described in RFC
1323, to extend the TCP window size to a maximum value of 1 billion.
This vulnerability will permit a remote attacker to inject a SYN or RST
packet into the session, causing it to be reset and effectively allowing
for denial of service attacks. An attacker would exploit this issue by
sending a packet to a receiving implementation with an approximated
sequence number and a forged source IP address and TCP port.
There are a few factors that may present viable target implementations,
such as those which depend on long-lived TCP connections, those that
have known or easily guessed IP address endpoints and those
implementations with easily guessed TCP source ports. It has been noted
that Border Gateway Protocol (BGP) is reported to be particularly
vulnerable to this type of attack, due to the use of long-lived TCP
sessions and the possibility that some implementations may use the TCP
Window Scale Option. As a result, this issue is likely to affect a
number of routing platforms.
Another factor to consider is the relative difficulty of injecting
packets into TCP sessions, as a number of receiving implementations will
reassemble packets in order, dropping any duplicates. This may make some
implementations more resistant to attacks than others.
It should be noted that while a number of vendors have confirmed this
issue in various products, investigations are ongoing and it is likely
that many other vendors and products will turn out to be vulnerable as
the issue is investigated further.
Successful exploitation of this issue could lead to denial of service
attacks on the TCP based services of target hosts. Other consequences
may also result, such as man-in-the-middle attacks.
Solution
Please first check the results section below for the port number on
which this vulnerability was detected. If that port number is known to
be used for port-forwarding, then it is the backend host that is really
vulnerable.
Various implementations and products including Check Point, Cisco, Cray
Inc, Hitachi, Internet Initiative Japan, Inc (IIJ), Juniper Networks,
NEC, Polycom, and Yamaha are currently undergoing review. Contact the
vendors to obtain more information about affected products and fixes.
"NISCC Advisory 236929 – Vulnerability Issues in TCP"
(http://packetstormsecurity.org/0404-advisories/246929.html) details the
vendor patch status as of the time of the advisory, and identifies
resolutions and workarounds.
The Internet Engineering Task Force (IETF) has developed an
Internet-Draft titled "Transmission Control Protocol Security
Considerations" (http://www3.ietf.org/proceedings/05mar/slides/tcpm-4.pdf)
that addresses this issue.
Workaround:
The following BGP-specific workaround information has been provided.
For BGP implementations that support it, the TCP MD5 Signature Option
should be enabled. Passwords that the MD5 checksum is applied to should
be set to strong values and changed on a regular basis.
Secure BGP configuration instructions have been provided for Cisco and
Juniper at these locations:
http://www.cymru.com/Documents/secure-bgp-template.html
http://www.qorbit.net/documents/junos-bgp-template.pdf
References
n/a
Number
82054
plugin
qualys
plugin_id
82054
SSL Certificate Signed Using Weak Hashing Algorithm (CVSSv3.BaseScore 7.5)
CVSSv3Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Type
Internal
Description
The remote service uses an SSL certificate chain that has been signed
using a cryptographically weak hashing algorithm (e.g. MD2, MD4, MD5, or
SHA1). These signature algorithms are known to be vulnerable to
collision attacks. An attacker can exploit this to generate another
certificate with the same digital signature, allowing an attacker to
masquerade as the affected service.
Note that this plugin reports all SSL certificate chains signed with
SHA-1 that expire after January 1, 2017 as vulnerable. This is in
accordance with Google’s gradual sunsetting of the SHA-1 cryptographic
hash algorithm.
Note that certificates in the chain that are contained in the Nessus CA
database (known_CA.inc) have been ignored.
Solution
Contact the Certificate Authority to have the certificate reissued.
References
https://tools.ietf.org/html/rfc3279
http://www.nessus.org/u?9bb87bf2
http://www.nessus.org/u?e120eea1
http://www.nessus.org/u?5d894816
http://www.nessus.org/u?51db68aa
http://www.nessus.org/u?9dc7bfba
plugin
nessus
plugin_id
35291
CVSSv3.Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Type
External
Description
A vulnerability exists in Apache HTTP Server Versions 1.3.3 to 1.3.34.
This issue occurs due to the handling of invalid Expect headers.
An attacker can exploit this vulnerability to perform a cross-site
scripting attack.
Solution
Upgrade to the latest version of Apache, which is available for download
from the Apache Web site (http://www.apache.org/).
References
Apache 1.3
http://httpd.apache.org/security/vulnerabilities_13.html
Number
86821
plugin
qualys
plugin_id
86821
jira_id
10002
jira_key
SF-3
SSL Certificate Cannot Be Trusted (CVSSv3.BaseScore 6.5)
CVSSv3Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Type
Internal
Description
The server’s X.509 certificate cannot be trusted. This situation can
occur in three different ways, in which the chain of trust can be
broken, as stated below:
- First, the top of the certificate chain sent by the server might not
  be descended from a known public certificate authority. This can
  occur either when the top of the chain is an unrecognized,
  self-signed certificate, or when intermediate certificates are
  missing that would connect the top of the certificate chain to a
  known public certificate authority.
- Second, the certificate chain may contain a certificate that is not
  valid at the time of the scan. This can occur either when the scan
  occurs before one of the certificate’s ‘notBefore’ dates, or after
  one of the certificate’s ‘notAfter’ dates.
- Third, the certificate chain may contain a signature that either
  didn’t match the certificate’s information or could not be verified.
  Bad signatures can be fixed by getting the certificate with the bad
  signature to be re-signed by its issuer. Signatures that could not
  be verified are the result of the certificate’s issuer using a
  signing algorithm that Nessus either does not support or does not
  recognize.
If the remote host is a public host in production, any break in the
chain makes it more difficult for users to verify the authenticity and
identity of the web server. This could make it easier to carry out
man-in-the-middle attacks against the remote host.
Solution
Purchase or generate a proper certificate for this service.
References
https://www.itu.int/rec/T-REC-X.509/en
https://en.wikipedia.org/wiki/X.509
plugin
nessus
plugin_id
51192
Browsable Web Directories (CVSSv3.BaseScore 5.3)
CVSSv3Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Type
Internal
Description
Multiple Nessus plugins identified directories on the web server that
are browsable.
Solution
Make sure that browsable directories do not leak confidential
information or give access to sensitive resources. Additionally, use
access restrictions or disable directory indexing for any that do.
References
http://www.nessus.org/u?0a35179e
plugin
nessus
plugin_id
40984
HTTP TRACE / TRACK Methods Allowed (CVSSv3.BaseScore 5.3)
CVSSv3Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Type
Internal
Description
The remote web server supports the TRACE and/or TRACK methods. TRACE and
TRACK are HTTP methods that are used to debug web server connections.
Solution
Disable these methods. Refer to the plugin output for more information.
References
https://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
https://download.oracle.com/sunalerts/1000718.1.html
plugin
nessus
plugin_id
11213
SSL Certificate Expiry (CVSSv3.BaseScore 5.3)
CVSSv3Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Type
Internal
Description
This plugin checks expiry dates of certificates associated with
SSL-enabled services on the target and reports whether any have already
expired.
Solution
Purchase or generate a new SSL certificate to replace the existing one.
References
n/a
plugin
nessus
plugin_id
15901
Apache HTTPD: error responses can expose cookies (CVE-2012-0053) (CVSSv3.BaseScore 4.6)
CVSSv3.Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L
Type
Internal
Description
A flaw was found in the default error response for status code 400. This
flaw could be used by an attacker to expose “httpOnly” cookies when no
custom ErrorDocument is specified.
Solution
Apache HTTPD >= 2.0 and < 2.0.65
Many platforms and distributions provide pre-built binary packages for
Apache HTTP server. These pre-built packages are usually customized and
optimized for a particular distribution, therefore we recommend that you
use the packages if they are available for your operating system.
References
APPLE: APPLE-SA-2012-09-19-2
BID: 51706
CVE: CVE-2012-0053
REDHAT: RHSA-2012:0128
SECUNIA: 48551
URL: http://httpd.apache.org/security/vulnerabilities_20.html
URL: http://httpd.apache.org/security/vulnerabilities_22.html
plugin
nexpose
plugin_id
ntp-clock-variables-disclosure
CVSSv3.Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L
Type
External
Description
The Apache HTTP Server is a popular, open-source HTTP server for
multiple platforms, including Windows, Unix, and Linux.
A cache management feature for Apache makes use of an entity tag (ETag)
header. When this option is enabled and a request is made for a document
relating to a file, an ETag response header is returned containing
various file attributes for caching purposes. ETag information allows
subsequent file requests to contain specific information, such as the
file’s inode number.
A weakness has been found in the generation of ETag headers under
certain configurations implementing the FileETag directive. Among the
file attributes included in the header is the file inode number that is
returned to a client. In Apache Versions 1.3.22 and earlier, it’s not
possible to disable inodes in ETag headers. In later versions, the
default behavior is to release this sensitive information.
This vulnerability poses a security risk, as the disclosure of inode
information may aid in launching attacks against other network-based
services. For instance, NFS uses inode numbers to generate file handles.
Solution
OpenBSD has released a patch
(ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/008_httpd.patch)
that fixes this vulnerability. After installing the patch, inode numbers
returned from the server are encoded using a private hash to avoid the
release of sensitive information.
Customers are advised to upgrade to the latest version of Apache. In
Apache Version 1.3.23
(http://httpd.apache.org/docs/1.3/mod/core.html#fileetag)
and later, it’s possible to configure the FileETag directive to generate
ETag headers without inode information.
To do so, include:
"FileETag -INode"
in the Apache server configuration file for a specific subdirectory.
In order to fix this vulnerability globally, for the Web server, use the
option:
"FileETag None".
Use the option:
"FileETag MTime Size"
if you just want to remove the Inode information.
References
n/a
Number
86477
plugin
qualys
plugin_id
86477
SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (Logjam) (CVSSv3.BaseScore 3.7)
CVSSv3Vector
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Type
Internal
Description
The remote host allows SSL/TLS connections with one or more
Diffie-Hellman moduli less than or equal to 1024 bits. Through
cryptanalysis, a third party may be able to find the shared secret in a
short amount of time (depending on modulus size and attacker resources).
This may allow an attacker to recover the plaintext or potentially
violate the integrity of connections.
Solution
Reconfigure the service to use a unique Diffie-Hellman modulus of 2048
bits or greater.
References
https://weakdh.org/
plugin
nessus
plugin_id
83875
Secure HyperText Transfer Protocol (S-HTTP) Detection (CVSSv3.BaseScore 3.5)
CVSSv3.Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Type
Internal
Description
The remote web server accepts connections encrypted using Secure
HyperText Transfer Protocol (S-HTTP), a cryptographic layer that was
defined in 1999 by RFC 2660 and never widely implemented.
Solution
Rare or obsolete code is often poorly tested. Thus, it would be safer to
disable support for S-HTTP and use HTTPS instead.
References
http://tools.ietf.org/html/rfc2660
plugin
nessus
plugin_id
11720
SSL / TLS Renegotiation Handshakes MiTM Plaintext Data Injection (CVSSv3.BaseScore 2.4)
CVSSv3.Vector
CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N
Type
Internal
Description
The remote service encrypts traffic using TLS / SSL but allows a client
to renegotiate the connection after the initial handshake. An
unauthenticated remote attacker may be able to leverage this issue to
inject an arbitrary amount of plaintext into the beginning of the
application protocol stream, which could facilitate man-in-the-middle
attacks if the service assumes that the sessions before and after
renegotiation are from the same ‘client’ and merges them at the
application layer.
Solution
Contact the vendor for specific patch information.
References
http://extendedsubset.com/?p=8
http://www.ietf.org/mail-archive/web/tls/current/msg03948.html
http://www.kb.cert.org/vuls/id/120541
http://www.g-sec.lu/practicaltls.pdf
https://svn.resiprocate.org/rep/ietf-drafts/ekr/draft-rescorla-tls-renegotiate.txt
plugin
nessus
plugin_id
42880
ICMP Timestamp Request Remote Date Disclosure (CVSSv3.BaseScore 0.0)
CVSSv3Vector
CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
Type
Internal
Description
The remote host answers to an ICMP timestamp request. This allows an
attacker to know the date that is set on the targeted machine, which may
assist an unauthenticated, remote attacker in defeating time-based
authentication protocols.
Timestamps returned from machines running Windows Vista / 7 / 2008 /
2008 R2 are deliberately incorrect, but usually within 1000 seconds of
the actual system time.
Solution
Filter out the ICMP timestamp requests (13), and the outgoing ICMP
timestamp replies (14).
References
n/a
plugin
nessus
plugin_id
10114
Firewall Detected (CVSSv3.BaseScore 0.0)
CVSSv3.Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
Type
External
Description
A packet filtering device protecting this IP was detected. This is
likely to be a firewall or a router using access control lists (ACLs).
Solution
n/a
References
n/a
plugin
qualys
plugin_id
34011
CVSSv3Vector
n/a
Type
Internal
Description
By using information obtained from a Nessus scan, this plugin reports
CPE (Common Platform Enumeration) matches for various hardware and
software products found on a host.
Note that if an official CPE is not available for the product, this
plugin computes the best possible CPE based on the information available
from the scan.
Solution
n/a
References
http://cpe.mitre.org/
https://nvd.nist.gov/products/cpe
plugin
nessus
plugin_id
45590
Local Checks Not Enabled (info) (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
Nessus did not enable local checks on the remote host. This does not
necessarily indicate a problem with the scan. Credentials may not have
been provided, local checks may not be available for the target, the
target may not have been identified, or another issue may have occurred
that prevented local checks from being enabled. See plugin output for
details.
This plugin reports informational findings related to local checks not
being enabled. For failure information, see plugin 21745 :
‘Authentication Failure – Local Checks Not Run’.
Solution
n/a
References
n/a
plugin
nessus
plugin_id
117886
CVSSv3Vector
n/a
Type
Internal
Description
This plugin displays, for each tested host, information about the scan
itself:
- The version of the plugin set.
- The type of scanner (Nessus or Nessus Home).
- The version of the Nessus Engine.
- The port scanner(s) used.
- The port range scanned.
- Whether credentialed or third-party patch management checks are
possible.
- The date of the scan.
- The duration of the scan.
- The number of hosts scanned in parallel.
- The number of checks done in parallel.
Solution
n/a
References
n/a
plugin
nessus
plugin_id
19506
No Credentials Provided (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
Nessus was unable to execute credentialed checks because no credentials
were provided.
Solution
n/a
References
n/a
plugin
nessus
plugin_id
110723
SSL Cipher Block Chaining Cipher Suites Supported (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
The remote host supports the use of SSL ciphers that operate in Cipher
Block Chaining (CBC) mode. These cipher suites offer additional security
over Electronic Codebook (ECB) mode, but have the potential to leak
information if used improperly.
Solution
n/a
References
https://www.openssl.org/docs/manmaster/man1/ciphers.html
http://www.nessus.org/u?cc4a822a
https://www.openssl.org/~bodo/tls-cbc.txt
plugin
nessus
plugin_id
70544
TLS Version 1.0 Protocol Detection (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
The remote service accepts connections encrypted using TLS 1.0. TLS 1.0
has a number of cryptographic design flaws. Modern implementations of
TLS 1.0 mitigate these problems, but newer versions of TLS like 1.1 and
1.2 are designed against these flaws and should be used whenever
possible.
PCI DSS v3.2 requires that TLS 1.0 be disabled entirely by June 30,
2018, except for POS POI terminals (and the SSL/TLS termination points
to which they connect) that can be verified as not being susceptible to
any known exploits.
Solution
Enable support for TLS 1.1 and 1.2, and disable support for TLS 1.0.
References
n/a
plugin
nessus
plugin_id
104743
SSL Perfect Forward Secrecy Cipher Suites Supported (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
The remote host supports the use of SSL ciphers that offer Perfect
Forward Secrecy (PFS) encryption. These cipher suites ensure that
recorded SSL traffic cannot be broken at a future date if the server’s
private key is compromised.
Solution
n/a
References
https://www.openssl.org/docs/manmaster/man1/ciphers.html
https://en.wikipedia.org/wiki/Diffie-Hellman_key_exchange
https://en.wikipedia.org/wiki/Perfect_forward_secrecy
plugin
nessus
plugin_id
57041
TLS Version 1.1 Protocol Detection (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
The remote service accepts connections encrypted using TLS 1.1.
TLS 1.1 lacks support for current and recommended cipher suites.
Ciphers that support encryption before MAC computation, and
authenticated encryption modes such as GCM, cannot be used with TLS 1.1.
PCI DSS v3.2 still allows TLS 1.1 as of June 30, 2018, but strongly
recommends the use of TLS 1.2. A proposal is currently before the IETF
to fully deprecate TLS 1.1 and many vendors have already proactively
done this.
Solution
Enable support for TLS 1.2 and/or 1.3, and disable support for TLS 1.1.
References
https://tools.ietf.org/html/draft-ietf-tls-oldversions-deprecate-00
http://www.nessus.org/u?c8ae820d
plugin
nessus
plugin_id
121010
SSL Cipher Suites Supported (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
This plugin detects which SSL ciphers are supported by the remote
service for encrypting communications.
Solution
n/a
References
https://www.openssl.org/docs/man1.1.0/apps/ciphers.html
http://www.nessus.org/u?3a040ada
plugin
nessus
plugin_id
21643
Device Type (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
Based on the remote operating system, it is possible to determine what
the remote system type is (eg: a printer, router, general-purpose
computer, etc).
Solution
n/a
References
n/a
plugin
nessus
plugin_id
54615
OS Identification (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
Using a combination of remote probes (e.g., TCP/IP, SMB, HTTP, NTP,
SNMP, etc.), it is possible to guess the name of the remote operating
system in use. It is also possible sometimes to guess the version of the
operating system.
Solution
n/a
References
n/a
plugin
nessus
plugin_id
11936
Ethernet Card Manufacturer Detection (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
Each ethernet MAC address starts with a 24-bit Organizationally Unique
Identifier (OUI). These OUIs are registered by IEEE.
Solution
n/a
References
https://standards.ieee.org/faqs/regauth.html
http://www.nessus.org/u?794673b4
plugin
nessus
plugin_id
35716
Ethernet MAC Addresses (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
This plugin gathers MAC addresses discovered from both remote probing of
the host (e.g. SNMP and Netbios) and from running local checks (e.g.
ifconfig). It then consolidates the MAC addresses into a single, unique,
and uniform list.
Solution
n/a
References
n/a
plugin
nessus
plugin_id
86420
SSL Certificate ‘commonName’ Mismatch (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
The service running on the remote host presents an SSL certificate for
which the ‘commonName’ (CN) attribute does not match the hostname on
which the service listens.
Solution
If the machine has several names, make sure that users connect to the
service through the DNS hostname that matches the common name in the
certificate.
References
n/a
plugin
nessus
plugin_id
45410
SSL Self-Signed Certificate (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
The X.509 certificate chain for this service is not signed by a
recognized certificate authority. If the remote host is a public host in
production, this nullifies the use of SSL as anyone could establish a
man-in-the-middle attack against the remote host.
Note that this plugin does not check for certificate chains that end in
a certificate that is not self-signed, but is signed by an unrecognized
certificate authority.
Solution
Purchase or generate a proper certificate for this service.
References
n/a
plugin
nessus
plugin_id
57582
CVSSv3Vector
n/a
Type
Internal
Description
The remote service uses an SSL certificate chain that contains a
self-signed root Certification Authority certificate at the top of the
chain.
Solution
Ensure that use of this root Certification Authority certificate
complies with your organization’s acceptable use and security policies.
References
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc778623(v=ws.10)
plugin
nessus
plugin_id
94761
OpenSSL Detection (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
Based on its response to a TLS request with a specially crafted server
name extension, it seems that the remote service is using the OpenSSL
library to encrypt traffic.
Note that this plugin can only detect OpenSSL implementations that have
enabled support for TLS extensions (RFC 4366).
Solution
n/a
References
https://www.openssl.org/
plugin
nessus
plugin_id
50845
TLS ALPN Supported Protocol Enumeration (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
The remote host supports the TLS ALPN extension. This plugin enumerates
the protocols the extension supports.
Solution
n/a
References
https://tools.ietf.org/html/rfc7301
plugin
nessus
plugin_id
84821
CVSSv3Vector
n/a
Type
Internal
Description
This plugin connects to every SSL-related port and attempts to extract
and dump the X.509 certificate.
Solution
n/a
References
n/a
plugin
nessus
plugin_id
10863
HSTS Missing From HTTPS Server (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
The remote HTTPS server is not enforcing HTTP Strict Transport Security
(HSTS). The lack of HSTS allows downgrade attacks, SSL-stripping
man-in-the-middle attacks, and weakens cookie-hijacking protections.
Solution
Configure the remote web server to use HSTS.
References
https://tools.ietf.org/html/rfc6797
plugin
nessus
plugin_id
84502
SSL / TLS Versions Supported (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
This plugin detects which SSL and TLS versions are supported by the
remote service for encrypting communications.
Solution
n/a
References
n/a
plugin
nessus
plugin_id
56984
SSH Protocol Versions Supported (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
This plugin determines the versions of the SSH protocol supported by the
remote SSH daemon.
Solution
n/a
References
n/a
plugin
nessus
plugin_id
10881
FTP Server Detection (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
It is possible to obtain the banner of the remote FTP server by
connecting to a remote port.
Solution
n/a
References
n/a
plugin
nessus
plugin_id
10092
SSH Algorithms and Languages Supported (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
This script detects which algorithms and languages are supported by the
remote service for encrypting communications.
Solution
n/a
References
n/a
plugin
nessus
plugin_id
70657
CVSSv3Vector
n/a
Type
Internal
Description
It is possible to obtain information about the remote SSH server by
sending an empty authentication request.
Solution
n/a
References
n/a
plugin
nessus
plugin_id
10267
OpenSSL Version Detection (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
Nessus was able to extract the OpenSSL version from the web server’s
banner. Note that security patches in many cases are backported and the
displayed version number does not show the patch level. Using it to
identify vulnerable software is likely to lead to false detections.
Solution
n/a
References
https://www.openssl.org/
plugin
nessus
plugin_id
57323
Apache HTTP Server Version (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
The remote host is running the Apache HTTP Server, an open source web
server. It was possible to read the version number from the banner.
Solution
n/a
References
https://httpd.apache.org/
plugin
nessus
plugin_id
48204
PHP Version Detection (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
Nessus was able to determine the version of PHP available on the remote
web server.
Solution
n/a
References
n/a
plugin
nessus
plugin_id
48243
JQuery Detection (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
Nessus was able to detect JQuery on the remote host.
Solution
n/a
References
https://jquery.com/
plugin
nessus
plugin_id
106658
HyperText Transfer Protocol (HTTP) Information (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
This test gives some information about the remote HTTP protocol – the
version used, whether HTTP Keep-Alive and HTTP pipelining are enabled,
etc…
This test is informational only and does not denote any security
problem.
Solution
n/a
References
n/a
plugin
nessus
plugin_id
24260
HTTP Server Type and Version (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
This plugin attempts to determine the type and the version of the remote
web server.
Solution
n/a
References
n/a
plugin
nessus
plugin_id
10107
Host Fully Qualified Domain Name (FQDN) Resolution (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
Nessus was able to resolve the fully qualified domain name (FQDN) of the
remote host.
Solution
n/a
References
n/a
plugin
nessus
plugin_id
12053
mDNS Detection (Local Network) (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
The remote service understands the Bonjour (also known as ZeroConf or
mDNS) protocol, which allows anyone to uncover information from the
remote host such as its operating system type and exact version, its
hostname, and the list of services it is running.
This plugin attempts to discover mDNS used by hosts residing on the same
network segment as Nessus.
Solution
Filter incoming traffic to UDP port 5353, if desired.
References
n/a
plugin
nessus
plugin_id
66717
TCP/IP Timestamps Supported (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
The remote host implements TCP timestamps, as defined by RFC1323. A side
effect of this feature is that the uptime of the remote host can
sometimes be computed.
Solution
n/a
References
http://www.ietf.org/rfc/rfc1323.txt
plugin
nessus
plugin_id
25220
CVSSv3Vector
n/a
Type
Internal
Description
Makes a traceroute to the remote host.
Solution
n/a
References
n/a
plugin
nessus
plugin_id
10287
Web Server Office File Inventory (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
This plugin connects to the remote web server and attempts to find
office-related files such as .doc, .ppt, .xls, .pdf etc.
Solution
Make sure that such files do not contain any confidential or otherwise
sensitive information and that they are only accessible to those with
valid credentials.
References
n/a
plugin
nessus
plugin_id
11419
CVSSv3Vector
n/a
Type
Internal
Description
The PHP install on the remote server is configured in a way that allows
disclosure of potentially sensitive information to an attacker through a
special URL. Such a URL triggers an Easter egg built into PHP itself.
Other such Easter eggs likely exist, but Nessus has not checked for
them.
Solution
In the PHP configuration file, php.ini, set the value for ‘expose_php’
to ‘Off’ to disable this behavior. Restart the web server daemon to put
this change into effect.
References
https://www.0php.com/php_easter_egg.php
https://seclists.org/webappsec/2004/q4/324
plugin
nessus
plugin_id
46803
HTTP Methods Allowed (per directory) (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
By calling the OPTIONS method, it is possible to determine which HTTP
methods are allowed on each directory.
The following HTTP methods are considered insecure:
PUT, DELETE, CONNECT, TRACE, HEAD
Many frameworks and languages treat ‘HEAD’ as a ‘GET’ request, albeit
one without any body in the response. If a security constraint was set
on ‘GET’ requests such that only ‘authenticatedUsers’ could access GET
requests for a particular servlet or resource, it would be bypassed for
the ‘HEAD’ version. This allowed unauthorized blind submission of any
privileged GET request.
As this list may be incomplete, the plugin also tests – if ‘Thorough
tests’ are enabled or ‘Enable web applications tests’ is set to ‘yes’ in
the scan policy – various known HTTP methods on each directory and
considers them as unsupported if it receives a response code of 400,
403, 405, or 501.
Note that the plugin output is only informational and does not
necessarily indicate the presence of any security vulnerabilities.
Solution
n/a
References
http://www.nessus.org/u?d9c03a9a
http://www.nessus.org/u?b019cbdb
https://www.owasp.org/index.php/Test_HTTP_Methods_(OTG-CONFIG-006)
plugin
nessus
plugin_id
43111
HyperText Transfer Protocol (HTTP) Redirect Information (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
The remote web server issues an HTTP redirect when requesting the root
directory of the web server.
This plugin is informational only and does not denote a security
problem.
Solution
Analyze the redirect(s) to verify that this is valid operation for your
web server and/or application.
References
n/a
plugin
nessus
plugin_id
91634
CVSSv3Vector
n/a
Type
Internal
Description
The remote web server in some responses sets a permissive
X-Frame-Options response header or does not set one at all.
The X-Frame-Options header has been proposed by Microsoft as a way to
mitigate clickjacking attacks and is currently supported by all major
browser vendors.
Solution
Set a properly configured X-Frame-Options header for all requested
resources.
References
https://en.wikipedia.org/wiki/Clickjacking
http://www.nessus.org/u?399b1f56
plugin
nessus
plugin_id
50345
Web Application Sitemap (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
The remote web server contains linkable content that can be used to
gather information about a target.
Solution
n/a
References
http://www.nessus.org/u?5496c8d9
plugin
nessus
plugin_id
91815
External URLs (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
Nessus gathered HREF links to external sites by crawling the remote web
server.
Solution
n/a
References
n/a
plugin
nessus
plugin_id
49704
Web Application Potentially Vulnerable to Clickjacking (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
The remote web server does not set an X-Frame-Options response header or
a Content-Security-Policy ‘frame-ancestors’ response header in all
content responses. This could potentially expose the site to a
clickjacking or UI redress attack, in which an attacker can trick a user
into clicking an area of the vulnerable page that is different than what
the user perceives the page to be. This can result in a user performing
fraudulent or malicious transactions.
X-Frame-Options has been proposed by Microsoft as a way to mitigate
clickjacking attacks and is currently supported by all major browser
vendors.
Content-Security-Policy (CSP) has been proposed by the W3C Web
Application Security Working Group, with increasing support among all
major browser vendors, as a way to mitigate clickjacking and other
attacks. The ‘frame-ancestors’ policy directive restricts which sources
can embed the protected resource.
Note that while the X-Frame-Options and Content-Security-Policy response
headers are not the only mitigations for clickjacking, they are
currently the most reliable methods that can be detected through
automation. Therefore, this plugin may produce false positives if other
mitigation strategies (e.g., frame-busting JavaScript) are deployed or
if the page does not perform any security-sensitive transactions.
Solution
Return the X-Frame-Options or Content-Security-Policy (with the
‘frame-ancestors’ directive) HTTP header with the page’s response.
This prevents the page’s content from being rendered by another site
when using the frame or iframe HTML tags.
References
http://www.nessus.org/u?399b1f56
https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
https://en.wikipedia.org/wiki/Clickjacking
plugin
nessus
plugin_id
85582
CVSSv3Vector
n/a
Type
Internal
Description
The remote web server in some responses sets a permissive
Content-Security-Policy (CSP) frame-ancestors response header or does
not set one at all.
The CSP frame-ancestors header has been proposed by the W3C Web
Application Security Working Group as a way to mitigate cross-site
scripting and clickjacking attacks.
Solution
Set a non-permissive Content-Security-Policy frame-ancestors header for
all requested resources.
References
http://www.nessus.org/u?55aa8f57
http://www.nessus.org/u?07cc2a06
https://content-security-policy.com/
https://www.w3.org/TR/CSP2/
plugin
nessus
plugin_id
50344
Web mirroring (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
This plugin makes a mirror of the remote website(s) and extracts the
list of CGIs that are used by the remote host.
It is suggested that you change the number of pages to mirror in the
‘Options’ section of the client.
Solution
n/a
References
n/a
plugin
nessus
plugin_id
10662
Web Server Directory Enumeration (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
This plugin attempts to determine the presence of various common
directories on the remote web server. By sending a request for a
directory, the web server response code indicates if it is a valid
directory or not.
Solution
n/a
References
http://projects.webappsec.org/w/page/13246953/Predictable%20Resource%20Location
plugin
nessus
plugin_id
11032
6.8 nessus: Web Application Test
The vulnerabilities listed below are ordered in descending order of their CVSSv3.BaseScore, by which the severity of a vulnerability is defined by the nessus vendor Tenable. The following table gives an overview of the meaning of the value ranges:
Source: https://www.first.org/cvss/specification-document
For the ten vulnerabilities in total with a severity of Critical, High or Medium, proposed solutions for better hardening of the system are to be developed, i.e. the scope covers the range 4.0 to 10.0 of the CVSSv3.BaseScore.
Blind SQL Injection (CVSSv3.BaseScore 9.8)
CVSSv3.Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Type
Internal
Description
This script is possibly vulnerable to SQL Injection attacks.
SQL injection is a vulnerability that allows an attacker to alter
back-end SQL statements by manipulating the user input. An SQL injection
occurs when web applications accept user input that is directly placed
into a SQL statement and doesn’t properly filter out dangerous
characters.
This is one of the most common application layer attacks currently being
used on the Internet. Despite the fact that it is relatively easy to
protect against, there is a large number of web applications vulnerable.
An attacker may execute arbitrary SQL statements on the vulnerable
system. This may compromise the integrity of your database and/or expose
sensitive information.
Depending on the backend database in use, SQL injection vulnerabilities
lead to varying levels of data/system access for the attacker. It may be
possible to not only manipulate existing queries, but to UNION in
arbitrary data, use subselects, or append additional queries. In some
cases, it may be possible to read in or write out to files or to execute
shell commands on the underlying operating system.
Certain SQL Servers such as Microsoft SQL Server contain stored and
extended procedures (database server functions). If an attacker can
obtain access to these procedures it may be possible to compromise the
entire machine.
Solution
Your script should filter metacharacters from user input.
Check detailed information for more information about fixing this
vulnerability.
References
Acunetix SQL Injection Attack
http://www.acunetix.com/websitesecurity/sql-injection.htm
VIDEO: SQL Injection tutorial
http://www.acunetix.com/blog/web-security-zone/video-sql-injection-tutorial/
OWASP Injection Flaws
http://www.owasp.org/index.php/Injection_Flaws
How to check for SQL injection vulnerabilities
http://www.acunetix.com/websitesecurity/sql-injection2/
SQL Injection Walkthrough
http://www.securiteam.com/securityreviews/5DP0N1P76E.html
OWASP PHP Top 5
http://www.owasp.org/index.php/PHP_Top_5
plugin
acunetix
plugin_id
Scripting (Blind_Sql_Injection.script)/Blind SQL Injection
TCP Sequence Number Approximation Based Denial of Service (CVSSv3.BaseScore 7.5)
CVSSv3.Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Type
Internal
Description
TCP provides stateful communications between hosts on a network. TCP
sessions are established by a three-way handshake and use random 32-bit
sequence and acknowledgment numbers to ensure the validity of traffic. A
vulnerability was reported that may permit TCP sequence numbers to be
more easily approximated by remote attackers. This issue affects
products released by multiple vendors.
The cause of the vulnerability is that affected implementations will
accept TCP sequence numbers within a certain range, known as the
acknowledgement range, of the expected sequence number for a packet in
the session. This is determined by the TCP window size, which is
negotiated during the three-way handshake for the session. Larger TCP
window sizes may be set to allow for more throughput, but the larger the
TCP window size, the more probable it is to guess a TCP sequence number
that falls within an acceptable range. It was initially thought that
guessing an acceptable sequence number was relatively difficult for most
implementations given random distribution, making this type of attack
impractical. However, some implementations may make it easier to
successfully approximate an acceptable TCP sequence number, making these
attacks possible with a number of protocols and implementations.
This is further compounded by the fact that some implementations may
support the use of the TCP Window Scale Option, as described in RFC
1323, to extend the TCP window size to a maximum value of 1 billion.
This vulnerability will permit a remote attacker to inject a SYN or RST
packet into the session, causing it to be reset and effectively allowing
for denial of service attacks. An attacker would exploit this issue by
sending a packet to a receiving implementation with an approximated
sequence number and a forged source IP address and TCP port.
There are a few factors that may present viable target implementations,
such as those which depend on long-lived TCP connections, those that
have known or easily guessed IP address endpoints and those
implementations with easily guessed TCP source ports. It has been noted
that Border Gateway Protocol (BGP) is reported to be particularly
vulnerable to this type of attack, due to the use of long-lived TCP
sessions and the possibility that some implementations may use the TCP
Window Scale Option. As a result, this issue is likely to affect a
number of routing platforms.
Another factor to consider is the relative difficulty of injecting
packets into TCP sessions, as a number of receiving implementations will
reassemble packets in order, dropping any duplicates. This may make some
implementations more resistant to attacks than others.
It should be noted that while a number of vendors have confirmed this
issue in various products, investigations are ongoing and it is likely
that many other vendors and products will turn out to be vulnerable as
the issue is investigated further.
Successful exploitation of this issue could lead to denial of service
attacks on the TCP based services of target hosts. Other consequences
may also result, such as man-in-the-middle attacks.
Solution
Please first check the results section below for the port number on
which this vulnerability was detected. If that port number is known to
be used for port-forwarding, then it is the backend host that is really
vulnerable.
Various implementations and products including Check Point, Cisco, Cray
Inc, Hitachi, Internet Initiative Japan, Inc (IIJ), Juniper Networks,
NEC, Polycom, and Yamaha are currently undergoing review. Contact the
vendors to obtain more information about affected products and fixes.
NISCC Advisory 236929 – Vulnerability Issues in TCP
(http://packetstormsecurity.org/0404-advisories/246929.html) details
the vendor patch status as of the time of the advisory, and identifies
resolutions and workarounds.
The Internet Engineering Task Force (IETF) has developed an
Internet-Draft titled Transmission Control Protocol Security
Considerations (http://www3.ietf.org/proceedings/05mar/slides/tcpm-4.pdf)
that addresses this issue.
Workaround:
The following BGP-specific workaround information has been provided.
For BGP implementations that support it, the TCP MD5 Signature Option
should be enabled. Passwords that the MD5 checksum is applied to should
be set to strong values and changed on a regular basis.
Secure BGP configuration instructions have been provided for Cisco and
Juniper at these locations:
http://www.cymru.com/Documents/secure-bgp-template.html
http://www.qorbit.net/documents/junos-bgp-template.pdf
References
n/a
Number
82054
plugin
qualys
plugin_id
82054
SSL Certificate Signed Using Weak Hashing Algorithm (CVSSv3.BaseScore 7.5)
CVSSv3Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Type
Internal
Description
The remote service uses an SSL certificate chain that has been signed
using a cryptographically weak hashing algorithm (e.g. MD2, MD4, MD5, or
SHA1). These signature algorithms are known to be vulnerable to
collision attacks. An attacker can exploit this to generate another
certificate with the same digital signature, allowing an attacker to
masquerade as the affected service.
Note that this plugin reports all SSL certificate chains signed with
SHA-1 that expire after January 1, 2017 as vulnerable. This is in
accordance with Google’s gradual sunsetting of the SHA-1 cryptographic
hash algorithm.
Note that certificates in the chain that are contained in the Nessus CA
database (known_CA.inc) have been ignored.
Solution
Contact the Certificate Authority to have the certificate reissued.
References
https://tools.ietf.org/html/rfc3279
http://www.nessus.org/u?9bb87bf2
http://www.nessus.org/u?e120eea1
http://www.nessus.org/u?5d894816
http://www.nessus.org/u?51db68aa
http://www.nessus.org/u?9dc7bfba
plugin
nessus
plugin_id
35291
Apache 1.3 HTTP Server Expect Header Cross-Site Scripting (CVSSv3.BaseScore 7.3)
CVSSv3.Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Type
External
Description
A vulnerability exists in Apache HTTP Server Versions 1.3.3 to 1.3.34.
This issue occurs due to the handling of invalid Expect headers.
An attacker can exploit this vulnerability to perform a cross-site
scripting attack.
Solution
Upgrade to the latest version of Apache, which is available for download
from the Apache Web site (http://www.apache.org/).
References
Apache 1.3
http://httpd.apache.org/security/vulnerabilities_13.html
Number
86821
plugin
qualys
plugin_id
86821
jira_id
10002
jira_key
SF-3
SSL Certificate Cannot Be Trusted (CVSSv3.BaseScore 6.5)
CVSSv3Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Type
Internal
Description
The server’s X.509 certificate cannot be trusted. This situation can
occur in three different ways, in which the chain of trust can be
broken, as stated below:
First, the top of the certificate chain sent by the server might not
be descended from a known public certificate authority. This can
occur either when the top of the chain is an unrecognized,
self-signed certificate, or when intermediate certificates are
missing that would connect the top of the certificate chain to a
known public certificate authority.
Second, the certificate chain may contain a certificate that is not
valid at the time of the scan. This can occur either when the scan
occurs before one of the certificate’s ‘notBefore’ dates, or after
one of the certificate’s ‘notAfter’ dates.
Third, the certificate chain may contain a signature that either
didn’t match the certificate’s information or could not be verified.
Bad signatures can be fixed by getting the certificate with the bad
signature to be re-signed by its issuer. Signatures that could not
be verified are the result of the certificate’s issuer using a
signing algorithm that Nessus either does not support or does not
recognize.
If the remote host is a public host in production, any break in the
chain makes it more difficult for users to verify the authenticity and
identity of the web server. This could make it easier to carry out
man-in-the-middle attacks against the remote host.
Solution
Purchase or generate a proper certificate for this service.
References
https://www.itu.int/rec/T-REC-X.509/en
https://en.wikipedia.org/wiki/X.509
plugin
nessus
plugin_id
51192
Browsable Web Directories (CVSSv3.BaseScore 5.3)
CVSSv3Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Type
Internal
Description
Multiple Nessus plugins identified directories on the web server that
are browsable.
Solution
Make sure that browsable directories do not leak confidential
information or give access to sensitive resources. Additionally, use
access restrictions or disable directory indexing for any that do.
References
http://www.nessus.org/u?0a35179e
plugin
nessus
plugin_id
40984
HTTP TRACE / TRACK Methods Allowed (CVSSv3.BaseScore 5.3)
CVSSv3Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Type
Internal
Description
The remote web server supports the TRACE and/or TRACK methods. TRACE and
TRACK are HTTP methods that are used to debug web server connections.
Solution
Disable these methods. Refer to the plugin output for more information.
References
https://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
https://download.oracle.com/sunalerts/1000718.1.html
plugin
nessus
plugin_id
11213
SSL Certificate Expiry (CVSSv3.BaseScore 5.3)
CVSSv3Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Type
Internal
Description
This plugin checks expiry dates of certificates associated with
SSL-enabled services on the target and reports whether any have already
expired.
Solution
Purchase or generate a new SSL certificate to replace the existing one.
References
n/a
plugin
nessus
plugin_id
15901
Apache HTTPD: error responses can expose cookies (CVE-2012-0053) (CVSSv3.BaseScore 4.6)
CVSSv3.Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L
Type
Internal
Description
A flaw was found in the default error response for status code 400. This
flaw could be used by an attacker to expose “httpOnly” cookies when no
custom ErrorDocument is specified.
Solution
Apache HTTPD >= 2.0 and < 2.0.65
Many platforms and distributions provide pre-built binary packages for
Apache HTTP server. These pre-built packages are usually customized and
optimized for a particular distribution, therefore we recommend that you
use the packages if they are available for your operating system.
References
APPLE: APPLE-SA-2012-09-19-2
BID: 51706
CVE: CVE-2012-0053
REDHAT: RHSA-2012:0128
SECUNIA: 48551
URL: http://httpd.apache.org/security/vulnerabilities_20.html
URL: http://httpd.apache.org/security/vulnerabilities_22.html
plugin
nexpose
plugin_id
ntp-clock-variables-disclosure
Apache Web Server ETag Header Information Disclosure Weakness (CVSSv3.BaseScore 4.6)
CVSSv3.Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L
Type
External
Description
The Apache HTTP Server is a popular, open-source HTTP server for
multiple platforms, including Windows, Unix, and Linux.
A cache management feature for Apache makes use of an entity tag (ETag)
header. When this option is enabled and a request is made for a document
relating to a file, an ETag response header is returned containing
various file attributes for caching purposes. ETag information allows
subsequent file requests to contain specific information, such as the
file’s inode number.
A weakness has been found in the generation of ETag headers under
certain configurations implementing the FileETag directive. Among the
file attributes included in the header is the file inode number that is
returned to a client. In Apache Versions 1.3.22 and earlier, it’s not
possible to disable inodes in ETag headers. In later versions, the
default behavior is to release this sensitive information.
This vulnerability poses a security risk, as the disclosure of inode
information may aid in launching attacks against other network-based
services. For instance, NFS uses inode numbers to generate file handles.
Solution
OpenBSD has released a patch
(ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/008_httpd.patch)
that fixes this vulnerability. After installing the patch, inode numbers
returned from the server are encoded using a private hash to avoid the
release of sensitive information.
Customers are advised to upgrade to the latest version of Apache. In
Apache Version 1.3.23
(http://httpd.apache.org/docs/1.3/mod/core.html#fileetag) and later,
it’s possible to configure the FileETag directive to generate ETag
headers without inode information.
To do so, include:
in the Apache server configuration file for a specific subdirectory.
In order to fix this vulnerability globally, for the Web server, use the
option:
Use the option:
if you just want to remove the Inode information.
References
n/a
Number
86477
plugin
qualys
plugin_id
86477
SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (Logjam) (CVSSv3.BaseScore 3.7)
CVSSv3Vector
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Type
Internal
Description
The remote host allows SSL/TLS connections with one or more
Diffie-Hellman moduli less than or equal to 1024 bits. Through
cryptanalysis, a third party may be able to find the shared secret in a
short amount of time (depending on modulus size and attacker resources).
This may allow an attacker to recover the plaintext or potentially
violate the integrity of connections.
Solution
Reconfigure the service to use a unique Diffie-Hellman modulus of 2048
bits or greater.
References
https://weakdh.org/
plugin
nessus
plugin_id
83875
Secure HyperText Transfer Protocol (S-HTTP) Detection (CVSSv3.BaseScore 3.5)
CVSSv3.Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Type
Internal
Description
The remote web server accepts connections encrypted using Secure
HyperText Transfer Protocol (S-HTTP), a cryptographic layer that was
defined in 1999 by RFC 2660 and never widely implemented.
Solution
Rare or obsolete code is often poorly tested. Thus, it would be safer to
disable support for S-HTTP and use HTTPS instead.
References
http://tools.ietf.org/html/rfc2660
plugin
nessus
plugin_id
11720
SSL / TLS Renegotiation Handshakes MiTM Plaintext Data Injection (CVSSv3.BaseScore 2.4)
CVSSv3.Vector
CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N
Type
Internal
Description
The remote service encrypts traffic using TLS / SSL but allows a client
to renegotiate the connection after the initial handshake. An
unauthenticated remote attacker may be able to leverage this issue to
inject an arbitrary amount of plaintext into the beginning of the
application protocol stream, which could facilitate man-in-the-middle
attacks if the service assumes that the sessions before and after
renegotiation are from the same ‘client’ and merges them at the
application layer.
Solution
Contact the vendor for specific patch information.
References
http://extendedsubset.com/?p=8
http://www.ietf.org/mail-archive/web/tls/current/msg03948.html
http://www.kb.cert.org/vuls/id/120541
http://www.g-sec.lu/practicaltls.pdf
https://svn.resiprocate.org/rep/ietf-drafts/ekr/draft-rescorla-tls-renegotiate.txt
plugin
nessus
plugin_id
42880
ICMP Timestamp Request Remote Date Disclosure (CVSSv3.BaseScore 0.0)
CVSSv3Vector
CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
Type
Internal
Description
The remote host answers to an ICMP timestamp request. This allows an
attacker to know the date that is set on the targeted machine, which may
assist an unauthenticated, remote attacker in defeating time-based
authentication protocols.
Timestamps returned from machines running Windows Vista / 7 / 2008 /
2008 R2 are deliberately incorrect, but usually within 1000 seconds of
the actual system time.
Solution
Filter out the ICMP timestamp requests (13), and the outgoing ICMP
timestamp replies (14).
References
n/a
plugin
nessus
plugin_id
10114
Firewall Detected (CVSSv3.BaseScore 0.0)
CVSSv3.Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
Type
External
Description
A packet filtering device protecting this IP was detected. This is
likely to be a firewall or a router using access control lists (ACLs).
Solution
n/a
References
n/a
plugin
qualys
plugin_id
34011
Common Platform Enumeration (CPE) (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
By using information obtained from a Nessus scan, this plugin reports
CPE (Common Platform Enumeration) matches for various hardware and
software products found on a host.
Note that if an official CPE is not available for the product, this
plugin computes the best possible CPE based on the information available
from the scan.
Solution
n/a
References
http://cpe.mitre.org/
https://nvd.nist.gov/products/cpe
plugin
nessus
plugin_id
45590
Local Checks Not Enabled (info) (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
Nessus did not enable local checks on the remote host. This does not
necessarily indicate a problem with the scan. Credentials may not have
been provided, local checks may not be available for the target, the
target may not have been identified, or another issue may have occurred
that prevented local checks from being enabled. See plugin output for
details.
This plugin reports informational findings related to local checks not
being enabled. For failure information, see plugin 21745:
‘Authentication Failure – Local Checks Not Run’.
Solution
n/a
References
n/a
plugin
nessus
plugin_id
117886
Nessus Scan Information (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
This plugin displays, for each tested host, information about the scan
itself:
possible.
Solution
n/a
References
n/a
plugin
nessus
plugin_id
19506
No Credentials Provided (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
Nessus was unable to execute credentialed checks because no credentials
were provided.
Solution
n/a
References
n/a
plugin
nessus
plugin_id
110723
SSL Cipher Block Chaining Cipher Suites Supported (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
The remote host supports the use of SSL ciphers that operate in Cipher
Block Chaining (CBC) mode. These cipher suites offer additional security
over Electronic Codebook (ECB) mode, but have the potential to leak
information if used improperly.
Solution
n/a
References
https://www.openssl.org/docs/manmaster/man1/ciphers.html
http://www.nessus.org/u?cc4a822a
https://www.openssl.org/~bodo/tls-cbc.txt
plugin
nessus
plugin_id
70544
TLS Version 1.0 Protocol Detection (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
The remote service accepts connections encrypted using TLS 1.0. TLS 1.0
has a number of cryptographic design flaws. Modern implementations of
TLS 1.0 mitigate these problems, but newer versions of TLS like 1.1 and
1.2 are designed against these flaws and should be used whenever
possible.
PCI DSS v3.2 requires that TLS 1.0 be disabled entirely by June 30,
2018, except for POS POI terminals (and the SSL/TLS termination points
to which they connect) that can be verified as not being susceptible to
any known exploits.
Solution
Enable support for TLS 1.1 and 1.2, and disable support for TLS 1.0.
References
n/a
plugin
nessus
plugin_id
104743
SSL Perfect Forward Secrecy Cipher Suites Supported (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
The remote host supports the use of SSL ciphers that offer Perfect
Forward Secrecy (PFS) encryption. These cipher suites ensure that
recorded SSL traffic cannot be broken at a future date if the server’s
private key is compromised.
Solution
n/a
References
https://www.openssl.org/docs/manmaster/man1/ciphers.html
https://en.wikipedia.org/wiki/Diffie-Hellman_key_exchange
https://en.wikipedia.org/wiki/Perfect_forward_secrecy
plugin
nessus
plugin_id
57041
TLS Version 1.1 Protocol Detection (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
The remote service accepts connections encrypted using TLS 1.1.
TLS 1.1 lacks support for current and recommended cipher suites.
Ciphers that support encryption before MAC computation, and
authenticated encryption modes such as GCM, cannot be used with TLS 1.1.
PCI DSS v3.2 still allows TLS 1.1 as of June 30, 2018, but strongly
recommends the use of TLS 1.2. A proposal is currently before the IETF
to fully deprecate TLS 1.1 and many vendors have already proactively
done this.
Solution
Enable support for TLS 1.2 and/or 1.3, and disable support for TLS 1.1.
References
https://tools.ietf.org/html/draft-ietf-tls-oldversions-deprecate-00
http://www.nessus.org/u?c8ae820d
plugin
nessus
plugin_id
121010
SSL Cipher Suites Supported (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
This plugin detects which SSL ciphers are supported by the remote
service for encrypting communications.
Solution
n/a
References
https://www.openssl.org/docs/man1.1.0/apps/ciphers.html
http://www.nessus.org/u?3a040ada
plugin
nessus
plugin_id
21643
Device Type (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
Based on the remote operating system, it is possible to determine what
the remote system type is (eg: a printer, router, general-purpose
computer, etc).
Solution
n/a
References
n/a
plugin
nessus
plugin_id
54615
OS Identification (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
Using a combination of remote probes (e.g., TCP/IP, SMB, HTTP, NTP,
SNMP, etc.), it is possible to guess the name of the remote operating
system in use. It is also possible sometimes to guess the version of the
operating system.
Solution
n/a
References
n/a
plugin
nessus
plugin_id
11936
Ethernet Card Manufacturer Detection (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
Each ethernet MAC address starts with a 24-bit Organizationally Unique
Identifier (OUI). These OUIs are registered by IEEE.
Solution
n/a
References
https://standards.ieee.org/faqs/regauth.html
http://www.nessus.org/u?794673b4
plugin
nessus
plugin_id
35716
Ethernet MAC Addresses (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
This plugin gathers MAC addresses discovered from both remote probing of
the host (e.g. SNMP and Netbios) and from running local checks (e.g.
ifconfig). It then consolidates the MAC addresses into a single, unique,
and uniform list.
Solution
n/a
References
n/a
plugin
nessus
plugin_id
86420
SSL Certificate ‘commonName’ Mismatch (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
The service running on the remote host presents an SSL certificate for
which the ‘commonName’ (CN) attribute does not match the hostname on
which the service listens.
Solution
If the machine has several names, make sure that users connect to the
service through the DNS hostname that matches the common name in the
certificate.
References
n/a
plugin
nessus
plugin_id
45410
SSL Self-Signed Certificate (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
The X.509 certificate chain for this service is not signed by a
recognized certificate authority. If the remote host is a public host in
production, this nullifies the use of SSL as anyone could establish a
man-in-the-middle attack against the remote host.
Note that this plugin does not check for certificate chains that end in
a certificate that is not self-signed, but is signed by an unrecognized
certificate authority.
Solution
Purchase or generate a proper certificate for this service.
References
n/a
plugin
nessus
plugin_id
57582
SSL Root Certification Authority Certificate Information (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
The remote service uses an SSL certificate chain that contains a
self-signed root Certification Authority certificate at the top of the
chain.
Solution
Ensure that use of this root Certification Authority certificate
complies with your organization’s acceptable use and security policies.
References
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc778623(v=ws.10)
plugin
nessus
plugin_id
94761
OpenSSL Detection (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
Based on its response to a TLS request with a specially crafted server
name extension, it seems that the remote service is using the OpenSSL
library to encrypt traffic.
Note that this plugin can only detect OpenSSL implementations that have
enabled support for TLS extensions (RFC 4366).
Solution
n/a
References
https://www.openssl.org/
plugin
nessus
plugin_id
50845
TLS ALPN Supported Protocol Enumeration (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
The remote host supports the TLS ALPN extension. This plugin enumerates
the protocols the extension supports.
Solution
n/a
References
https://tools.ietf.org/html/rfc7301
plugin
nessus
plugin_id
84821
SSL Certificate Information (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
This plugin connects to every SSL-related port and attempts to extract
and dump the X.509 certificate.
Solution
n/a
References
n/a
plugin
nessus
plugin_id
10863
HSTS Missing From HTTPS Server (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
The remote HTTPS server is not enforcing HTTP Strict Transport Security
(HSTS). The lack of HSTS allows downgrade attacks, SSL-stripping
man-in-the-middle attacks, and weakens cookie-hijacking protections.
Solution
Configure the remote web server to use HSTS.
References
https://tools.ietf.org/html/rfc6797
plugin
nessus
plugin_id
84502
SSL / TLS Versions Supported (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
This plugin detects which SSL and TLS versions are supported by the
remote service for encrypting communications.
Solution
n/a
References
n/a
plugin
nessus
plugin_id
56984
SSH Protocol Versions Supported (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
This plugin determines the versions of the SSH protocol supported by the
remote SSH daemon.
Solution
n/a
References
n/a
plugin
nessus
plugin_id
10881
FTP Server Detection (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
It is possible to obtain the banner of the remote FTP server by
connecting to a remote port.
Solution
n/a
References
n/a
plugin
nessus
plugin_id
10092
SSH Algorithms and Languages Supported (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
This script detects which algorithms and languages are supported by the
remote service for encrypting communications.
Solution
n/a
References
n/a
plugin
nessus
plugin_id
70657
SSH Server Type and Version Information (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
It is possible to obtain information about the remote SSH server by
sending an empty authentication request.
Solution
n/a
References
n/a
plugin
nessus
plugin_id
10267
OpenSSL Version Detection (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
Nessus was able to extract the OpenSSL version from the web server’s
banner. Note that security patches in many cases are backported and the
displayed version number does not show the patch level. Using it to
identify vulnerable software is likely to lead to false detections.
Solution
n/a
References
https://www.openssl.org/
plugin
nessus
plugin_id
57323
Apache HTTP Server Version (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
The remote host is running the Apache HTTP Server, an open source web
server. It was possible to read the version number from the banner.
Solution
n/a
References
https://httpd.apache.org/
plugin
nessus
plugin_id
48204
PHP Version Detection (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
Nessus was able to determine the version of PHP available on the remote
web server.
Solution
n/a
References
n/a
plugin
nessus
plugin_id
48243
JQuery Detection (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
Nessus was able to detect JQuery on the remote host.
Solution
n/a
References
https://jquery.com/
plugin
nessus
plugin_id
106658
HyperText Transfer Protocol (HTTP) Information (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
This test gives some information about the remote HTTP protocol – the
version used, whether HTTP Keep-Alive and HTTP pipelining are enabled,
etc…
This test is informational only and does not denote any security
problem.
Solution
n/a
References
n/a
plugin
nessus
plugin_id
24260
HTTP Server Type and Version (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
This plugin attempts to determine the type and the version of the remote
web server.
Solution
n/a
References
n/a
plugin
nessus
plugin_id
10107
Host Fully Qualified Domain Name (FQDN) Resolution (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
Nessus was able to resolve the fully qualified domain name (FQDN) of the
remote host.
Solution
n/a
References
n/a
plugin
nessus
plugin_id
12053
mDNS Detection (Local Network) (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
The remote service understands the Bonjour (also known as ZeroConf or
mDNS) protocol, which allows anyone to uncover information from the
remote host such as its operating system type and exact version, its
hostname, and the list of services it is running.
This plugin attempts to discover mDNS used by hosts residing on the same
network segment as Nessus.
Solution
Filter incoming traffic to UDP port 5353, if desired.
References
n/a
plugin
nessus
plugin_id
66717
TCP/IP Timestamps Supported (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
The remote host implements TCP timestamps, as defined by RFC1323. A side
effect of this feature is that the uptime of the remote host can
sometimes be computed.
Solution
n/a
References
http://www.ietf.org/rfc/rfc1323.txt
plugin
nessus
plugin_id
25220
Traceroute Information (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
Makes a traceroute to the remote host.
Solution
n/a
References
n/a
plugin
nessus
plugin_id
10287
Web Server Office File Inventory (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
This plugin connects to the remote web server and attempts to find
office-related files such as .doc, .ppt, .xls, .pdf etc.
Solution
Make sure that such files do not contain any confidential or otherwise
sensitive information and that they are only accessible to those with
valid credentials.
References
n/a
plugin
nessus
plugin_id
11419
PHP expose_php Information Disclosure (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
The PHP install on the remote server is configured in a way that allows
disclosure of potentially sensitive information to an attacker through a
special URL. Such a URL triggers an Easter egg built into PHP itself.
Other such Easter eggs likely exist, but Nessus has not checked for
them.
Solution
In the PHP configuration file, php.ini, set the value for ‘expose_php’
to ‘Off’ to disable this behavior. Restart the web server daemon to put
this change into effect.
References
https://www.0php.com/php_easter_egg.php
https://seclists.org/webappsec/2004/q4/324
plugin
nessus
plugin_id
46803
HTTP Methods Allowed (per directory) (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
By calling the OPTIONS method, it is possible to determine which HTTP
methods are allowed on each directory.
The following HTTP methods are considered insecure:
PUT, DELETE, CONNECT, TRACE, HEAD
Many frameworks and languages treat ‘HEAD’ as a ‘GET’ request, albeit
one without any body in the response. If a security constraint was set
on ‘GET’ requests such that only ‘authenticatedUsers’ could access GET
requests for a particular servlet or resource, it would be bypassed for
the ‘HEAD’ version. This allowed unauthorized blind submission of any
privileged GET request.
As this list may be incomplete, the plugin also tests – if ‘Thorough
tests’ are enabled or ‘Enable web applications tests’ is set to ‘yes’ in
the scan policy – various known HTTP methods on each directory and
considers them as unsupported if it receives a response code of 400,
403, 405, or 501.
Note that the plugin output is only informational and does not
necessarily indicate the presence of any security vulnerabilities.
Solution
n/a
References
http://www.nessus.org/u?d9c03a9a
http://www.nessus.org/u?b019cbdb
https://www.owasp.org/index.php/Test_HTTP_Methods_(OTG-CONFIG-006)
plugin
nessus
plugin_id
43111
HyperText Transfer Protocol (HTTP) Redirect Information (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
The remote web server issues an HTTP redirect when requesting the root
directory of the web server.
This plugin is informational only and does not denote a security
problem.
Solution
Analyze the redirect(s) to verify that this is valid operation for your
web server and/or application.
References
n/a
plugin
nessus
plugin_id
91634
Missing or Permissive X-Frame-Options HTTP Response Header (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
The remote web server in some responses sets a permissive
X-Frame-Options response header or does not set one at all.
The X-Frame-Options header has been proposed by Microsoft as a way to
mitigate clickjacking attacks and is currently supported by all major
browser vendors.
Solution
Set a properly configured X-Frame-Options header for all requested
resources.
References
https://en.wikipedia.org/wiki/Clickjacking
http://www.nessus.org/u?399b1f56
plugin
nessus
plugin_id
50345
Web Application Sitemap (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
The remote web server contains linkable content that can be used to
gather information about a target.
Solution
n/a
References
http://www.nessus.org/u?5496c8d9
plugin
nessus
plugin_id
91815
External URLs (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
Nessus gathered HREF links to external sites by crawling the remote web
server.
Solution
n/a
References
n/a
plugin
nessus
plugin_id
49704
Web Application Potentially Vulnerable to Clickjacking (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
The remote web server does not set an X-Frame-Options response header or
a Content-Security-Policy ‘frame-ancestors’ response header in all
content responses. This could potentially expose the site to a
clickjacking or UI redress attack, in which an attacker can trick a user
into clicking an area of the vulnerable page that is different than what
the user perceives the page to be. This can result in a user performing
fraudulent or malicious transactions.
X-Frame-Options has been proposed by Microsoft as a way to mitigate
clickjacking attacks and is currently supported by all major browser
vendors.
Content-Security-Policy (CSP) has been proposed by the W3C Web
Application Security Working Group, with increasing support among all
major browser vendors, as a way to mitigate clickjacking and other
attacks. The ‘frame-ancestors’ policy directive restricts which sources
can embed the protected resource.
Note that while the X-Frame-Options and Content-Security-Policy response
headers are not the only mitigations for clickjacking, they are
currently the most reliable methods that can be detected through
automation. Therefore, this plugin may produce false positives if other
mitigation strategies (e.g., frame-busting JavaScript) are deployed or
if the page does not perform any security-sensitive transactions.
Solution
Return the X-Frame-Options or Content-Security-Policy (with the
‘frame-ancestors’ directive) HTTP header with the page’s response.
This prevents the page’s content from being rendered by another site
when using the frame or iframe HTML tags.
References
http://www.nessus.org/u?399b1f56
https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
https://en.wikipedia.org/wiki/Clickjacking
plugin
nessus
plugin_id
85582
Missing or Permissive Content-Security-Policy frame-ancestors HTTP Response Header (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
The remote web server in some responses sets a permissive
Content-Security-Policy (CSP) frame-ancestors response header or does
not set one at all.
The CSP frame-ancestors header has been proposed by the W3C Web
Application Security Working Group as a way to mitigate cross-site
scripting and clickjacking attacks.
Solution
Set a non-permissive Content-Security-Policy frame-ancestors header for
all requested resources.
References
http://www.nessus.org/u?55aa8f57
http://www.nessus.org/u?07cc2a06
https://content-security-policy.com/
https://www.w3.org/TR/CSP2/
plugin
nessus
plugin_id
50344
Web mirroring (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
This plugin makes a mirror of the remote website(s) and extracts the
list of CGIs that are used by the remote host.
It is suggested that you change the number of pages to mirror in the
‘Options’ section of the client.
Solution
n/a
References
n/a
plugin
nessus
plugin_id
10662
Web Server Directory Enumeration (CVSSv3.BaseScore n/a)
CVSSv3Vector
n/a
Type
Internal
Description
This plugin attempts to determine the presence of various common
directories on the remote web server. By sending a request for a
directory, the web server response code indicates if it is a valid
directory or not.
Solution
n/a
References
http://projects.webappsec.org/w/page/13246953/Predictable%20Resource%20Location
plugin
nessus
plugin_id
11032