I am trying to test a webpage using Nessus. I have tested all the stuff about the Server. But now I want to proceed by login to the webpage and test all possible pages behind the login form. But I couldn’t achieve it. I gave all(text, password and hidden fields) the form fields’ values including the ticket generated by Central Authentication System. But nothing happens. Either there isn’t any security issue behind the login page ( ๐ ), or I couldn’t login to the page (100% possibility ๐ ). For extra info:
These are login fields. ๐
username=
&password=
<=_c0C1F5872-F217-B20F-6D86-AA3AA1C1262E_kC7BEB4F7-5216-53EB-2F9A-7FDDFE01D145
&_eventId=submit
&submit=Login
Is there anyone who used Nessus and know how to solve this problem? And is there anyone who knows how to import Cookies to Nessus?
Thanks in advance. ๐
I had similar problems; can’t speak for you, but sounds like you have about as much website knowledge as I do (which ain’t much!) – no offense intended. In my case I’m not sure I’m understanding the most most basic structural elements of the website, such as what URL to point the scan at, and then concatenating that correctly with the login pages in the policy. I’m far better at the network and infrastructure penetration testing ๐
I did a search in a search engine for “Nessus HTTP cookie import”, and found that Tenable discussed this on their podcast, episode 14:
http://blog.tenablesecurity.com/2009/11/tenable-network-security-podcast—episode-14.html
If you look at the “Stories” note on the above web page, there’s a hint to use the “Export Cookies” Firefox add-on. The add-on has some guidance, but essentially:
NOTE: I’m still trying this now, but thought I’d post the possibility anyway in case I forget – I will update this thread with a confirm or deny shortly.
Best of luck!
UPDATE: Well, it didn’t work for me on first attempt. I’m confirming I don’t have any conflicting or superseding settings in the policy, but if that doesn’t work it’s on to Tenable Support, I fear…