Perform the following steps:
- Open the Nessus Web Client.
- Log in to the Nessus Web Client with the user details created during installation.
- Navigate to the Policies page and create a new policy by selecting the Web Application Tests scan template.
- Fill in the name of the policy and navigate to the Credentials section.
- Select HTTP authentication and fill in the remaining parameters according to the application to be audited.
There are multiple parameters to be filled in for this authentication form, such as Username, Password, the path to the login page, the path to the login submission page, the login parameters, the path of the page used to check authentication, and the regex used to verify successful authentication. Most of these can be obtained by spending a couple of minutes observing how the application works and which requests the browser sends to the server, using the browser's developer console.
- Save the policy and navigate to the Scans page to create a new scan.
- Navigate to the User Defined policies to find the web application audit policy created earlier.
- Select the appropriate policy and fill in the details such as Name, Description, and Targets. You can simply enter the IP address or the domain name of the host, without any prefix or suffix path.
- Launch the scan and wait for it to complete.
- Once the scan is complete, open it to review the results.
- Navigate to the Vulnerabilities tab to check the reported observations.
Each reported vulnerability includes the following sections, along with other plugin details, to help you understand the finding:
- Description
- Solution
- See also
- Output
- Port
- Hosts
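Before launching the scan, it is worth confirming that the HTTP authentication parameters entered in the credentials step actually log the scanner in, otherwise the scan only covers the unauthenticated surface of the application. The following added Python example (not part of the original text and not Nessus code) replays the same three-request sequence the scanner performs: fetch the login page, submit the login parameters to the login submission path, then request the check page and test the success regex against it. It assumes the login parameters are written with the `%USER%`/`%PASS%` placeholders that Nessus accepts, and it runs against a constructed mock application on loopback so it works offline; point `verify_form_login` at the real host to check your own values.

```python
import re
import threading
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar
from http.server import BaseHTTPRequestHandler, HTTPServer

def verify_form_login(base, user, password, login_path, submit_path,
                      login_params, check_path, success_regex):
    """Replay the form login Nessus will perform; return (authenticated, status)."""
    jar = CookieJar()  # carries the session cookie across the three requests
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    opener.open(base + login_path).read()  # 1. GET the login page
    body = (login_params.replace("%USER%", urllib.parse.quote(user))
                        .replace("%PASS%", urllib.parse.quote(password)))
    opener.open(base + submit_path, data=body.encode()).read()  # 2. POST credentials
    resp = opener.open(base + check_path)  # 3. GET a page only a logged-in user sees
    page = resp.read().decode(errors="replace")
    return bool(re.search(success_regex, page)), resp.status

class _MockApp(BaseHTTPRequestHandler):
    """Constructed stand-in for the audited app: session cookie only on valid login."""
    def log_message(self, *args): pass  # silence the request log

    def _reply(self, code, body="", **headers):
        self.send_response(code)
        for name, value in headers.items():
            self.send_header(name.replace("_", "-"), value)
        self.end_headers()
        self.wfile.write(body.encode())

    def do_GET(self):
        if self.path == "/login":
            self._reply(200, "<form method=post action=/dologin></form>")
        elif self.path == "/account" and "session=ok" in self.headers.get("Cookie", ""):
            self._reply(200, "<h1>Welcome back, auditor</h1>")
        else:
            self._reply(302, Location="/login")  # not logged in: bounce to the form

    def do_POST(self):
        raw = self.rfile.read(int(self.headers["Content-Length"])).decode()
        fields = dict(urllib.parse.parse_qsl(raw))
        if self.path == "/dologin" and fields == {"username": "auditor", "password": "s3cret"}:
            self._reply(302, Location="/account", Set_Cookie="session=ok")
        else:
            self._reply(302, Location="/login")

def start_mock_app():
    """Serve the mock app on a free loopback port and return its base URL."""
    server = HTTPServer(("127.0.0.1", 0), _MockApp)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % server.server_address[1]
```

A result of `(False, 200)` with correct credentials usually means the login submission path, the parameter names, or the success regex do not match what the browser actually sends and receives.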