Installation guide

“non-attack” variations for additional parameters. For example, Nessus would attempt
“/test.php?arg1=XSS&b=1&c=1”, where “b” and “c” allow other values, without
testing each combination. This is the quickest method of testing with the smallest
result set generated.
some pairs: Like “all pairs” testing, this will try to test a representative data set based
on the “All-pairs” method. However, for each parameter discovered, Nessus will only
test using a maximum of three valid input variables.
all pairs (slower but efficient): This form of testing is slightly slower but more
efficient than the “one value” test. While testing multiple parameters, it will test an
attack string, variations for a single variable, and then use the first value for all other
variables. For example, Nessus would attempt “/test.php?a=XSS&b=1&c=1&d=1”
and then cycle through the variables so that one is given the attack string, one is
cycled through all possible values (as discovered during the mirror process) and any
other variables are given the first value. In this case, Nessus would never test for
“/test.php?a=XSS&b=3&c=3&d=3” when the first value of each variable is “1”.
some combinations: Like “all combinations” testing, this will perform tests using a
combination of attack strings and valid input. However, for each parameter discovered,
Nessus will only test using a maximum of three valid input variables.
all combinations (extremely slow): This method of testing will do a fully exhaustive
test of all possible combinations of attack strings with valid input to variables. Where
“All-pairs” testing seeks to create a smaller data set as a tradeoff for speed, “all
combinations” makes no compromise on time and uses a complete data set of tests.
This testing method may take a long time to complete.
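To compare how many requests these modes generate for one CGI, the following added sketch (not Tenable's code and not Nessus's actual algorithm) follows the descriptions above. It assumes one attacked parameter per request, models the "some" variants as a cap of three values per parameter, and uses constructed parameter values.

```python
from itertools import product

ATTACK = "XSS"  # placeholder attack string, as in the guide's example URLs

# Constructed sample: values "discovered" for each parameter of /test.php.
PARAMS = {n: ["1", "2", "3", "4"] for n in ("a", "b", "c", "d")}


def all_pairs(values, cap=None):
    """One parameter gets the attack string, one other parameter is cycled
    through its values, every remaining parameter keeps its first value."""
    vals = {k: v[:cap] for k, v in values.items()}
    names = list(vals)
    tests = set()
    for attacked in names:
        base = {n: vals[n][0] for n in names}
        base[attacked] = ATTACK
        tests.add(tuple(base[n] for n in names))
        for cycled in (n for n in names if n != attacked):
            for v in vals[cycled]:
                combo = dict(base, **{cycled: v})
                tests.add(tuple(combo[n] for n in names))
    return tests


def all_combinations(values, cap=None):
    """One parameter gets the attack string (assumption), all others take
    every combination of their values."""
    vals = {k: v[:cap] for k, v in values.items()}
    names = list(vals)
    tests = set()
    for attacked in names:
        pools = [[ATTACK] if n == attacked else vals[n] for n in names]
        tests.update(product(*pools))
    return tests


def to_url(path, names, combo):
    """Render one test case as a request path with query string."""
    return path + "?" + "&".join(f"{n}={v}" for n, v in zip(names, combo))


if __name__ == "__main__":
    for label, fn, cap in [("some pairs", all_pairs, 3),
                           ("all pairs", all_pairs, None),
                           ("some combinations", all_combinations, 3),
                           ("all combinations", all_combinations, None)]:
        print(f"{label:18} {len(fn(PARAMS, cap)):4} requests")
    skipped = ("XSS", "3", "3", "3")
    print(to_url("/test.php", list(PARAMS), skipped),
          "in all pairs:", skipped in all_pairs(PARAMS))
```

With four parameters of four values each, the pairwise modes stay in the tens of requests while the exhaustive mode reaches the hundreds, which is the time tradeoff to weigh when choosing a mode for a large application.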
HTTP Parameter Pollution
When performing web application tests, attempt to bypass any filtering mechanisms by
injecting content into a variable while supplying the same variable with valid content as
well. For example, a normal SQL injection test may look like
“/target.cgi?a='&b=2”. With HTTP Parameter Pollution (HPP) enabled, the
request may look like “/target.cgi?a='&a=1&b=2”.
Stop at first flaw
This option determines when a new flaw is targeted. The drop-down has four options:
per CGI (default): As soon as a flaw is found on a CGI by a script, Nessus switches
to the next known CGI on the same server, or if there is no other CGI, to the next
port/server.
per port (quicker): As soon as a flaw is found on a web server by a script, Nessus
stops and switches to another web server on a different port. This applies at the script
level; finding an XSS flaw will not disable searching for SQL injection or header
injection, but you will have at most one report for each type on a given port.
per parameter (slow): As soon as one flaw is found in a parameter of a CGI, Nessus
stops and switches to the next parameter of the same script.
look for all flaws (slower): Perform extensive tests regardless of flaws found. This
option can take a long time and is not recommended in most cases.
Test embedded web servers
Embedded web servers are often static and contain no customizable CGI scripts. In
addition, embedded web servers may be prone to crash or become non-responsive
when scanned. Tenable recommends scanning embedded web servers separately
from other web servers using this option.