Web Application Scanning in Tenable Nessus

Web application scanning (WAS) is available in Tenable Nessus Expert. Web application scanning in Tenable Nessus allows you to scan and address web application vulnerabilities that Tenable Nessus scanners, Tenable Agents, or Tenable Network Monitor cannot scan.

Note: The following platforms do not support web application scanning in Tenable Nessus:

  • Any host system that does not support Docker

  • Any host that uses an ARM-based processor (for example, AArch64 Linux distributions and Apple Silicon systems)

For more information about Docker support on virtualized hosts, see the Docker documentation.

Note: Tenable Nessus Expert only allows one concurrent web application scan at a time.

Licensing

If you license web application scanning in Tenable Nessus Expert, you can scan up to five different web application URLs per 90 days.

Tenable Nessus uses only the hostname and port (FQDN:port) to track against WAS licenses instead of the full URL. For example, all of the following targets count for a single license FQDN:

  • https://example.com/welcome

  • https://example.com/welcome/get-started

  • https://example.com/welcome/get-started/create-new-user

If you do not perform a web application scan on a target URL for 90 days, Tenable Nessus removes the URL from your license and it no longer counts towards your URL limit. You cannot delete web application scan data to remove the URL from your license.

You can purchase additional URLs by contacting your Tenable representative.

Prerequisites

Before you enable web application scanning in Tenable Nessus Expert, you must install Docker version 20.0.0 or later on your Tenable Nessus host. Tenable Nessus Expert only supports Docker installations that follow the Docker install documentation.

Enable web application scanning

  1. Under Resources in the left-side navigation pane, click Web App Scanning.

    The Web Application Scanning (WAS) page appears. The WAS requirements and information section shows whether Docker is installed on your Tenable Nessus host, the Docker version, whether web application scanning is downloaded on your Tenable Nessus host, and the current web application scanning plugin set.

  2. Select the Enable Web Application Scanning checkbox.

  3. Click Save.

    Tenable Nessus starts to download the latest web application scanning image.

    Once the web application scanning download completes, the WAS requirements and information section indicates that web application scanning is downloaded (as shown in the following image). You can now view Web App scan templates in the Tenable Nessus scanning user interface and perform web application scans.

    Tip: With web application scanning installed, you can click next to the WAS Image Last Checked field to update Tenable Nessus with the latest Tenable Web App Scanning version.

    For more information on how to install Tenable Nessus Expert and web application scanning, see the following video: Web App Scanning in Nessus Expert 10.6.

Web application scanning in offline mode

You can still perform web application scanning when Tenable Nessus is in offline mode.

When Tenable Nessus is in offline mode, it cannot automatically download the latest web application scanning image after you complete the Enable web application scanning steps. Instead, you can upload the image manually using the following steps:

To upload the image manually and enable web application scanning in offline mode:

  1. Find and save the Tenable web application scanning image as a tarball file in the Tenable Docker hub. For more information, see the Docker image save documentation.

  2. Do one of the following:

    • To upload the image in the Tenable Nessus user interface:

      1. Navigate to the Web Application Scanning page in Tenable Nessus.

      2. Click Upload WAS Image in the upper-right corner.

        The file explorer opens.

      3. Select the saved web application tarball file.

        Tenable Nessus begins downloading the tarball file. Once the download completes, you can proceed to scan with a web application scanning template.

    • To upload the image from nessuscli:

      1. From nessuscli, enter the following command:

        nessuscli --upload-was <path to tarball image>

        Tenable Nessus begins downloading the tarball file. Once the command finishes running, you can proceed to scan with a web application scanning template.
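The prerequisite checks and the offline upload steps above can be chained in a small POSIX shell script. The following is an added example, not a script shipped by Tenable: it verifies the documented Docker minimum (20.0.0) and the no-ARM restriction, saves the image to a tarball with `docker save`, and hands the tarball to `nessuscli --upload-was`. The image name (`WAS_IMAGE`), the tarball path (`WAS_TARBALL`), the `nessuscli` location and the `WAS_OFFLINE_RUN` trigger variable are assumptions; the page does not name the image, so substitute the real name from the Tenable Docker hub.

```shell
#!/bin/sh
# Added example for the Nessus Expert offline WAS workflow (not Tenable's own tooling).
# Pure POSIX sh; the only external tools used at run time are docker, uname and nessuscli.

# version_ge HAVE NEED: succeed (0) when dotted version HAVE >= NEED.
# Handles short versions ("20.10") and suffixes ("20.10.7-ce") without sort -V.
version_ge() {
    v_have="$1.0.0"    # pad so fields 1-3 always exist for cut
    v_need="$2.0.0"
    i=1
    while [ "$i" -le 3 ]; do
        h=$(printf '%s\n' "$v_have" | cut -d. -f"$i")
        n=$(printf '%s\n' "$v_need" | cut -d. -f"$i")
        h=${h%%[!0-9]*}    # drop non-numeric suffix, e.g. "7-ce" -> "7"
        n=${n%%[!0-9]*}
        [ "${h:-0}" -gt "${n:-0}" ] && return 0
        [ "${h:-0}" -lt "${n:-0}" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# arch_supported ARCH: WAS in Nessus is unsupported on ARM hosts (AArch64, Apple Silicon).
arch_supported() {
    case "$1" in
        x86_64|amd64) return 0 ;;
        *) return 1 ;;
    esac
}

# check_host: apply both documented prerequisites to the local machine.
check_host() {
    arch=$(uname -m)
    arch_supported "$arch" || { echo "unsupported CPU architecture: $arch" >&2; return 1; }
    command -v docker >/dev/null 2>&1 || { echo "docker not installed" >&2; return 1; }
    # Ask the daemon (not only the CLI) for its version; a stopped daemon fails here too.
    dv=$(docker version --format '{{.Server.Version}}' 2>/dev/null) || {
        echo "docker daemon not reachable" >&2; return 1; }
    version_ge "$dv" "20.0.0" || { echo "docker $dv is older than 20.0.0" >&2; return 1; }
    echo "host ok: $arch, docker $dv"
}

# save_and_upload IMAGE TARBALL: docker save -> nessuscli --upload-was (the command
# documented on this page). NESSUSCLI defaults to the usual Linux install path (assumed).
save_and_upload() {
    image="$1"; tarball="$2"
    nessuscli="${NESSUSCLI:-/opt/nessus/sbin/nessuscli}"
    docker save -o "$tarball" "$image" || { echo "docker save failed" >&2; return 1; }
    [ -s "$tarball" ] || { echo "tarball is empty: $tarball" >&2; return 1; }
    "$nessuscli" --upload-was "$tarball"
}

# Only run against the real host when explicitly requested, e.g.
#   WAS_OFFLINE_RUN=1 WAS_IMAGE=<image from Tenable Docker hub> sh was-offline.sh
if [ "${WAS_OFFLINE_RUN:-0}" = "1" ]; then
    check_host || exit 1
    # PLACEHOLDER image name: replace with the real WAS image from the Tenable Docker hub.
    save_and_upload "${WAS_IMAGE:-PLACEHOLDER/was-image:tag}" "${WAS_TARBALL:-./was-image.tar}"
fi
```

Run the script on the Nessus host as a user permitted to talk to the Docker daemon and to execute `nessuscli`; `check_host` fails fast on the same two conditions the page lists as unsupported, so the `docker save` step is never reached on an ARM or Docker-less machine.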

What to do next: