How to scan a specific FQDN and not the IP or other websites on the same Web server

greendog · February 15, 2021, 7:20pm

Looking to run a scan against a web server but I only have permission to scan against the FQDN of the hosted website and not another other websites hosted on the same server.

I cloned the “full and fast” scan config and set the expand_vhosts parameter to 0. This stops it finding another other hosts.

The results from the scan all point to the IP of the host. It’s like it didn’t scan the FQDN but rather used the IP found from the DNS lookup.

I tested on another test server a set expand_vhosts back to 1. This does scan the FQDN acording to the report but also scans the IP and all the other FQDNs it found in the SSL cert.

Is there anyway to get it to only scan the FQDN and nothing else?

Thank you

greendog · February 16, 2021, 11:20am

ok, I could not get FQDN scanning to work so I got permission to scan the full host out of hours (expand_vhosts 1) which includes the FQDN data in the report.

However now I have a new problem with the exported report (sorry!)

I have exported it to a text file and filtered out all except the FQDN. However the report looks odd compared to reports of old v10 & v11. There are 1000’s of results about EOL jquery found at URLs that do not exist:

NVT: jQuery End of Life (EOL) Detection (Windows)
OID: 1.3.6.1.4.1.25623.1.0.117148
Threat: High (CVSS: 10.0)
Port: 443/tcp
The “jQuery” version on the remote host has reached the end of life.
CPE: cpe:/a:jquery:jquery:2.1.1
Installed version: 2.1.1
Location/URL: https://FQDN/assets/site_resources <- this is a 404 URL

NVT: jQuery End of Life (EOL) Detection (Windows)
OID: 1.3.6.1.4.1.25623.1.0.117148
Threat: High (CVSS: 10.0)
Port: 443/tcp
The “jQuery” version on the remote host has reached the end of life.
CPE: cpe:/a:jquery:jquery:1.3.2
Installed version: 1.3.2
Location/URL: https://FQDN/login/https://ajax.microsoft.com/aj!ax/jquery <- this is a 404 URL

NVT: jQuery End of Life (EOL) Detection (Windows)
OID: 1.3.6.1.4.1.25623.1.0.117148
Threat: High (CVSS: 10.0)
Port: 443/tcp
The “jQuery” version on the remote host has reached the end of life.
CPE: cpe:/a:jquery:jquery:1.6.2
Installed version: 1.6.2
Location/URL: https://FQDN/test/https://ajax.aspnetcdn.com/aja! <- this is a 404 URL

Lots more URLs found with this same type of issue but the URLs do not exist. I assume these are false positives and perhaps a bug with “OID 1.3.6.1.4.1.25623.1.0.117148”?

There is also one other odd result that may be a false positive:
CKEditor 4.0 < 4.16 Multiple ReDoS Vulnerabilities
Installed version: 4.5.4
Fixed version: 4.16
Installation
path / port: /ckeditor <- this URL https://FQDN/ckeditor does not exist.

I’m using GVM 20.08.0 via CentOS 8 Stream

bricks · February 17, 2021, 6:56am

To give you some insights about your first questions. Our software is not (only) a web application scanner. It is a network vulnerability scanner and management tool. Therefore if you scan a host by the FQDN it will scan the complete machine where this FQDN points to. If you just need to scan a web application you maybe need to look at a different tool.