Greenbone Vulnerability Manager 9.0.1
OpenVAS 7.0.1
gvm-libs 11.0.1
Greenbone Security Assistant 9.0.1
OSP Server for openvas: 1.0.1
OSP: 1.2
OSPd: 2.0.1
NVT Feed Version: 202006160941
We have to scan a Wordpress Website which is protected by a WAF. This WAF prohibits some user agents. The user agent openvas is also affected. So we need to set another user agents globally to bypass the WAF.
I created a basic scan config and set “HTTP User-Agent” within " Network Vulnerability Test Preferences". I have choosen “Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.98 Safari/537.36” and started the scan.
Unfortunately the user agent is only set for some urls, but not by the Wordpress NVTs (WordPress Detection (HTTP) / 1.3.6.1.4.1.25623.1.0.900182).
<-------------------------------------------------------------------------------------------------------------------------------->
$ grep Chrome /var/log/apache2/*
/var/log/apache2/access.log:172.30.0.3 - - [17/Jun/2020:14:52:57 +0200] “GET /JkDg7gPQ.html HTTP/1.1” 404 452 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393”
/var/log/apache2/access.log:172.30.0.3 - - [17/Jun/2020:14:52:57 +0200] “GET /OpenVAS-VT1457800486.html HTTP/1.1” 404 452 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393”
/var/log/apache2/access.log:172.30.0.3 - - [17/Jun/2020:14:52:57 +0200] “GET / HTTP/1.1” 200 36212
<-------------------------------------------------------------------------------------------------------------------------------->
The Wordpress NVTs still uses the standard user agent:
<-------------------------------------------------------------------------------------------------------------------------------->
/var/log/apache2/access.log:172.30.0.3 - - [17/Jun/2020:15:21:33 +0200] “GET /wordpress/wp-login.php HTTP/1.1” 403 491 “-” “Mozilla/5.0 [en] (X11, U; OpenVAS-VT 11.0.1)”
/var/log/apache2/access.log:172.30.0.3 - - [17/Jun/2020:15:21:33 +0200] “GET /wordpress-mu/wp-links-opml.php HTTP/1.1” 403 491 “-” “Mozilla/5.0 [en] (X11, U; OpenVAS-VT 11.0.1)”
/var/log/apache2/access.log:172.30.0.3 - - [17/Jun/2020:15:21:33 +0200] “GET /wordpress-mu/wp-login.php HTTP/1.1” 403 491 “-” “Mozilla/5.0 [en] (X11, U; OpenVAS-VT 11.0.1)”
<-------------------------------------------------------------------------------------------------------------------------------->
- How can we override “Mozilla/5.0 [en] (X11, U; OpenVAS-VT 11.0.1)” ?
- Were is “Mozilla/5.0 [en] (X11, U; OpenVAS-VT 11.0.1)” configured?