How to set the HTTP User-Agent for all NVTs globally (Wordpress)?

Greenbone Vulnerability Manager 9.0.1
OpenVAS 7.0.1
gvm-libs 11.0.1
Greenbone Security Assistant 9.0.1
OSP Server for openvas: 1.0.1
OSP: 1.2
OSPd: 2.0.1
NVT Feed Version: 202006160941

We have to scan a Wordpress Website which is protected by a WAF. This WAF prohibits some user agents. The user agent openvas is also affected. So we need to set another user agents globally to bypass the WAF.

I created a basic scan config and set “HTTP User-Agent” within " Network Vulnerability Test Preferences". I have choosen “Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.98 Safari/537.36” and started the scan.

Unfortunately the user agent is only set for some urls, but not by the Wordpress NVTs (WordPress Detection (HTTP) / 1.3.6.1.4.1.25623.1.0.900182).

<-------------------------------------------------------------------------------------------------------------------------------->
$ grep Chrome /var/log/apache2/*
/var/log/apache2/access.log:172.30.0.3 - - [17/Jun/2020:14:52:57 +0200] “GET /JkDg7gPQ.html HTTP/1.1” 404 452 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393”
/var/log/apache2/access.log:172.30.0.3 - - [17/Jun/2020:14:52:57 +0200] “GET /OpenVAS-VT1457800486.html HTTP/1.1” 404 452 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393”
/var/log/apache2/access.log:172.30.0.3 - - [17/Jun/2020:14:52:57 +0200] “GET / HTTP/1.1” 200 36212
<-------------------------------------------------------------------------------------------------------------------------------->

The Wordpress NVTs still uses the standard user agent:

<-------------------------------------------------------------------------------------------------------------------------------->
/var/log/apache2/access.log:172.30.0.3 - - [17/Jun/2020:15:21:33 +0200] “GET /wordpress/wp-login.php HTTP/1.1” 403 491 “-” “Mozilla/5.0 [en] (X11, U; OpenVAS-VT 11.0.1)”
/var/log/apache2/access.log:172.30.0.3 - - [17/Jun/2020:15:21:33 +0200] “GET /wordpress-mu/wp-links-opml.php HTTP/1.1” 403 491 “-” “Mozilla/5.0 [en] (X11, U; OpenVAS-VT 11.0.1)”
/var/log/apache2/access.log:172.30.0.3 - - [17/Jun/2020:15:21:33 +0200] “GET /wordpress-mu/wp-login.php HTTP/1.1” 403 491 “-” “Mozilla/5.0 [en] (X11, U; OpenVAS-VT 11.0.1)”
<-------------------------------------------------------------------------------------------------------------------------------->

- How can we override “Mozilla/5.0 [en] (X11, U; OpenVAS-VT 11.0.1)” ?
- Were is “Mozilla/5.0 [en] (X11, U; OpenVAS-VT 11.0.1)” configured?

Hi there,

I can’t provide any details or insights on why this is happening - since this issue is probably more scanner/GVM-related - but as a workaround I could change the method inside the detection that generates the HTTP request, so the User Agent shouldn’t be overwritten.

Cheers,
Ad

1 Like

Hi Ad,

thanks for your reply. Can you give me an estimate on when this workaround will be implemented?

Thanks

Hi,

are you still facing this issue? The supposed fix has been implemented for a week now.

Cheers,
Ad