Post scan report severity is not updated - "Log" only

Hey guys,

I’m new here ;$

I’m using Kali GNU/Linux 5.10.0-kali9-amd64 #1 SMP Debian
version 2022.1

Greenbone: GVM-21.4.3

I would like to know if I am the only one with this problem.

After running a new scan to completion, the results in the “report” are not shown with their severity based on the feed.

With these commands:

greenbone-nvt-sync
greenbone-feed-sync --type GVMD_DATA
greenbone-feed-sync --type SCAP
greenbone-feed-sync --type CERT

I have already updated the feed, but without success. Can someone help me?

My Feed

The scan was performed on a website with several vulnerabilities (Acunetix)
http://testphp.vulnweb.com/

Thanks in advance!

http://testphp.vulnweb.com/ looks like a custom written PHP application / web shop for testing web application scanners (WAS) like Acunetix.

Doing web application scanning for such unknown web applications is not the scope of GVM so I would try to choose a more adequate target for your test like e.g.: Metasploitable download | SourceForge.net

But if your GVM setup is working and the scanner was able to reach the target a few results / vulnerabilities might show up if you e.g. update the filter of your report to show results with a lower QoD value < 70% like explained here:

https://docs.greenbone.net/GSM-Manual/gos-21.04/en/web-interface.html#adjusting-the-filter-parameters

More info on the Quality of Detection (QoD) concept is available here:

https://docs.greenbone.net/GSM-Manual/gos-21.04/en/reports.html#quality-of-detection-concept

Hello @cfi

Thanks for the help so far!

What intrigues me the most is that it is not only on a website that this behavior occurs. I’m performing a pentest on a SaaS web platform, but the same problem occurs, the Scan takes a few minutes and ends.

Is it not able to access the website server?

I practically use https://en.ipshu.com/ to look up the direct IP.
After that, I go to OpenVAS > Scan > Task > New Task > New Target and add the IP directly there, but without changing the QoD, I just leave it at 70%.

I question this behavior as it seems ineffective, because I’ve tested other scanners and the results were different (positive for vulnerabilities).

If you can help me with this, I would be very grateful!

Thanks for the articles, I’ll check them out

Without having any knowledge on the web app(s) or other scanner(s) some notes:

  1. The web app(s) are custom ones which might require a different kind of scanner (WAS like previously described) than GVM
  2. Vulnerability test coverage for the web app(s) are only part of the enterprise feed
  3. There is no vulnerability test coverage for the web app(s) at all
  4. The results of the other scanner(s) are false positive (if they haven’t been evaluated / confirmed manually)
  5. Other environmental issues (e.g. setup issues of GVM, not up2date feed, networking issues, …)

The “log” level results of the scan in question could also give some info if / which products got detected. If there are no specific products like e.g. a web server detected, there also won’t be many vulnerability results in the report.

Hello @cfi

Thanks for the quick turnaround.

So maybe OpenVAS wouldn’t be a suitable program for scanning web applications?

My comparison is, for example, with Nessus. I performed the same scan with it, and several vulnerable points were found that I was already expecting to find.

About the updated feed: yes, I’m updating daily. The only point is that the GVMD_DATA is up to date, but with the message “Too old Please check …”. When searching about it here on the forum, I saw other people with the same problem, where it’s actually not a problem; this is the latest version itself. My versions:
GVMD_DATA: 20220128T1556
CERT: 20220301T0130
SCAP: 20220304T0230
NVT: 20220302T1104

Unfortunately it is not possible to answer this question without knowing which vulnerabilities exist / have been found or which products are installed on the target(s) in question. :slightly_frowning_face:

A few rules of thumb:

  1. If there are only few or no known products detected for the target(s) in question (e.g. in the “8” Log entries in the first screenshot), no vulnerabilities can be reported because for most products the related detections need to detect the product first.
  2. You can check in the SecInfo → NVTs part of your GSA web interface within the “Product detection” family if the product in question has a detection at all, which would be a prerequisite for vulnerability reporting. A related filter for such a search in the Filter input box could be something like e.g. ~myproductname and family="Product detection"

This looks good :+1:

Note that there might still be unknown vectors (e.g. networking / environmental issues) which could prevent a detection.
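
The QoD filter and the “log” level product detection check discussed in the replies above, as an added example that is not part of the original thread and not Greenbone code. The XML is a constructed sample; the element names (`result`, `threat`, `severity`, `qod/value`) are assumed to match a GVM XML report export, and `summarize` is a hypothetical helper.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample; element names are assumed to follow a GVM XML report export.
SAMPLE_REPORT = """
<report><results>
  <result><name>Services (constructed)</name><port>80/tcp</port>
    <threat>Log</threat><severity>0.0</severity><qod><value>80</value></qod></result>
  <result><name>HTTP server detection (constructed)</name><port>80/tcp</port>
    <threat>Log</threat><severity>0.0</severity><qod><value>80</value></qod></result>
  <result><name>Cleartext login form (constructed)</name><port>80/tcp</port>
    <threat>Medium</threat><severity>4.8</severity><qod><value>80</value></qod></result>
  <result><name>Version-based check (constructed)</name><port>80/tcp</port>
    <threat>High</threat><severity>7.5</severity><qod><value>30</value></qod></result>
</results></report>
"""

def summarize(report_xml, min_qod=70):
    """Split results into what a min_qod filter shows and what it hides."""
    shown, hidden, detections = Counter(), [], []
    for res in ET.fromstring(report_xml).iter("result"):
        name = res.findtext("name", "").strip()
        threat = res.findtext("threat", "Log").strip()
        qod = int(res.findtext("qod/value", "0"))
        if qod < min_qod:
            # Dropped by the report filter, so it never reaches the severity counts.
            hidden.append((name, threat, qod))
            continue
        shown[threat] += 1
        # Log-level detection results indicate which products were identified.
        if threat == "Log" and "detection" in name.lower():
            detections.append(name)
    return {"shown": dict(shown), "hidden": hidden, "detections": detections}

if __name__ == "__main__":
    for threshold in (70, 30):
        print(threshold, summarize(SAMPLE_REPORT, min_qod=threshold))
```

An empty `detections` list at any threshold corresponds to the case described in the thread where no product was identified, so no product-specific vulnerability tests can report.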