Unauthenticated scans and CMS vulnerabilities

Reddl · December 23, 2019, 12:44pm

Hi,
When scanning a web site with an Unauthenticated scan, with no credentials i all mostly get a result 0.0 some times 2.6 (Vulnerabilities in TCP Timestamps) - , the question is how such scans are informative? how vulnerabilities are revealed when we do an Unauthenticated scan? Can we for example with an Unauthenticated scan identify Drupal vulnerabilities in webforms?

cfi · December 23, 2019, 1:27pm

Unfortunately this question is too generically asked to give a specific answer because this highly depends on the target you are scanning and the vulnerability you are looking for.

But basically GVM can find vulnerabilities in a CMS if they are public known (e.g. via a vendor advisory or a report of a security researcher) and a VT for it exists.

A few additional notes:

GVM is not a Web Application Scanner (WAS) so it can’t find unknown vulnerabilities in a web application like Drupal if no such advisory / report exists.
Specific to Drupal the VTs have a lower QoD if the target is a Linux System due to Drupal being shipped in various Linux Distributions which are doing security backports without changing the exposed versions. This might require that you need to lower the QoD value within your GVM filters. More about this topic can be found at https://docs.greenbone.net/GSM-Manual/gos-6/en/glossary.html#quality-of-detection-qod
The results depends on your used port list as well.

Reddl · December 24, 2019, 5:00am

Thanks. I’m l trying to get any vulnerabilities in the result as i said i always get a “good” result with no cve found. For example i want to detect vulnerabilities in drupal plugins.
For example a tool Droopescan can detect plugin/modules in different CMS Drupal, wordpess, but it doesn’t show vulnerabilities, so i wan to understand can i get something with an Unauthenticated scan…
I tried to set QoD to 70%, 80, 95 but the result is still 0.0.
The port list used was: Nmap 5.51 top 2000 TCP and top 100 UDP

Lukas · December 24, 2019, 7:58am

Please note i would do a authenticated scan fist to get much more results. It is very hard to guess a plugin from remote. As well a QoD Value is key as CFI already mentioned. You need to lower it e.g. 40% or 0%.

Please read in our documentation about the QoD and how does this impact you scan results.

https://docs.greenbone.net/GSM-Manual/gos-6/en/glossary.html#quality-of-detection-qod

cfi · December 29, 2019, 1:32pm

From a short search i don’t see any coverage for Drupal plugin vulnerabilities in the Feed. Are you looking for a specific vulnerability?

70% is the default so depending on the target you need to set a QoD to 30% or even lower. Note that this brings in false positives in your report for the reason explained in Unauthenticated scans and CMS vulnerabilities - #2 by cfi - Greenbone Professional Edition - Greenbone Community Forum.

Also check if your report is including the detection of the specific CMS like Drupal or Wordpress at all by changing the report filter to include “Log level” / 0.0 items.