Nessus-Vulnerability-Scanner

From Notes_Wiki

Website Vulnerability Scanning Using Nessus

Purpose

This article provides step-by-step instructions to perform authenticated and unauthenticated vulnerability scans on web applications using Nessus. It also covers enabling required plugins and applying rate limits to avoid impacting production systems.

Prerequisites

  • Nessus Essentials / Professional / Tenable.sc / Tenable.io
  • Valid credentials for the target website (if authenticated scan is required)
  • Target website URL or server IP
  • Approved maintenance window (recommended)

Scope

This procedure scans only the approved website or web server. It must not be used to scan systems outside the authorized scope.

Steps

  1. Create a New Scan
    1. Log in to Nessus.
    2. Click New Scan → select Advanced Scan.
    3. Enter a suitable name and description.
    4. Under the Targets field, enter:
  2. Enable All Relevant Plugins
    1. Go to the Plugins tab.
    2. Ensure all plugins are enabled.
    3. Verify the following plugin families remain enabled:
      • Web Servers
      • Web Application Vulnerabilities
      • SSL/TLS Configuration Checks
      • CGI Abuses
      • Authentication Checks
  3. Configure Authentication

    Nessus provides several credential categories. Use the appropriate one depending on the authentication method required by the application:

    • Cloud Services
    • API Gateway
    • Database
    • Host
    • Miscellaneous
    • Plaintext Authentication

    Steps to Add Web Authentication:

    1. Go to Credentials.
    2. Select the appropriate method:
      • Host → HTTP/HTTPS Credentials for basic site authentication
      • Miscellaneous → HTTP Headers for session cookies or tokens
    3. Enter required fields:
      • Username
      • Password
      • Domain (if applicable)
      • Cookie or header name/value (for token-based / session-based login)
    4. Save the authentication configuration.

    Notes:

    • Nessus does not support full form-based login automation like Burp Suite.
    • Use session cookies or tokens for authenticated scans.
    • For OAuth/Bearer tokens, insert the token under Miscellaneous → HTTP Headers.
    • Use API Gateway credentials when scanning API endpoints with authentication.
  4. Apply Rate Throttling (To Prevent Overloading Servers)

    Navigate to Settings → Advanced and configure the following recommended limits:

    • Max concurrent checks per host: 1
    • Max concurrent hosts: 1
    • Network receive timeout: 5 seconds
    • Max time per host: 1 hour (adjust based on environment)

    These settings help ensure low-impact scanning on production websites.

  5. Limit the Scan to the Website Only
    1. Go to Settings → Discovery → Host Discovery and disable:
      • ARP Ping
      • ICMP Ping
      • Reverse DNS Lookups
    2. Go to Advanced → Enable "Avoid scanning unreachable hosts".
    3. Ensure only the intended FQDN/IP is included in the Targets list.
  6. Start the Scan
    1. Review all settings.
    2. Click Launch.
    3. Monitor scan progress in real time.
  7. Review and Export Report
    1. Open the scan report.
    2. Filter vulnerabilities by:
      • Critical
      • High
      • Medium
      • Low
    3. Export results as:
      • PDF
      • CSV
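A small triage script for the CSV export from step 7, added here as an example rather than taken from the wiki or from Tenable: it assumes the column layout of a Nessus CSV export ("Plugin ID", "Risk", "Host", "Port", "Name", ...) and uses a constructed sample with made-up plugin IDs, filters findings by the severity levels listed above, and collapses one plugin reported on several ports into a single line item.

```python
import csv
import io
from collections import defaultdict

# Severity values as they appear in the "Risk" column; "None" rows are informational.
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low"]

# Constructed sample in the column layout of a Nessus CSV export. Plugin IDs, names,
# hosts and the CVE placeholder are made up for this example, not real scan output.
SAMPLE_CSV = """Plugin ID,CVE,CVSS,Risk,Host,Protocol,Port,Name,Synopsis,Description,Solution,See Also,Plugin Output
90001,,,None,www.example.com,tcp,443,Example Web Server Banner,info,info,n/a,,Server: example
90002,,6.5,Medium,www.example.com,tcp,443,Example Weak TLS Cipher Suites,weak ciphers,desc,Disable weak ciphers,,TLS_RSA_ suites offered
90003,CVE-0000-0000,9.8,Critical,www.example.com,tcp,443,Example Outdated Web Framework,outdated,desc,Upgrade,,version 1.0
90003,CVE-0000-0000,9.8,Critical,www.example.com,tcp,8443,Example Outdated Web Framework,outdated,desc,Upgrade,,version 1.0
90004,,5.3,Medium,www.example.com,tcp,443,Example Missing Security Header,header,desc,Add header,,X-Frame-Options absent
"""


def load_findings(csv_text):
    """Parse the export and keep only rows that carry a real severity rating."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [r for r in rows if r["Risk"] in SEVERITY_ORDER]


def filter_by_severity(findings, minimum="Medium"):
    """Keep findings at or above `minimum` (Critical > High > Medium > Low)."""
    cutoff = SEVERITY_ORDER.index(minimum)
    return [f for f in findings if SEVERITY_ORDER.index(f["Risk"]) <= cutoff]


def summarize(findings):
    """Group by plugin so the same issue on several ports becomes one line item."""
    groups = defaultdict(lambda: {"count": 0, "where": set()})
    for f in findings:
        key = (f["Plugin ID"], f["Risk"], f["Name"])
        groups[key]["count"] += 1
        groups[key]["where"].add(f"{f['Host']}:{f['Port']}")
    summary = [
        {"plugin_id": k[0], "risk": k[1], "name": k[2],
         "instances": v["count"], "where": sorted(v["where"])}
        for k, v in groups.items()
    ]
    # Most severe first, then by plugin name for a stable report order.
    summary.sort(key=lambda s: (SEVERITY_ORDER.index(s["risk"]), s["name"]))
    return summary


if __name__ == "__main__":
    for item in summarize(filter_by_severity(load_findings(SAMPLE_CSV), "Medium")):
        print(item["risk"], item["plugin_id"], item["name"],
              item["instances"], ", ".join(item["where"]))
```

Replace SAMPLE_CSV with the contents of a real export file to produce the same per-plugin summary for an actual scan.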

Best Practices

  • Always use an approved testing window when scanning production systems.
  • Prefer authenticated scans for deeper insight into vulnerabilities.
  • Ensure authentication tokens/cookies are valid before starting a scan.
  • Always update Nessus plugins before scanning.