All- I have Nessus 2.2.10 running on a Linux distro, with the registered feed. I'm updating my plugins whenever I need to complete an internal vulnerability scan.
Upon further inspection, I have noticed that Nessus isn't discovering XSS vulnerabilities as XSS but labeling them CGI discovery notices? I'm confused... Let me explain: On a monthly basis we receive vulnerability scans from a third party (Trust Wave), for our PCI Compliance. Some of your may be aware, the requirements have changed, and thus we received a (preview) scan with the updated requirements. As such I loaded my Nessus, ran a scan on the same servers, and discovered some issues, BUT not the issues they discovered namely XSS on an apache map database server. My question is, am I missing something from Nessus (configuration setting or plugin) that is not allowing me to discover XSS issues in my apache web servers? I have done extensive research into many plugins and have most, if not all of them loaded, I have mucked with the scanning options, turning on all *malicious, or experimental setting with still no luck.. I'm just looking for Nessus to output the same results as those received. I am not looking for the same wording, just the same score (CVS# or CVSS2#) and vulnerabilities discovered. (We are planning on upgrading Nessus to the latest version with a new box, and obtaining the direct feed within the next month, but would like this resolved it possible before that) Any help would be appreciated! Thanks Christopher _______________________________________________ Nessus mailing list [email protected] http://mail.nessus.org/mailman/listinfo/nessus
