As I understand, Greenbone can’t scan a specific URL. Can you explain the rationale behind it?
I can scan hostip.com and a web app there gets scanned. But hostip.cam/webapp/ won’t be scanned, so I never know if it’s safe. This seems to arbitrarily reduce the utility of the Greenbone scan and I wonder why?
Also, if I give Greenbone a subdomain like subdomain.domain.cam, Greenbone seems to also scan other subdomains of the same domain. How does this work, and how can I ensure only subdomain.domain.cam will get scanned?
Because our software is not a web application or HTTP scanner. Our software scans hosts. Hosts are specified either by a domain name or by an IP address.
A URL consists of more parts besides a host. When your browser connects to an HTTP server, it uses the host in the URL to resolve the IP address of the HTTP server. The browser then sends an HTTP request to the server including the full URL. The HTTP server decides which content to return depending on the URL in the request (and additional parameters of the request). Different URLs can also point to the same host.
Thus a web application scanner acts on a different layer (HTTP) than our software (mostly Internet Protocol). Our software scans hosts (some device with an IP address) for possible vulnerabilities, not HTTP URLs.
The scope of the scanner (or rather of the NASL scripts it uses) is currently to find “known vulnerabilities in known software” (e.g. defined by CVEs, vendor advisories about vulnerabilities and similar).
Detection of “unknown” / not published vulnerabilities in unknown software (e.g. a custom web application existing on /webapp) is currently outside of the scope and would require the previously mentioned HTTP / web application scanner.
There are still HTTP-based checks done for “known vulnerabilities in known software” if software such as WordPress is installed under /webapp.
For such cases, and if /webapp wasn’t detected, the additional directory can be added to the following scanner preference (see the GSM Manual for more info) within the used scan config (description from man openvas):
By default, openvas looks for default CGIs in /cgi-bin and /scripts. You may change these to something else to reflect the policy of your site. The syntax of this option is the same as the shell $PATH variable: path1:path2:...
As an additional reference, something similar has also been discussed in the scope of API scanning capabilities here:
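A worked illustration of the host-versus-URL point made in the answer above, added here and not code from the thread or from Greenbone: the scanner takes hosts, a port list and a colon-separated directory list for the CGI path preference, never URLs, so a practitioner who starts from a list of URLs has to translate them into those three inputs. The helper below does that translation. The preference key name `cgi_path`, the `T:<port>` port-list notation and the sample URLs are assumptions of this example (the key name is taken from the man openvas wording quoted above; check your scan config for the exact label).

```python
"""Map URL-scoped targets onto Greenbone's host-based scan inputs.

Added example, not code from the forum thread or from Greenbone.
Assumptions: the CGI directory preference is called cgi_path and uses
$PATH-style colon separation (as quoted from man openvas), and port
lists use the T:<port> notation. Verify both against your scan config.
"""
from urllib.parse import urlsplit
import posixpath

# Defaults named in the man openvas excerpt quoted in the thread.
DEFAULT_CGI_DIRS = ("/cgi-bin", "/scripts")


def url_to_cgi_dir(url_path):
    """Reduce a URL path to the directory a host scanner can be pointed at.

    A trailing file name (index.php) is dropped, '..' segments are
    normalised, and query/fragment never reach this function because
    urlsplit already separates them; cgi_path cannot express them.
    """
    raw = url_path or "/"
    if not raw.endswith("/") and "." in posixpath.basename(raw):
        raw = posixpath.dirname(raw) or "/"
    path = posixpath.normpath(raw)
    if ":" in path:
        # The preference is colon-separated, so a colon in a path
        # would be mis-parsed as a separator. Refuse rather than guess.
        raise ValueError(f"colon in path conflicts with cgi_path syntax: {path!r}")
    return path


def split_targets(urls, default_cgi_dirs=DEFAULT_CGI_DIRS):
    """Return hosts, a port list and a cgi_path value derived from URLs."""
    hosts = []
    ports = set()
    dirs = list(default_cgi_dirs)
    for url in urls:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            raise ValueError(f"not an http(s) URL with a host: {url!r}")
        # hostname is lower-cased and has IPv6 brackets stripped already.
        if parts.hostname not in hosts:
            hosts.append(parts.hostname)
        ports.add(parts.port or (443 if parts.scheme == "https" else 80))
        path = url_to_cgi_dir(parts.path)
        if path != "/" and path not in dirs:
            dirs.append(path)
    return {
        "hosts": hosts,
        "port_list": ",".join(f"T:{p}" for p in sorted(ports)),
        "cgi_path": ":".join(dirs),
    }


if __name__ == "__main__":
    # Constructed sample input for illustration only.
    sample = [
        "http://hostip.com/webapp/",
        "https://hostip.com/webapp/index.php?id=1",
        "http://other.example:8080/api/v1/",
    ]
    for key, value in split_targets(sample).items():
        print(f"{key}: {value}")
```

Everything after the host in a URL collapses into two scanner inputs: the port (via the port list) and the directory (via the CGI path preference). Query strings and fragments disappear entirely, which is exactly why a custom application reachable only through particular URLs is outside what a host scanner can assess, as the answer above states.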