How to add custom HTTP headers for each scan task in OpenVAS 22.04?

Hi everyone,

I’m integrating OpenVAS scanner into my web application and need some help with customizing HTTP headers for scan tasks.

Current Setup:

  • Using latest OpenVAS (version 22.04+)
  • Only integrated openvas-scanner and ospd-openvas components
  • Successfully implemented scan functionality using start_scan and get_scans commands
  • My application is a web service that provides APIs for external clients

Requirements:

  1. Need to add custom HTTP headers to ALL HTTP requests sent by OpenVAS during vulnerability scanning
  2. Headers are passed as parameters when external clients call my web API

Questions:

  1. What’s the recommended way to implement this in the latest version of OpenVAS?
  2. Is it possible to use Knowledge Base (KB) to pass custom headers to NVT scripts?
  3. Are there any existing implementations or examples that I can refer to?

Any suggestions or guidance would be greatly appreciated!

I thought this was an interesting question, so I looked into how this could be possible. This is my opinion on your goal, but if others can weigh in with more experienced information then you may be better informed. Obviously not all VTs are HTTP so I will assume you mean HTTP-based VTs - not scan tasks.

Adding custom headers could be hard to universally accomplish on the VT level such as within NASL because VTs do not have a universal method for making HTTP requests. They use an variety of related functions. Most of those functions are imported to the VT via the http_func.inc file which includes:

  • http_send_recv()
  • http_get_remote_headers()
  • http_get()
  • http_open_socket()
  • http_get_req() // Which has a parameter to add custom headers but is not used by all VTs

As I said above, there is no single method that could be modified to add custom headers. To do it this way, you would have to audit and modify so many NASL files.

Also, while these all have one thing in common, they are passed to the NASL send() function, but this handles a raw socket for all protocols not only HTTP so it cannot be easily modified in this way. In the end, I BELIEVE it links back to gnutls_handshake() in openvas-scanner here.

Another possible way may be to pass all OpenVAS traffic through a content proxy that can modify only HTTP requests and then add your custom header. Of course this would need to handle HTTPS layer as well. OpenVAS uses gnutls functions which accept a list of CAs (cafile) to determine cert verification to complete the handshake. You would have to add your content proxy’s root certificate to that, which I believe is stored in the PostgreSQL database and loaded to Redis.

Anyway, this is just what I could determine from a brief investigation. Maybe this information would get you started, but unfortunately it is far from an exact answer - only a contribution to the community. :slight_smile:

1 Like

Only a few additional remarks:

  • http_get() is a scanner internal function which is the “main” function to create HTTP requests and would require changes to the scanner code base (This probably will unlikely happen from Greenbone side and you would need to do own research and modifications)
  • Any modifications to sent out requests could cause e.g. a missing detection of a vulnerability (if e.g. a target is dropping requests if an unexpected HTTP header is received)

thus i would suggest to re-think this approach and solve it differently without the requirement to modify the requests.

2 Likes