How to set the HTTP User-Agent for all NVTs globally (Wordpress)?

Plusserver · June 17, 2020, 2:05pm

Greenbone Vulnerability Manager 9.0.1
OpenVAS 7.0.1
gvm-libs 11.0.1
Greenbone Security Assistant 9.0.1
OSP Server for openvas: 1.0.1
OSP: 1.2
OSPd: 2.0.1
NVT Feed Version: 202006160941

We have to scan a Wordpress Website which is protected by a WAF. This WAF prohibits some user agents. The user agent openvas is also affected. So we need to set another user agents globally to bypass the WAF.

I created a basic scan config and set “HTTP User-Agent” within " Network Vulnerability Test Preferences". I have choosen “Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.98 Safari/537.36” and started the scan.

Unfortunately the user agent is only set for some urls, but not by the Wordpress NVTs (WordPress Detection (HTTP) / 1.3.6.1.4.1.25623.1.0.900182).

<-------------------------------------------------------------------------------------------------------------------------------->
$ grep Chrome /var/log/apache2/*
/var/log/apache2/access.log:172.30.0.3 - - [17/Jun/2020:14:52:57 +0200] “GET /JkDg7gPQ.html HTTP/1.1” 404 452 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393”
/var/log/apache2/access.log:172.30.0.3 - - [17/Jun/2020:14:52:57 +0200] “GET /OpenVAS-VT1457800486.html HTTP/1.1” 404 452 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393”
/var/log/apache2/access.log:172.30.0.3 - - [17/Jun/2020:14:52:57 +0200] “GET / HTTP/1.1” 200 36212
<-------------------------------------------------------------------------------------------------------------------------------->

The Wordpress NVTs still uses the standard user agent:

<-------------------------------------------------------------------------------------------------------------------------------->
/var/log/apache2/access.log:172.30.0.3 - - [17/Jun/2020:15:21:33 +0200] “GET /wordpress/wp-login.php HTTP/1.1” 403 491 “-” “Mozilla/5.0 [en] (X11, U; OpenVAS-VT 11.0.1)”
/var/log/apache2/access.log:172.30.0.3 - - [17/Jun/2020:15:21:33 +0200] “GET /wordpress-mu/wp-links-opml.php HTTP/1.1” 403 491 “-” “Mozilla/5.0 [en] (X11, U; OpenVAS-VT 11.0.1)”
/var/log/apache2/access.log:172.30.0.3 - - [17/Jun/2020:15:21:33 +0200] “GET /wordpress-mu/wp-login.php HTTP/1.1” 403 491 “-” “Mozilla/5.0 [en] (X11, U; OpenVAS-VT 11.0.1)”
<-------------------------------------------------------------------------------------------------------------------------------->

- How can we override “Mozilla/5.0 [en] (X11, U; OpenVAS-VT 11.0.1)” ?
- Were is “Mozilla/5.0 [en] (X11, U; OpenVAS-VT 11.0.1)” configured?

_ad · June 24, 2020, 1:21pm

Hi there,

I can’t provide any details or insights on why this is happening - since this issue is probably more scanner/GVM-related - but as a workaround I could change the method inside the detection that generates the HTTP request, so the User Agent shouldn’t be overwritten.

Cheers,
Ad

Plusserver · July 6, 2020, 9:00am

Hi Ad,

thanks for your reply. Can you give me an estimate on when this workaround will be implemented?

Thanks

_ad · July 6, 2020, 9:40am

Hi,

are you still facing this issue? The supposed fix has been implemented for a week now.

Cheers,
Ad

cfi · July 9, 2020, 10:59am

Note that this “fix” only applies to this specific Wordpress Detection-VT. A “full” fix for every VT to use the user configured User-Agent is only possible from GVM side.