"Web Application Abuse" Family in the "Full and Fast" Scan Policy

Hi Greenbone Community,

I have a couple of questions regarding the “Web Application Abuse” NVT family within the “Full and Fast” scan policy.

1. Is the “Web Application Abuse” family necessary for unauthenticated scans?

I recently ran two unauthenticated scans:

  • Scan 1: With the “Web Application Abuse” family enabled.
  • Scan 2: Without the “Web Application Abuse” family enabled.

Upon comparing the results, I noticed only a slight difference—just 2-3 additional HTTP NVTs were identified when the family was enabled. However, there was a significant reduction in scan time when the family was excluded—almost a 50% improvement (which is actually desired).

Given this observation, I’m wondering if this NVT family is essential for unauthenticated scans. My assumption is that most NVTs in this family require credentialed access to identify vulnerabilities effectively, but I’d like to confirm if this is accurate.

2. Is the “Web Application Abuse” family relevant for laptop/desktop scans?

If the scan target is limited to laptops and desktops, would it make sense to include this NVT family? From what I understand, this family seems more relevant to web application vulnerabilities, which might not typically be associated with standard laptops or desktops.

Is there any scenario where this family could provide meaningful results when scanning laptops/desktops, or would it be safe to exclude it in such cases?

I’d greatly appreciate insights from anyone with experience or knowledge regarding these questions. Thank you in advance for your time and help!

Hi!

  1. Yes, the “Web application abuses” family is very much recommended for unauthenticated scans. A lot of those checks actually do some kind of active check (trying to actively confirm a vulnerability with all kinds of HTTP(S) requests). However, there are also simple version checks which will get missed if the family is not activated. The higher scan time is very much expected, as it will first try to map the web application, trying different ways to get information from the server that will be used in later checks. Depending on the web server this can take quite some time.

  2. This depends on your environment. Some desktop/laptop-based software still populates some kind of web server, which might get missed if the family is not enabled. However, if you want to take the risk, or you are sure that no unknown web service is running (or it is firewalled etc.), you can of course decide to leave those checks out.

So to summarize: Just a few checks in the “Web application abuses” family need authentication, and those will state it in the report. The family has some web spidering/mapping functionality, hence the longer scan time. Any tuning of the scan config depends on your environment/needs/risk assessment, which needs to be decided by you.

Hope this helps.
Christian
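To make the "compare two scans" step from the question reproducible, and to check the answer's point that the family may surface web services on desktops you did not know about, the script below diffs two exported GMP XML reports by (host, port, NVT OID), summarizes the gained results per family, and lists the host/port pairs where the "Web application abuses" family actually produced a finding. This is an added example, not code from the thread or from Greenbone. It assumes the report layout `<report><results><result><host/><port/><nvt oid=...><name/><family/></nvt><severity/></result>...` of a GMP report export; the two embedded reports, their hosts, ports, result ids and OIDs are constructed placeholders for illustration.

```python
"""Diff two exported Greenbone (GMP) XML reports to see what a family adds.

Added example, not part of the original thread. Assumes the GMP report
export layout <report><results><result><host/><port/><nvt oid=...>
<name/><family/></nvt><severity/></result>... and uses constructed data.
"""
import xml.etree.ElementTree as ET
from collections import Counter

WEB_FAMILY = "Web application abuses"

# Constructed sample reports. Hosts, ports, result ids, NVT names and the
# OID suffixes are placeholders, not real NVT identifiers or scan output.
REPORT_WITHOUT_FAMILY = """<report><results>
 <result id="r-1"><host>10.0.0.5</host><port>22/tcp</port>
  <nvt oid="1.3.6.1.4.1.25623.1.0.900001"><name>SSH Server type and version (placeholder)</name>
  <family>Product detection</family></nvt><severity>0.0</severity></result>
 <result id="r-2"><host>10.0.0.5</host><port>443/tcp</port>
  <nvt oid="1.3.6.1.4.1.25623.1.0.900002"><name>HTTP Server type and version (placeholder)</name>
  <family>Product detection</family></nvt><severity>0.0</severity></result>
 <result id="r-3"><host>10.0.0.23</host><port>22/tcp</port>
  <nvt oid="1.3.6.1.4.1.25623.1.0.900001"><name>SSH Server type and version (placeholder)</name>
  <family>Product detection</family></nvt><severity>0.0</severity></result>
</results></report>"""

REPORT_WITH_FAMILY = """<report><results>
 <result id="r-1"><host>10.0.0.5</host><port>22/tcp</port>
  <nvt oid="1.3.6.1.4.1.25623.1.0.900001"><name>SSH Server type and version (placeholder)</name>
  <family>Product detection</family></nvt><severity>0.0</severity></result>
 <result id="r-2"><host>10.0.0.5</host><port>443/tcp</port>
  <nvt oid="1.3.6.1.4.1.25623.1.0.900002"><name>HTTP Server type and version (placeholder)</name>
  <family>Product detection</family></nvt><severity>0.0</severity></result>
 <result id="r-3"><host>10.0.0.23</host><port>22/tcp</port>
  <nvt oid="1.3.6.1.4.1.25623.1.0.900001"><name>SSH Server type and version (placeholder)</name>
  <family>Product detection</family></nvt><severity>0.0</severity></result>
 <result id="r-4"><host>10.0.0.5</host><port>443/tcp</port>
  <nvt oid="1.3.6.1.4.1.25623.1.0.900010"><name>Web directory mapping (placeholder)</name>
  <family>Web application abuses</family></nvt><severity>0.0</severity></result>
 <result id="r-5"><host>10.0.0.5</host><port>443/tcp</port>
  <nvt oid="1.3.6.1.4.1.25623.1.0.900011"><name>Outdated web framework version (placeholder)</name>
  <family>Web application abuses</family></nvt><severity>5.3</severity></result>
 <result id="r-6"><host>10.0.0.23</host><port>8080/tcp</port>
  <nvt oid="1.3.6.1.4.1.25623.1.0.900012"><name>Local agent web console reachable (placeholder)</name>
  <family>Web application abuses</family></nvt><severity>4.0</severity></result>
</results></report>"""


def parse_results(xml_text):
    """Map (host, port, oid) -> {name, family, severity} for one report."""
    results = {}
    for res in ET.fromstring(xml_text).iter("result"):
        nvt = res.find("nvt")
        if nvt is None:  # skip non-NVT entries such as host details
            continue
        host = (res.findtext("host") or "").strip()
        port = (res.findtext("port") or "").strip()
        results[(host, port, nvt.get("oid", ""))] = {
            "name": (nvt.findtext("name") or "").strip(),
            "family": (nvt.findtext("family") or "").strip(),
            "severity": float(res.findtext("severity") or 0.0),
        }
    return results


def gained_results(baseline, candidate):
    """Results present in the candidate scan but absent from the baseline."""
    return {k: v for k, v in candidate.items() if k not in baseline}


def family_summary(results):
    """Count results per NVT family."""
    return Counter(v["family"] for v in results.values())


def web_hosts(results, family=WEB_FAMILY):
    """(host, port) pairs on which the web family produced a finding."""
    return {(h, p) for (h, p, _), v in results.items() if v["family"] == family}


def main():
    base = parse_results(REPORT_WITHOUT_FAMILY)
    full = parse_results(REPORT_WITH_FAMILY)
    gained = gained_results(base, full)
    print(f"{len(gained)} result(s) only appear with the family enabled:")
    for fam, n in family_summary(gained).most_common():
        print(f"  {n} x {fam}")
    for host, port in sorted(web_hosts(full)):
        print(f"  web finding on {host} {port}")


if __name__ == "__main__":
    main()
```

Run it against two real exports by replacing the embedded strings with the file contents; a desktop host that shows up in the `web finding on ...` list is exactly the case the answer warns about, where dropping the family would hide a web service the inventory did not know about.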


Thanks a lot for the clarification @ckuerste!