For those of you who are new to these things, NASL stands for Nessus Attack Scripting Language. NASL is part of the closed-source Nessus vulnerability scanner and its open-source form called OpenVAS (Open Vulnerability Assessment System).


Nessus plays a big part in the hearts of many administrators, security consultants and scanning vendors. Nessus was practically the first stable and well-maintained open-source security scanner until they closed the source.

So, what about NASL? My point is that we don’t need it. Recently I had to work with OpenVAS and Nessus in order to automate some trivial penetration testing practices. I’ve worked with both and I got fed up with NASL. I still cannot understand why on earth we need yet another general-purpose scripting language which looks like some kind of a hybrid between PHP, C and JavaScript.

Anyway, since version 3 Nessus has been closed source. Now we have OpenVAS, a 2.x fork of Nessus. The project is coming along nicely but is still far from being good enough for environments where stability is a must. At some point I decided to contribute since I am particularly interested in having a free Nessus clone with a good community behind it. As soon as I started putting down some code I realized that this is not what I want. Nessus’ code seems undeservingly complicated.

In reality I need neither Nessus nor NASL. All I need are the tests. I believe that everybody feels the same. Perhaps the whole OpenVAS project should concentrate on writing the tests and let the user choose the engine. In my case Nessus was not a good engine due to license limitations. OpenVAS was not a good fit either, for stability reasons. I am stuck!

It occurred to me that because NASL is very close in syntax to PHP, JavaScript and C, it will actually be easy to rewrite the scripts in a more suitable language that has a better community around it. Of course everything needs to be done in an automatic fashion because I highly doubt that anyone has the personal time to sit and rewrite boring NASL scripts, unless he is paid good money for it. This is not how things work in the open-source world though.

IMHO, the rewrite of these scripts can be achieved with some simple regex replacements. The testing engine can be easily composed of drag-and-drop JAR components, i.e. the whole thing will run on top of Java for portability reasons. I think that this might turn into a much better framework which actually encourages people to contribute.
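The regex-replacement idea above, as an added example that is not part of the original post: a Python pass that rewrites a constructed NASL fragment into JavaScript and lists the lines its patterns cannot handle. The target runtime (JavaScript functions carrying the NASL built-in names, each taking one object for its named arguments) is an assumption.

```python
import re

# Constructed NASL fragment for illustration; not taken from any real plugin.
SAMPLE_NASL = '''\
# Report the HTTP Server header
port = get_http_port(default:80);
banner = get_http_banner(port:port);
if (isnull(banner)) exit(0);
if ("Server:" >< banner) {
  line = egrep(pattern:"^Server:", string:banner);
  security_note(port:port, data:string("Found: ", line));
}
'''

ATOM = r'("[^"]*"|\w+)'        # a string literal or a bare identifier
PAIR = r'\w+\s*:\s*[^(),]+'    # name:value where the value has no nesting
CALL = re.compile(r'(\w+)\(\s*(' + PAIR + r'(?:\s*,\s*' + PAIR + r')*)\s*\)')

def _named_args(m):
    # f(a:1, b:x) -> f({a: 1, b: x}). NASL has no ?: operator or labels,
    # so "name:" directly inside a call can only be a named argument.
    pairs = [p.strip().split(':', 1) for p in m.group(2).split(',')]
    body = ', '.join(f'{k.strip()}: {v.strip()}' for k, v in pairs)
    return f'{m.group(1)}({{{body}}})'

RULES = [
    (re.compile(r'^([ \t]*)#', re.M), r'\1//'),                     # comments
    (re.compile(ATOM + r'\s*>!<\s*' + ATOM), r'!\2.includes(\1)'),  # "not in"
    (re.compile(ATOM + r'\s*><\s*' + ATOM), r'\2.includes(\1)'),    # "in"
    (re.compile(r'\bisnull\(\s*(\w+)\s*\)'), r'(\1 == null)'),
    (re.compile(r'\bNULL\b'), 'null'),
    (CALL, _named_args),
]
# NASL-only syntax that is still present after every rule has run.
LEFTOVER = re.compile(r'\w+\(\s*\w+\s*:|>!?<')

def translate(nasl):
    """Return (javascript_text, lines_that_need_manual_work)."""
    js = nasl
    for pattern, repl in RULES:
        js = pattern.sub(repl, js)
    todo = [ln.strip() for ln in js.splitlines() if LEFTOVER.search(ln)]
    return js, todo

if __name__ == '__main__':
    js, todo = translate(SAMPLE_NASL)
    print(js)
    print('manual review needed:', todo)
```

The `security_note` line is reported rather than rewritten: its `data:` value is itself a call, and a flat pattern cannot balance the nested parentheses.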

Unfortunately, I do not have the time to start such a project although I will most certainly contribute. I hope that someone is willing to take on the challenge. Any takers?