Understanding Workflows

The goal of this tutorial is to introduce Venari workflows as a concept. The secondary goal is to record a login workflow and configure a job template to use that workflow for logging in to Web Goat.

If you prefer a short video tutorial then check here: Recording a Login Workflow with Venari

In most cases the Venari Auto-Login engine can heuristically determine the browser action stream needed to perform a login, using only the start URL and the credentials from a job template. For cases where auto-login fails, users can create a login workflow in the Venari UI and pair that workflow with a job template. The steps below describe the exact sequence of UI interactions needed to record such a workflow. In addition to detailing specific user actions, the sections below will share details and concepts about how workflow processing works in Venari.


Workflow Concepts

Workflows are a foundational part of the Venari analysis architecture. A workflow is a sequence of browser actions that cause the web application state to change. Internally, Venari represents workflows as hierarchical data. The Venari UI shows workflows as YAML text. The workflows are editable using the Venari UI or the Assert Security Editor extension for VS Code.

Some examples of workflows include:

  • Logging In

    • Navigate to a specific URL
    • Click a button labeled 'Sign In' (the DOM changes and a form appears)
    • Click a text input labeled 'User'
    • Type in a username
    • Click a text input labeled 'Password'
    • Type in a password
    • Click a button labeled 'sign in' (browser navigates to landing page)
  • Add an item to a Shopping Cart

    • Navigate to a specific URL
    • Click a category link (like 'Electronics')
    • Click a specific item (like 'USB thumb drive')
    • Click an 'Add to Cart' button
    • Click a 'Checkout' button
    • Click through a sequence of form inputs and submit the order
  • Create a new User Account

    • Navigate to a user management URL
    • Click the 'Add New User' button
    • Click through form elements to provide user data
    • Click a 'Save' button

All of these examples describe a sequence of user inputs. Once these action streams are recorded as workflows, they can be replayed automatically by the Venari browser driver. Some of these actions require data inputs and the Venari engine supports parameterized inputs.

The image below shows a recorded workflow that will log in to the Web Goat application. This tutorial will demonstrate how to create this workflow data using the recorder tool and onboard it into a job template.


Create Application

Create an application with a name so that we can add a login workflow and save it in the application. If you want to follow these steps for Web Goat you can download the docker image from docker hub.

Pull the image using the command below:

docker pull webgoat/webgoat-8.0

Run the container using the command below:

docker run -p 8080:8080 -it --rm --name webgoat webgoat/webgoat-8.0

Browse to the running application at http://localhost:8080/WebGoat and register a user. The examples in this tutorial show a user 'joeblow' and a password of 'abc123'. There is nothing special about those credentials; we show these values here only to reconcile the screenshots and parameter information that follow later.


Start Recording

Click the Application on the home screen

Click the 'Automation' tab

Click the 'Record' button

Type in a name for the Workflow

Click 'OK'

A browser will pop up. Type in the target URL and press the enter key.

The browser will navigate to the specified URL.


Selecting Page Elements

The next steps are to 'train' the workflow recorder to capture the correct sequence of page elements. The workflow recorder is not capturing events or HTTP traffic. Instead, the recorder captures the visual targets of interaction in the order they need to be visited or clicked during the login.

Specifically, we will perform the following actions to capture the data needed by the workflow engine.

  1. Select the 'Username' input element
  2. Select the 'Password' input element
  3. Select the 'Sign In' button
  4. Close the browser

That's it. The recorder will look at the relevant DOM information to encode the visual targets so that they can be identified and selected when the workflow is executed later.

*** IMPORTANT ***

There is a little keyboard magic required to select the visual inputs. The browser has a special selection mode for picking page elements. The trick goes like this:

NOTE: The instructions below refer to the ALT key in many places. For MacOS, use the Option key.

  1. Press the ALT key (you will notice that moving the mouse around the page now shows rulers and special markers highlighting the element you are hovering over)

  2. Hover over the item you want to select and click inside the highlighted rectangle.

Every time you click inside a rectangle the browser drops out of this special selection mode, so you have to hit the ALT key before each element is selected. The complete sequence for training a Web Goat login looks like this:

  1. Press the ALT key
  2. Select the 'Username' input element
  3. Press the ALT key
  4. Select the 'Password' input element
  5. Press the ALT key
  6. Select the 'Sign In' button
  7. Close the browser

The screenshots below show the sequence described above.

Press ALT key and select username input

Press ALT key and select password input

Press ALT key and select submit button

Close the browser


Stop Recording

Return to the Venari UI and press the 'Stop' button

Expand the recorded workflow

Look at the YAML that represents the steps that will be executed when this workflow is played later. Notice the special tokens like {endpoint}, {username} and {password}. These parameterized bits of data will be provided to the workflow player later as parameters. Parameters decouple the workflow from the specific credentials and target URL so that the workflow can be easily reused. 'Endpoint' means the combination of scheme, host and port. For example: https://www.something.com. The port is optional unless it is non-standard like 8080.
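To make the parameter idea concrete, here is an added example (not Venari's own workflow format or code) that represents a recorded login as a constructed list of steps carrying the {endpoint}, {username} and {password} tokens, binds parameters at play time, and enforces the tutorial's definition of an endpoint as scheme + host + optional port. The step dictionaries and selectors are hypothetical stand-ins for what the recorder captures.

```python
"""Illustrative parameterized login workflow (constructed; not Venari's YAML schema)."""
import re
from urllib.parse import urlsplit

# Constructed stand-in for a recorded Web Goat login. The token names are the
# ones the tutorial mentions; the selectors are invented for illustration.
RECORDED_LOGIN = [
    {"action": "navigate", "url": "{endpoint}/WebGoat"},
    {"action": "type", "target": "input[name=username]", "value": "{username}"},
    {"action": "type", "target": "input[name=password]", "value": "{password}"},
    {"action": "click", "target": "button[type=submit]"},
]

TOKEN = re.compile(r"\{([A-Za-z_]\w*)\}")


def required_parameters(workflow):
    """Every token the workflow needs, so a job template can be checked up front."""
    names = {m.group(1) for step in workflow for v in step.values()
             if isinstance(v, str) for m in TOKEN.finditer(v)}
    return sorted(names)


def normalize_endpoint(endpoint):
    """Endpoint = scheme://host[:port]; reject anything with a path, query or fragment.
    A default port (80/443) is dropped; a non-standard one such as 8080 is kept."""
    parts = urlsplit(endpoint)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"endpoint must be scheme://host[:port]: {endpoint!r}")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("endpoint must not contain a path, query or fragment")
    default = 80 if parts.scheme == "http" else 443
    port = parts.port or default
    suffix = f":{port}" if port != default else ""
    return f"{parts.scheme}://{parts.hostname}{suffix}"


def bind_parameters(workflow, params):
    """Return a copy of the workflow with every {token} filled from params.
    Missing parameters raise, so the workflow never plays half-parameterized."""
    missing = [n for n in required_parameters(workflow) if n not in params]
    if missing:
        raise KeyError(f"workflow needs parameters: {missing}")
    values = dict(params, endpoint=normalize_endpoint(params["endpoint"]))
    fill = lambda text: TOKEN.sub(lambda m: values[m.group(1)], text)
    return [{k: fill(v) if isinstance(v, str) else v for k, v in step.items()}
            for step in workflow]
```

Because the credentials live only in the bound parameters, the recorded workflow itself can be versioned and shared without embedding secrets.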


Test Workflow

Click the 'Test' button

Enter endpoint and credentials and click 'Run'

Watch the browser launch, navigate, enter credentials and click the submit button.

The landing page will be visible once the workflow test run completes.

Close the browser and return to the Venari UI.


Use the Workflow in a Job Template

Click the 'Templates' tab and then click the job template that you want to modify to use the login workflow.

If the template was created with auto-login credentials, click on the 'Start' tab and delete the credentials from the text fields.

Click the 'Workflows' tab

Select the workflow we just recorded by checking the box. Choose 'login' in the dropdown. There are other types of workflows with other purposes, but these are not covered in this tutorial.

Expand the parameters section at the bottom of the screen and enter the target endpoint and credentials.

Click 'Save', then click 'Start Job' to run the workflow. Note that this application is fully onboarded at this point. The Application contains the job template and the workflow, and is seeded with specific credentials. This job can be run unattended in Venari DevOps edition in a continuous assurance loop for CI/CD deployments.

The exploit job will start and you can look at the summary screen to see the login progress bar and then watch the scan start its analysis in a logged in state.

The screenshot below shows proof that the login workflow succeeded.

The screenshot below shows a completed scan that authenticated to the application using the workflow we just created. Web Goat is an AppSec learning lab for teaching application security techniques. The highlighted vulnerabilities were found by the Venari exploit job. The screen also shows evidence of login.


Multi-Page Logins

This tutorial demonstrated creating a login workflow for a single URL with a form containing all of the credential inputs and action elements. The recorder and workflow engine support more advanced action and navigation streams.


Imagine an application that authenticates users with the following steps:

  1. Navigate to a start URL
  2. See a 'SignIn' link somewhere on the page
  3. Click the 'SignIn' link
  4. Browser navigates to a second page with a username element
  5. Enter the username
  6. Click a 'Next' button
  7. Browser navigates to a third page with password element
  8. Enter a password
  9. Click a 'Next' button
  10. Browser navigates to a fourth page containing a text input for a PIN number
  11. Enter a PIN number
  12. Click a submit button


The actions for selecting/training the recorder are:

  1. Click the 'Record' button in Venari as described earlier in the tutorial
  2. Type the start URL and press enter
  3. The browser will navigate to the landing page
  4. Press the ALT key to activate selection mode
  5. Hover over the 'SignIn' link and click it
  6. Note that the click did NOT navigate to the link URL because we were in selection mode.
  7. Click the 'SignIn' link again. Because the previous click toggled us out of selection mode, the browser now navigates to the username page
  8. Press the ALT key to activate selection mode
  9. Hover over the username element
  10. Click the username element
  11. Press the ALT key to activate selection mode
  12. Hover over the 'Next' button
  13. Click the 'Next' button (this toggles us out of selection mode but does not navigate)
  14. Click the 'Next' button again to navigate to the password entry page
  15. Press the ALT key to activate selection mode
  16. Hover over the password element
  17. Click the password element
  18. Press the ALT key to activate selection mode
  19. Hover over the 'Next' button
  20. Click the 'Next' button (this toggles us out of selection mode but does not navigate)
  21. Click the 'Next' button again to navigate to the PIN entry page
  22. Press the ALT key to activate selection mode
  23. Hover over the PIN element
  24. Click the PIN element
  25. Press the ALT key to activate selection mode
  26. Hover over the 'Submit' button
  27. Click the submit button (this toggles us out of selection mode but does not navigate)
  28. Close the browser and return to the Venari workflow recorder panel

Note that the ALT key and hover operations, followed by the actual navigations, provide the recorder with a stream of DOM targets that will be used when the workflow is played. The actual navigations are not recorded. The example above uses 4 URLs, 3 input elements and multiple buttons.

*** PRO TIP *** Remember that the ALT key puts you IN selection mode and the next click always toggles you OUT of selection mode. The rulers and selection lines are good reminders that you are in selection mode. Links and buttons do NOT result in any action when you click them while in selection mode.