Version 1.0 - March 2019

Venari 1.0 is a web application scanning tool which is used to assess web application vulnerabilities. Version 1.0 features a fully functional automatic discovery engine based on a combination of

Highlights

Features

Automatic Web Application Discovery: Using automatic browser navigation and interaction in combination with traffic-based spidering
Automatic Login: Browser-based login using only credentials as input
Cross-Site Scripting Detection: Detects XSS in headless browser. No false positives.
Browser-State Navigation View: See the navigation paths and click streams to verify application coverage (with screenshots)
HTTP Traffic View: URL tree view of HTTP traffic
Single Page Application Coverage: Handles modern frameworks and XHR-heavy applications
Cross-Platform: UI and engine run on Windows, MacOS and Linux

Quick Start

This quick start tutorial will explain the main workflows and features of Venari. As this is the initial release, we plan to make tutorial videos available as soon as possible. There is a FAQ page on the support page of the site and a form to report issues or make feature requests. We hope you enjoy getting to know the powerful discovery and exploit engine that we are making freely available. Our hope is to build a community of users and get AppSec tools into the hands of every member of the security team from developers to QA engineers to security specialists. Venari CE uses the same REST API-based analysis engine that powers our automation suite. Assert’s mission is to enable containerized, continuous assurance platforms for large organizations with lots of applications and rapid updates. All of our products are built on the same cross-platform stack. For this first release we are finding all the flavors of XSS, but the full space of vuln categories is coming soon. So, stay up to date on versions and please give us feedback and tell your friends.

Let's Get Started

Click the ‘New Application’ Button on the start screen

  1. Fill out the form with the basic connection, scope and credential information.
  2. Enter the application name and entry URL.
  3. Enter the path restrictions to bound the paths where discovery and exploits are applied.
  4. Authentication is optional. Either uncheck the box or specify username and password if you want authenticated analysis.
  5. Select whether or not to generate default configuration templates for discovery and exploit. Note that discovery templates configure jobs to ONLY map the site structure whereas exploit templates direct the analysis to map the site and also check for web application vulnerabilities.

  1. Click the triangle icon to run the job using whichever template you want
  2. Note that there is a folder icon next to each template. Click the folder if you want to edit the generated template. Advanced configuration will be discussed in a separate help topic. The help link in the title bar will take you to the list of available topics.
  3. After a brief pause, the UI will start updating the status of the running job.
  4. Note that Venari has a concurrent analysis engine that runs multiple threads in parallel. This includes a pool of browser engines. The status updates are polled every few seconds and show the progress of the internal analysis modules. As the discovery and probing modules make progress through the site, the information tabs will be updated with the partial results accumulated so far.
  5. The screenshot below shows an in-progress scan analyzing Google Firing Range. The sections that follow will describe the detailed tabs and information panels generated by the scan.

  1. Click the browser tab that is directly above the progress area
  2. Expand some of the click event labels to get a feel for what the browser engine records and how it navigates the possible states of the page
  3. Clicking the document node under an event will show a screenshot of what the browser rendered in response to the event
  4. To the right of the screenshot tab, also click the Document HTML and HTTP Traffic tabs
  5. The browser discovery tree is a detailed history of the ‘click streams’ invoked and followed by the pool of browser engines.
  6. The Document HTML tab shows the exact state of the DOM at the point in time the snapshot was taken. This is not the HTML that was delivered by the HTTP request but is the state of the application’s DOM after browsing activity has accumulated.
  7. The HTTP Traffic tab shows the initial content delivered by the server response

  1. Click the Traffic tab that is directly above the progress area
  2. Click through the tree nodes to get a more traditional HTTP traffic view of the analysis
  3. Note that requested resources that returned a 404 or a site-specific error page are broken out into a separate tree node at the bottom of the left pane.
  4. Also note that force-browsed resources which are not determined to be ‘found’ are left out of the error tree node altogether.
  5. The screenshot below shows a partially expanded resource graph.

  1. Click the results tab that is directly above the progress area.
  2. This view shows the vulnerabilities and detailed drill-down information on how the targets were probed and mapped, what the attack payload looked like and the exact reflection in the DOM.
  3. Click the expander icon on any vulnerability row and look at the description box.
  4. Click each of the detail tabs to the right of the description tab to see the metadata about how the input mapped to the output
  5. The first screenshot below shows a completed scan of resulting in 123 XSS detections and demonstrates the way the grid looks when there are multiple result pages. The second screenshot shows a specific result and the screenshot evidence.
  6. Note that vulnerabilities and other results accumulate as the scan job progresses. Periodically hit the refresh icon above the active view to get updated results.
  7. If your scan reveals vulnerabilities, click each of the tabs for specific vulnerabilities to get all of the available data.

Venari’s analysis engine conducts extensive probing and reflection mapping to infer data flow through the live DOM. The fingerprinting engine traces locations in detail and saves this metadata for the exploiter. Smart XSS breakouts can be computed based on the exact structural nesting of the reflected probe in the DOM. For reflections that occur in script blocks or JS event attributes, breakouts are computed from the syntax tree of the JS content.
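The reflection mapping described above can be illustrated with a small parser that records where a probe value lands in a document, the element nesting around it, and the output encoding that context calls for. This is an added example, not Venari's code; the probe value, the sample HTML and the context names are constructed for illustration.

```python
from html.parser import HTMLParser

PROBE = "zq7probe"  # constructed marker, assumed unique per tested input
VOID = {"br", "hr", "img", "input", "link", "meta"}  # elements with no end tag
ENCODING = {  # output encoding each reflection context calls for
    "html_text": "HTML-entity encode",
    "attribute": "attribute-encode inside a quoted value",
    "event_handler": "JS-string encode, then attribute-encode",
    "script_block": "JS-string encode or pass the data as JSON",
}
SAMPLE = (  # constructed DOM snapshot reflecting the probe four ways
    '<html><body><h1>Results for zq7probe</h1>'
    '<form action="/s"><input name="q" value="zq7probe"></form>'
    '<a href="/s" onclick="track(\'zq7probe\')">again</a>'
    '<script>var q = "zq7probe";</script></body></html>'
)

class ReflectionMapper(HTMLParser):
    """Records each place the probe appears and the open elements around it."""
    def __init__(self, probe):
        super().__init__(convert_charrefs=True)
        self.probe, self.stack, self.found = probe, [], []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and self.probe in value:
                kind = "event_handler" if name.startswith("on") else "attribute"
                self.found.append((kind, "/".join(self.stack + [tag]), name))
        if tag not in VOID:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in self.stack:  # tolerate unclosed children
            while self.stack.pop() != tag:
                pass

    def handle_data(self, data):
        if self.probe in data:
            in_script = self.stack[-1:] == ["script"]
            kind = "script_block" if in_script else "html_text"
            self.found.append((kind, "/".join(self.stack), None))

def map_reflections(html, probe=PROBE):
    """Return (context, nesting path, attribute, encoding) per reflection."""
    mapper = ReflectionMapper(probe)
    mapper.feed(html)
    mapper.close()
    return [(c, p, a, ENCODING[c]) for c, p, a in mapper.found]
```

Running `map_reflections` on both the initial HTTP response and a later DOM snapshot shows which reflections exist only after client-side script has run.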

  1. Click the fingerprint tab above the details pane
  2. Click the reflections sub-tab
  3. Note that there are two flavors of probe reflections tracked by the engine. Browser reflections are from snapshots of the changing DOM. Traffic reflections are from the initial response or a redirect response in a chain of HTTP messages
  4. Expand any browser reflection and click through the screenshot, HTML and workflow tabs
  5. Click the Endpoints sub-tab next to the reflections sub-tab.
  6. If the site uses HTTPS you will see TLS cipher and protocol information for the server.
  7. The screenshot below shows a reflected probe in the document HTML captured by the browser.
  8. Note that stored probes and stored fuzzing payloads from the exploiter are checked for in a final pass of the analysis. The two modules on the bottom of the progress screenshot (above) run when all discovery and exploit analysis is complete.

That covers the basic operation and information available from a Venari scan. More detailed information will be coming soon as a stream of tutorial videos and more documentation. Advanced configurations will be covered in other topic pages. For cases where the auto-login heuristic does not acquire a login session, there is a recording feature to help create the login workflow. That topic will be covered by a video that is currently in production. Please check the help and support pages for more content as we build capabilities and new vulnerability detection onto the core engine that we have released. The auto-update channel will carry frequent version upgrades and our social media channels will send out the news when there are new capabilities, tools and resources.