
Version 1.3 - September 2019

Version 1.3 of Venari is packed with new features for the desktop UI and the core scan engine. Version 1.3 is also the beginning of trials for the Venari Standard, Professional and DevOps Editions.


Expanded Vulnerabilities

The core scan engine has 22 new detection rules that greatly improve coverage of application vulnerability detection. In addition to fuzzing rules, the scanner can now apply passive Inspection Rules to search for information leaks, TLS issues, error handling flaws, unprotected credential transport, and many other security issues evident in HTTP traffic from resource discovery. The rules are listed in detail under Vulnerability Details below.


Taxonomy Information

The rules engine now contains vulnerability taxonomy information. When vulnerabilities are detected the available CWE, CVE and CVSS information shows up in the findings view of the UI.

Vulnerability classification tags are populated in the findings grid for an aggregated view.

Vulnerability classification tags are populated in the finding details under the properties tab for individual vulnerabilities.


Summary Counters

The Summary View in the desktop UI now contains a side panel with useful counters. Findings are now summarized in a table in the lower right, and for authenticated scans, login and logout counters help visualize login and session state continuity.


Alerts View

The alert panel shows useful information regarding the health and progress of the running scan job. This information helps users identify bad login workflows or applications with network IO issues. Alertable items include:

  • Failed scans
  • Failed logins
  • Startup initialization failures
  • Invalid configurations
  • Logouts detected


Retest Improvements

The retest view has been reworked for layout and better usability.

Select the finding and click the play icon.

Input the required data and click the Test button.

The rule runs locally.

A single result from a completed finding retest is shown; in this example the traffic view shows the detected credit card.

The properties tab often shows extra useful information. In this example, the validation logic detected that the card is a VISA.
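The validation the retest example and the Credit Card Number Exposure passive rule describe (issuer prefix, format, length and checksum) can be illustrated with a small passive check over a response body. This is an added example, not Venari's own rule code; the issuer table and the sample response body are constructed assumptions.

```python
import re

# Constructed issuer table (an assumption, not Venari's rule data):
# leading-digit pattern and the card lengths accepted for each brand.
ISSUERS = [
    ("VISA", re.compile(r"^4"), {13, 16, 19}),
    ("MasterCard", re.compile(r"^(5[1-5]|22[2-9]|2[3-6]|27[01]|2720)"), {16}),
    ("American Express", re.compile(r"^3[47]"), {15}),
    ("Discover", re.compile(r"^(6011|65|64[4-9])"), {16, 19}),
]

# Runs of 13-19 digits, optionally separated by single spaces or dashes,
# that are not embedded in a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed HTTP response body: one valid VISA, one valid Amex, one number
# that fails the checksum, and digit runs that are not card numbers at all.
SAMPLE_BODY = (
    "<p>Receipt for order 1001: card 4111 1111 1111 1111, exp 12/22.</p>\n"
    "<p>Secondary card 378282246310005; declined card 4111111111111112.</p>\n"
    "<p>Support: 555-0100-1234, account 1234567890123456.</p>"
)


def luhn_ok(digits: str) -> bool:
    """Mod-10 checksum: double every second digit counting from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(digits: str):
    """Issuer name when prefix, length and checksum all agree, else None."""
    if not luhn_ok(digits):
        return None
    for name, prefix, lengths in ISSUERS:
        if prefix.match(digits) and len(digits) in lengths:
            return name
    return None


def find_card_numbers(body: str):
    """Return (masked number, issuer) for every validated candidate in a body."""
    hits = []
    for m in CANDIDATE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group(0))
        issuer = classify(digits)
        if issuer:
            hits.append(("*" * (len(digits) - 4) + digits[-4:], issuer))
    return hits
```

Only candidates that pass all three checks are reported, which is what keeps phone numbers and account identifiers out of the findings.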


Sampling Mode

Sampling mode allows multiple start URLs and configurable sampling limits per specified origin. Some examples of useful batch scan jobs include:

  • Running a large batch of server URLs through a single page TLS check to identify weak ciphers and known TLS vulnerabilities.

  • Writing a custom rule to inspect for specific patterns in content across a large sample of website homepages.

Configuring the job to be a sampling scan requires changes to the job template in the Start and Scope tabs.

Click the Start tab and then click the Add button.

Type in as many sampling target URLs as you like.

Switch to the Scope tab and scroll until you see the sample type and count UI.


Expanded Force Browsing

The force browsing module has additional, configurable types of brute force resource checking.

Categories

  • Large List: common files and paths from a very large list
  • Backup files: check for exposed archive files that may contain sensitive data not intended to be accessible on the public site
  • Log files and directories: check for leaked information
  • Configuration files and directories


New Fingerprint Collections

The fingerprinter has new collections to aid in mapping attack surface.

Categories

  • Request Parameters: with summary information on inferred data types
  • JavaScript Function Signatures: a searchable list of function signatures from the fully parsed JS files, inline JS blocks and HTML event attributes

Parameter values are analyzed for multiple categories of inferred data types, including delimited lists.

Function names and signatures are shown below.


Auto-Login Improvements

The Auto-login heuristic continues to evolve to handle common login paths. Expect this feature to improve over time as we accumulate more examples of common login markup, code patterns and form constructs.


New Workflow Types

Categories

  • Workflow: A workflow supplements or replaces browser discovery and spider crawling. Workflows are also useful for ordered browser actions on the application that are not executed by default. A more detailed example would be a page with a form input that requires a specific value in order to reach the desired section of the application. Creating a workflow that sets this input value solves this problem.
  • Login: Login workflows navigate to the login UI elements and apply the username and password from settings. Login workflows are auto-generated by default, and there is a separate recorder tool for handling more difficult cases.
  • Start: Start workflows replace the start URL. A start workflow runs instead of a navigation to a single start URL. Once the workflow completes, the normal browser discovery process follows immediately, in the same way it would follow a start URL navigation.
  • Setup: Setup workflows run at the beginning of a scan job and only run once. As an example, the browser steps required to register a new user can be recorded in a setup workflow. Another example is a set of steps needed to initialize the web application or backend database before the analysis starts.
  • Cleanup: Cleanup workflows run exactly once when all other analysis is complete. These workflows are useful if you need to undo certain application state changes that happened during the scan job. The finisher module must be enabled to run a cleanup workflow.
  • Ordered: Ordered workflows are played back before fuzzing attacks in order to acquire any special state that may be required to access the functionality being attacked. Every playback happens in isolation. This improves accuracy at the expense of speed.


Logging Configuration

To enable detailed troubleshooting during tech support calls, the debug logging is now configurable for better read performance and accurate isolation of engine components.


Miscellaneous

Miscellaneous UI improvements, bug fixes and performance tweaks are a part of every release. Below is a partial list of miscellaneous items in version 1.3.

Categories

  • Force Complete Job: Users can choose to force the completion of a job and also push the partial findings into the workspace so they are available for retest.
  • Job Cancel: Jobs in the ready state can now be cancelled.
  • Finisher Module: The finisher module runs at the end of a scan job when all other analysis is complete. The finisher does various cleanup work, including stored XSS checking and finalizing cookie probing.
  • URL Shape Limiting: There is a new scope setting to limit the number of repeats of URLs based on their signature. This is helpful for applications that have similar URLs where various query parameters or locations in the path hold data, like resource IDs. These resource parameters are common in large sites containing products or other data-driven content items. As an example, the URLs http://www.foo.com/store/product/1 and http://www.foo.com/store/product/2 may be part of a set where the number goes extremely high, but all of the backend logic is the same. Limiting the number of URLs processed for fuzzing and further discovery is a way to put a reasonable bound on scan size and still get a useful set of samples. The 'shape' of the URL is automatically detected, and these groupings are applied without manual configuration.
  • Workflow Rename: Workflows can now be renamed.
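A worked example of the URL shape grouping described under URL Shape Limiting, added here and not Venari's own signature logic: the shape heuristic (numeric and long hexadecimal path segments become {id}, query values are blanked and parameter names sorted), the per-shape limit and the discovered URL list are all assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit, urlunsplit

# Constructed discovery output: four product pages that share one backend,
# three item lookups that differ only in parameter values, and one static page.
DISCOVERED_URLS = [
    "http://www.foo.com/store/product/1",
    "http://www.foo.com/store/product/2",
    "http://www.foo.com/store/product/3",
    "http://www.foo.com/store/product/4",
    "http://www.foo.com/store/item?id=7&sort=price",
    "http://www.foo.com/store/item?sort=name&id=9",
    "http://www.foo.com/store/item?id=11&sort=price",
    "http://www.foo.com/about",
]

# Heuristic (an assumption) for path segments that carry data rather than routing.
DATA_SEGMENT = re.compile(r"^(\d+|[0-9a-f]{8,})$", re.IGNORECASE)


def url_shape(url: str) -> str:
    """Collapse a URL to its shape: host, path with data segments replaced by
    {id}, and the sorted parameter names with their values blanked out."""
    parts = urlsplit(url)
    path = "/".join("{id}" if DATA_SEGMENT.match(seg) else seg
                    for seg in parts.path.split("/"))
    names = sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)})
    query = "&".join(f"{k}=*" for k in names)
    return urlunsplit((parts.scheme, parts.netloc.lower(), path, query, ""))


class ShapeLimiter:
    """Admit at most `limit` URLs per shape; later repeats of a shape are skipped."""

    def __init__(self, limit: int):
        self.limit = limit
        self.count = defaultdict(int)

    def admit(self, url: str) -> bool:
        shape = url_shape(url)
        if self.count[shape] >= self.limit:
            return False
        self.count[shape] += 1
        return True


def select_samples(urls, limit):
    """Filter a discovery list down to `limit` representatives per URL shape."""
    limiter = ShapeLimiter(limit)
    return [u for u in urls if limiter.admit(u)]
```

With a limit of 2, the eight constructed URLs reduce to five: two product pages, two item lookups and the static page, which is the bound on fuzzing and discovery work the setting is meant to provide.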


Vulnerability Details


Active Rules

MEDIUM
  • Cross Site Request Forgery (distinguishes between Possible and Confirmed)
HIGH
  • Cross Frame Scripting (confirmed via frame navigation)
CRITICAL
  • SQL Injection (verbose and blind detection) [screenshot]
  • Cross Site Scripting (reflected and stored detection, traffic or DOM-based, with verified code execution) [screenshot]
  • Unprotected Transport of Credentials (Server)
  • Unrestricted File Upload

Passive Rules

INFO
  • Credit Card Number Exposure (validated card issuer prefix, format, length and checksum)
  • Social Security Number Exposure (validated format, length and issuer prefix)
  • Backup File Exposure
  • Log File Exposure
  • Private IP Address Exposure [screenshot]
  • Directory Listing [screenshot]
LOW
  • Deserialization of Untrusted Data (Possible)
MEDIUM
  • Transport Logjam
  • Transport Poodle
  • Connection String Exposure
  • Improper Exception Handling [screenshot]
  • Sensitive Cookie Without 'Secure' Attribute
HIGH
  • Overly Permissive Cross-Domain White List
  • Transport Weak SSL/TLS Ciphers
  • Transport Drown
  • Transport NOMORE
  • Transport Sweet32
CRITICAL
  • Unprotected Transport of Credentials (Client) [screenshot]
WORDPRESS
CVE-2017-1000600
CVE-2017-1001000
CVE-2017-14718
CVE-2017-14719
CVE-2017-14720
CVE-2017-14721
CVE-2017-14722
CVE-2017-14723
CVE-2017-14724
CVE-2017-14725
CVE-2017-14726
CVE-2017-14990
CVE-2017-16510
CVE-2017-17091
CVE-2017-5487
CVE-2017-5488
CVE-2017-5489
CVE-2017-5490
CVE-2017-5491
CVE-2017-5492
CVE-2017-5493
CVE-2017-5610
CVE-2017-5611
CVE-2017-5612
CVE-2017-6514
CVE-2017-6814
CVE-2017-6815
CVE-2017-6816
CVE-2017-6817
CVE-2017-6818
CVE-2017-6819
CVE-2017-8295
CVE-2017-9061
CVE-2017-9062
CVE-2017-9063
CVE-2017-9064
CVE-2017-9065
CVE-2017-9066
CVE-2018-1000773
CVE-2018-10100
CVE-2018-10101
CVE-2018-10102
CVE-2018-12895
CVE-2018-14028
CVE-2018-20147
CVE-2018-20148
CVE-2018-20149
CVE-2018-20150
CVE-2018-20151
CVE-2018-20152
CVE-2018-20153
CVE-2018-5776
CVE-2018-6389
CVE-2019-8942
CVE-2019-8943
CVE-2019-9787


Evidence Screenshots

Evidence screenshots (images not reproduced in this text) are provided for:

  • Verbose SQL Injection
  • Cross Site Scripting
  • Improper Exception Handling
  • Unprotected Transport of Credentials (Client)
  • Private IP Address Exposure
  • Directory Listing