# Version 1.3 - September 2019
Version 1.3 of Venari is packed with new features for the desktop UI and the core scan engine. Version 1.3 also marks the beginning of trials for the Venari Standard, Professional and DevOps Editions.
- Expanded Vulnerabilities
- Taxonomy Information
- Summary Counters
- Alerts View
- Retest Improvements
- Sampling Mode
- Expanded Force Browsing
- New Fingerprint Collections
- Auto-Login Improvements
- New Workflow Types
- Logging Configuration
- Miscellaneous
- Vulnerability Details
## Expanded Vulnerabilities
The core scan engine has 22 new detection rules that greatly expand application vulnerability coverage. In addition to fuzzing (active) rules, the scanner can now apply passive Inspection Rules that examine the HTTP traffic captured during resource discovery, without sending attack payloads, for information leaks, TLS issues, error handling flaws, unprotected credential transport and other security issues. The full list is in the Vulnerability Details section below.
## Taxonomy Information
The rules engine now carries vulnerability taxonomy information. When a vulnerability is detected, the available CWE, CVE and CVSS data appears in the findings view of the UI.
Vulnerability classification tags are populated in the findings grid for an aggregated view.
Vulnerability classification tags are populated in the finding details under the properties tab for individual vulnerabilities.
## Summary Counters
The Summary View in the desktop UI now has a side panel with useful counters. Findings are summarized in a table in the lower right and, for authenticated scans, login and logout counters help visualize login and session state continuity.
## Alerts View
The alert panel shows information about the health and progress of the running scan job, which helps users identify bad login workflows or applications with network I/O problems. Alertable conditions include:
- Failed scans
- Failed logins
- Startup initialization failures
- Invalid configurations
- Logouts detected
## Retest Improvements
The retest view has been reworked for layout and better usability.
Select the finding and click the play icon.
Input the required data and click the Test button.
The rule runs locally.
Single result from a completed finding retest. In this example the traffic view shows the detected credit card number.
The properties tab often shows extra useful information. In this example, the validation logic identified the card as a Visa.
## Sampling Mode
Sampling mode allows multiple start URLs and configurable sampling limits per specified origin. Useful batch scan jobs include:
- Running a large batch of server URLs through a single-page TLS check to identify weak ciphers and known TLS vulnerabilities.
- Writing a custom rule to inspect for specific patterns in content across a large sample of website homepages.
Configuring a job as a sampling scan requires changes to the job template in the Start and Scope tabs:
Click the Start tab and then click the Add button.
Type in as many sampling target URLs as you like.
Switch to the Scope tab and scroll until you see the sample type and count UI.
## Expanded Force Browsing
The force browsing module has additional, configurable types of brute-force resource checking.
Category | Description
---|---
Large List | Common files and paths from a very large list
Backup files | Check for exposed archive files that may contain sensitive data not intended to be accessible on the public site
Log files and directories | Check for leaked information
Configuration files and directories |
## New Fingerprint Collections
The fingerprinter has new collections to aid in mapping attack surface.
Category | Description
---|---
Request Parameters | With summary information on inferred data types
JavaScript Function Signatures | Searchable list of function signatures from the fully parsed JS files, inline JS blocks and HTML event attributes
Parameter values are analyzed for multiple categories of inferred data types, including delimited lists.
Function names and signatures are shown below.
## Auto-Login Improvements
The Auto-login heuristic continues to evolve to handle common login paths. Expect this feature to improve over time as we accumulate more examples of common login markup, code patterns and form constructs.
## New Workflow Types
Workflow type | Description
---|---
Workflow | A workflow supplements or replaces browser discovery and spider crawling. Workflows are also useful for ordered browser actions on the application that are not executed by default. A more detailed example would be a page with a form input that requires a specific value in order to reach the desired section of the application. Creating a workflow that sets this input value would solve this problem. |
Login | Login workflows navigate to the login UI elements and apply the username and password from settings. Login workflows are auto-generated by default and there is a separate recorder tool for handling more difficult cases. |
Start | Start workflows replace the start URL. A start workflow runs instead of a navigation to a single start URL. Once the workflow completes, the normal browser discovery process follows immediately in the same way it would follow a start URL navigation. |
Setup | Setup workflows run at the beginning of a scan job and only run once. As an example, the browser steps required to register a new user can be recorded in a setup workflow. Another example is a set of steps needed to initialize the web application or backend database before the analysis starts. |
Cleanup | Cleanup workflows run exactly once when all other analysis is complete. These workflows are useful if you need to undo certain application state changes that happened during the scan job. The finisher module must be enabled to run a cleanup workflow. |
Ordered | Ordered workflows are played back before fuzzing attacks in order to acquire any special state that may be required to access the functionality being attacked. Every playback will happen in isolation. This improves accuracy at the expense of speed. |
## Logging Configuration
To enable detailed troubleshooting during tech support calls, debug logging is now configurable, giving better read performance and accurate isolation of individual engine components.
## Miscellaneous
Miscellaneous UI improvements, bug fixes and performance tweaks are part of every release. Below is a partial list of miscellaneous items in version 1.3.
Item | Description
---|---
Force Complete Job | Users can force the completion of a job and push the partial findings into the workspace so they are available for retest |
Job Cancel | Jobs in the ready state can now be cancelled |
Finisher Module | The finisher module runs at the end of a scan job when all other analysis is complete. It does various cleanup work, including stored XSS checking and finalizing cookie probing. |
URL Shape Limiting | A new scope setting limits the number of repeats of URLs that share a signature. This helps with applications whose URLs differ only in data-bearing query parameters or path segments, such as resource IDs, which are common on large sites with products or other data-driven content. For example, http://www.foo.com/store/product/1 and http://www.foo.com/store/product/2 may be part of a set whose numbers run extremely high while the backend logic is the same for all of them. Limiting the number of such URLs processed for fuzzing and further discovery puts a reasonable bound on scan size while still yielding a useful set of samples. The 'shape' of a URL is detected automatically and the groupings are applied without manual configuration. |
Workflow Rename | Workflows can now be renamed |
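The grouping that the URL Shape Limiting entry above describes, as an added Python example (not Venari's own implementation): path segments that look like data are replaced with placeholders, query parameter values are discarded so that only the set of parameter names counts, and only the first N URLs of each resulting shape are passed on to fuzzing and further discovery. The segment classifiers (integers, UUIDs, long hex tokens, multi-word slugs), the `max_per_shape` cap and the constructed crawl list are assumptions for illustration.

```python
"""URL shape limiting for discovered URLs.

Added example, not Venari's implementation. A URL's "shape" is assumed to be
its scheme, host and path with data-bearing path segments replaced by
placeholders, plus the sorted set of query parameter names. URLs sharing a
shape are assumed to hit the same backend logic, so only the first
max_per_shape of each are kept. The segment classifiers are assumptions.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, urlsplit

# Placeholder and pattern for each recognised data-bearing segment type (checked in order).
SEGMENT_RULES = [
    ("{uuid}", re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)),
    ("{int}", re.compile(r"^\d+$")),
    ("{hex}", re.compile(r"^[0-9a-f]{16,}$", re.I)),
    ("{slug}", re.compile(r"^[a-z0-9]+(?:-[a-z0-9]+){2,}$", re.I)),  # e.g. blue-widget-large
]


def shape_segment(segment: str) -> str:
    """Map one path segment to a placeholder if it looks like data, else keep it as-is."""
    for placeholder, pattern in SEGMENT_RULES:
        if pattern.match(segment):
            return placeholder
    return segment


def url_shape(url: str) -> str:
    """Signature of a URL: scheme, host, placeholder path and sorted query parameter names.
    Parameter values are deliberately ignored; only the set of names matters."""
    parts = urlsplit(url)
    path = "/".join(shape_segment(s) for s in parts.path.split("/"))
    names = sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)})
    query = "?" + "&".join(names) if names else ""
    return f"{parts.scheme}://{parts.netloc.lower()}{path}{query}"


def limit_by_shape(urls: List[str], max_per_shape: int = 2) -> Tuple[List[str], Dict[str, int]]:
    """Keep the first max_per_shape URLs of every shape, in discovery order.
    Returns the kept URLs and, for each shape that hit the cap, how many were dropped."""
    seen: Counter = Counter()
    kept: List[str] = []
    for url in urls:
        shape = url_shape(url)
        seen[shape] += 1
        if seen[shape] <= max_per_shape:
            kept.append(url)
    dropped = {s: n - max_per_shape for s, n in seen.items() if n > max_per_shape}
    return kept, dropped


# Constructed crawl output in the spirit of the release-note example (not real data).
DISCOVERED = [
    "http://www.foo.com/store/product/1",
    "http://www.foo.com/store/product/2",
    "http://www.foo.com/store/product/3",
    "http://www.foo.com/store/product/4",
    "http://www.foo.com/store/product/1/review/17",
    "http://www.foo.com/store/product/2/review/18",
    "http://www.foo.com/search?q=widget&page=1",
    "http://www.foo.com/search?page=2&q=gadget",
    "http://www.foo.com/search?q=widget&page=3",
    "http://www.foo.com/about",
]

if __name__ == "__main__":
    kept, dropped = limit_by_shape(DISCOVERED, max_per_shape=2)
    for url in kept:
        print("fuzz:", url)
    for shape, n in dropped.items():
        print(f"skipped {n} more URL(s) matching {shape}")
```

With a cap of 2 the four product pages collapse to two and the three searches to two, while the review pages and the about page survive untouched because each is its own shape. Keeping the first occurrences rather than a random sample keeps the result deterministic between scans, which matters when comparing findings across runs.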
## Vulnerability Details
### Active Rules
Severity | Rule | Notes
---|---|---
MEDIUM | Cross Site Request Forgery | Distinguishes between Possible and Confirmed
HIGH | Cross Frame Scripting | Confirmed via frame navigation
CRITICAL | SQL Injection | Verbose and blind detection
CRITICAL | Cross Site Scripting | Reflected and stored detection (traffic or DOM-based) with verified code execution
CRITICAL | Unprotected Transport of Credentials (Server) |
CRITICAL | Unrestricted File Upload |
### Passive Rules
Severity | Rule | Notes
---|---|---
INFO | Credit Card Number Exposure | Validated card issuer prefix, format, length and checksum
INFO | Social Security Number Exposure | Validated format, length and issuer prefix
INFO | Backup File Exposure |
INFO | Log File Exposure |
INFO | Private IP Address Exposure |
INFO | Directory Listing |
LOW | Deserialization of Untrusted Data | Possible
MEDIUM | Transport: Logjam |
MEDIUM | Transport: POODLE |
MEDIUM | Connection String Exposure |
MEDIUM | Improper Exception Handling |
MEDIUM | Sensitive Cookie Without 'Secure' Attribute |
HIGH | Overly Permissive Cross-Domain White List |
HIGH | Transport: Weak SSL/TLS Ciphers |
HIGH | Transport: DROWN |
HIGH | Transport: NOMORE |
HIGH | Transport: Sweet32 |
CRITICAL | Unprotected Transport of Credentials (Client) |
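The passive Inspection Rules introduced under Expanded Vulnerabilities, and the credit card validation shown in the retest example, as an added Python example (these are not Venari's rules): three checks that run over an already captured HTTP exchange without sending anything further, one validating a credit card number by issuer prefix, length and Luhn checksum, one flagging a sensitive cookie set without the Secure attribute, and one spotting an RFC 1918 address in a response body. The `Exchange` record, the issuer prefix table, the sensitive-cookie name heuristic and the sample response are all assumptions constructed for illustration.

```python
"""Passive inspection rules over captured HTTP traffic.

Added example, not Venari's code: three passive checks in the spirit of the
release notes (credit card exposure with issuer prefix, length and Luhn
checksum; sensitive cookie without Secure; RFC 1918 address in a body) run
over an already captured exchange, so no requests are sent.
"""
import ipaddress
import re
from collections import namedtuple
from typing import Iterator, List, Optional

# Minimal capture record; repeated Set-Cookie headers are kept as separate pairs.
Exchange = namedtuple("Exchange", "url headers body")
Finding = namedtuple("Finding", "rule severity url evidence")

# Assumed subset of public issuer prefixes: (name, prefix pattern, valid lengths).
ISSUERS = [
    ("Visa", re.compile(r"4"), {13, 16, 19}),
    ("Mastercard", re.compile(r"5[1-5]|2(2[2-9]|[3-6]\d|7[01]|720)"), {16}),
    ("American Express", re.compile(r"3[47]"), {15}),
]
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")  # 13-19 digits, spaced or hyphenated
SENSITIVE_COOKIE = re.compile(r"sess|auth|token|jwt|sid", re.I)    # cookie-name heuristic (assumption)
IPV4 = re.compile(r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: from the right, double every second digit and fold values above 9 to d-9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify_pan(candidate: str) -> Optional[str]:
    """Issuer name if prefix, length for that issuer and Luhn checksum all agree, else None."""
    digits = re.sub(r"[ -]", "", candidate)
    for name, prefix, lengths in ISSUERS:
        if prefix.match(digits) and len(digits) in lengths and luhn_ok(digits):
            return name
    return None


def rule_credit_card(ex: Exchange) -> Iterator[Finding]:
    for m in PAN_CANDIDATE.finditer(ex.body):
        issuer = classify_pan(m.group(0))
        if issuer:  # report only the last four digits so the finding itself does not leak the PAN
            yield Finding("Credit Card Number Exposure", "INFO", ex.url,
                          f"{issuer} card ending {m.group(0)[-4:]}")


def rule_cookie_secure(ex: Exchange) -> Iterator[Finding]:
    for name, value in ex.headers:
        if name.lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if SENSITIVE_COOKIE.search(cookie_name) and "secure" not in attrs:
            yield Finding("Sensitive Cookie Without 'Secure' Attribute", "MEDIUM",
                          ex.url, f"{cookie_name} set without the Secure attribute")


def rule_private_ip(ex: Exchange) -> Iterator[Finding]:
    for m in IPV4.finditer(ex.body):
        try:
            ip = ipaddress.ip_address(m.group(0))
        except ValueError:  # e.g. 999.1.1.1 fits the regex but is not an address
            continue
        if any(ip in net for net in RFC1918):
            yield Finding("Private IP Address Exposure", "INFO", ex.url, str(ip))


RULES = [rule_credit_card, rule_cookie_secure, rule_private_ip]


def inspect(ex: Exchange) -> List[Finding]:
    """Run every passive rule over one captured exchange."""
    return [f for rule in RULES for f in rule(ex)]


# Constructed sample exchange, not real traffic.
SAMPLE = Exchange(
    url="https://app.example.test/account/receipt",
    headers=[
        ("Content-Type", "text/html"),
        ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly"),  # sensitive, no Secure
        ("Set-Cookie", "theme=dark; Path=/; Secure"),          # not sensitive
    ],
    body="<p>Paid with card 4111 1111 1111 1111</p>\n"           # well-known Visa test number
         "<p>Order ref 1234 5678 9012 3456</p>\n"                # 16 digits but fails Luhn
         "<!-- origin 10.20.30.40, cdn edge 203.0.113.9 -->\n",  # one RFC 1918 address
)

if __name__ == "__main__":
    for f in inspect(SAMPLE):
        print(f"[{f.severity}] {f.rule}: {f.evidence} ({f.url})")
```

Two details matter in practice: the checksum and issuer gate is what keeps order numbers, tracking codes and other 16-digit strings out of the findings, and the evidence field deliberately carries only the issuer and last four digits, since a scanner report that reproduces full card numbers becomes a data exposure of its own.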
### WordPress
| CVE |
|---|
| CVE-2017-1000600 |
| CVE-2017-1001000 |
| CVE-2017-14718 |
| CVE-2017-14719 |
| CVE-2017-14720 |
| CVE-2017-14721 |
| CVE-2017-14722 |
| CVE-2017-14723 |
| CVE-2017-14724 |
| CVE-2017-14725 |
| CVE-2017-14726 |
| CVE-2017-14990 |
| CVE-2017-16510 |
| CVE-2017-17091 |
| CVE-2017-5487 |
| CVE-2017-5488 |
| CVE-2017-5489 |
| CVE-2017-5490 |
| CVE-2017-5491 |
| CVE-2017-5492 |
| CVE-2017-5493 |
| CVE-2017-5610 |
| CVE-2017-5611 |
| CVE-2017-5612 |
| CVE-2017-6514 |
| CVE-2017-6814 |
| CVE-2017-6815 |
| CVE-2017-6816 |
| CVE-2017-6817 |
| CVE-2017-6818 |
| CVE-2017-6819 |
| CVE-2017-8295 |
| CVE-2017-9061 |
| CVE-2017-9062 |
| CVE-2017-9063 |
| CVE-2017-9064 |
| CVE-2017-9065 |
| CVE-2017-9066 |
| CVE-2018-1000773 |
| CVE-2018-10100 |
| CVE-2018-10101 |
| CVE-2018-10102 |
| CVE-2018-12895 |
| CVE-2018-14028 |
| CVE-2018-20147 |
| CVE-2018-20148 |
| CVE-2018-20149 |
| CVE-2018-20150 |
| CVE-2018-20151 |
| CVE-2018-20152 |
| CVE-2018-20153 |
| CVE-2018-5776 |
| CVE-2018-6389 |
| CVE-2019-8942 |
| CVE-2019-8943 |
| CVE-2019-9787 |