
Version 4.0 - June 2023

Venari 4.0 is our largest incremental feature release to date. The features cover a broad range of functional areas from deep GraphQL analytics and fuzzing to CPE/CVE mapping and Deep X-RAY inspection of requests/responses. There are many improvements to traffic views and related context actions that expose HTTP traffic data everywhere in the UI.

API scanning is a major theme of release 4.0, and the changes appear in the traffic definition UI, the scan wizard, runtime content detection and parsing, and virtually every UI touch point related to HTTP traffic. API definition/schema imports now happen automatically while scanning, and discovery and fuzzing traffic is generated automatically when API signatures are found. Postman integration has been kicked up another notch by adding test runner and script execution to the traffic definition user experience. Adding dynamic security analysis to functional test artifacts has never been easier: API scans can run Postman artifacts without installing Newman or Postman, because the Venari traffic definition and execution model now handles script and test running out of the box.

See the list below for the full set of new features and enhancements.

Highlights

GraphQL

Venari integrates with GraphQL from the ground up including payload parsing, schema detection, introspection queries and advanced parameter manipulation during fuzzing. Venari's traffic, playground and findings views now support GraphQL syntax highlighting and formatting. The inspection engine can detect GraphQL requests or schemas and will automatically generate traffic definitions and syntactically valid HTTP requests for queries and mutations. The traffic definition viewer and playground enable full GraphQL API onboarding and manual curation for setting up point and shoot API scans.

The screenshot below shows GraphQL requests that have been generated from schema content encountered during a scan. The traffic definition view now supports formatting and an advanced 'X-RAY' view that shows the sub-structure and nested content of HTTP requests and responses.

The animation below shows a SQL Injection finding from an API operation being viewed in detail in the format/X-RAY view of the finding traffic.

Expression Formatting and X-Ray support

The screenshot below shows a GraphQL request and response from a scan. The right hand side shows the advanced x-ray view which formats and syntax highlights the traffic content.

The screenshot below shows a GraphQL SQL Injection finding. The finding traffic view shows formatted request and response data.

Schema Import

Venari imports GraphQL schema information from either schema definition language (SDL) or introspection query responses. When GraphQL schema content is detected in live traffic, it is auto-imported into the application's traffic definition list. The schema information is parsed and used to auto-generate GraphQL query and mutation requests that conform to the imported schema. This traffic is scanned for vulnerabilities.
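As an added illustration of the request-generation step described above (example code, not Venari's own implementation): given the `__schema` portion of an introspection response, the script walks the query and mutation root types and emits one operation per root field, declaring a variable for every argument, filling it with a placeholder of the right type, and selecting scalar fields to a fixed depth so that each request is syntactically valid and ready to POST. The introspection document is constructed for the example; SDL input, enums and input objects are not handled here.

```python
import json

# Constructed introspection response for a tiny schema (not captured from a real application).
# Only the fields this generator reads are present; real responses carry many more.
INTROSPECTION = {"data": {"__schema": {
    "queryType": {"name": "Query"},
    "mutationType": {"name": "Mutation"},
    "types": [
        {"kind": "OBJECT", "name": "Query", "fields": [
            {"name": "user", "type": {"kind": "OBJECT", "name": "User"},
             "args": [{"name": "id", "type": {"kind": "NON_NULL", "ofType": {"kind": "SCALAR", "name": "ID"}}}]},
            {"name": "users", "type": {"kind": "LIST", "ofType": {"kind": "OBJECT", "name": "User"}},
             "args": [{"name": "limit", "type": {"kind": "SCALAR", "name": "Int"}}]}]},
        {"kind": "OBJECT", "name": "Mutation", "fields": [
            {"name": "updateEmail", "type": {"kind": "OBJECT", "name": "User"},
             "args": [{"name": "id", "type": {"kind": "NON_NULL", "ofType": {"kind": "SCALAR", "name": "ID"}}},
                      {"name": "email", "type": {"kind": "NON_NULL", "ofType": {"kind": "SCALAR", "name": "String"}}}]}]},
        {"kind": "OBJECT", "name": "User", "fields": [
            {"name": "id", "args": [], "type": {"kind": "NON_NULL", "ofType": {"kind": "SCALAR", "name": "ID"}}},
            {"name": "email", "args": [], "type": {"kind": "SCALAR", "name": "String"}},
            {"name": "manager", "args": [], "type": {"kind": "OBJECT", "name": "User"}}]},
        {"kind": "SCALAR", "name": "ID"}, {"kind": "SCALAR", "name": "String"}, {"kind": "SCALAR", "name": "Int"},
    ]}}}

# Placeholder values per built-in scalar; custom scalars fall back to a plain string.
SCALAR_SAMPLES = {"Int": 1, "Float": 1.5, "Boolean": True, "ID": "1", "String": "test"}


def unwrap(t):
    """Strip NON_NULL / LIST wrappers down to the named type."""
    while t["kind"] in ("NON_NULL", "LIST"):
        t = t["ofType"]
    return t


def type_to_sdl(t):
    """Render a type reference the way a variable declaration needs it, e.g. [ID!]!"""
    if t["kind"] == "NON_NULL":
        return type_to_sdl(t["ofType"]) + "!"
    if t["kind"] == "LIST":
        return "[" + type_to_sdl(t["ofType"]) + "]"
    return t["name"]


def placeholder(t):
    """Sample variable value of the right shape (list and non-null wrappers respected)."""
    if t["kind"] == "NON_NULL":
        return placeholder(t["ofType"])
    if t["kind"] == "LIST":
        return [placeholder(t["ofType"])]
    return SCALAR_SAMPLES.get(t.get("name"), "test")


def requires_args(field):
    return any(a["type"]["kind"] == "NON_NULL" and a.get("defaultValue") is None
               for a in field.get("args") or [])


def selection_set(type_name, types, depth=1, max_depth=2):
    """Build '{ ... }' selecting every scalar and, down to max_depth, nested objects."""
    parts = []
    for f in types[type_name].get("fields") or []:
        if requires_args(f):          # nested fields that need arguments are skipped
            continue
        base = unwrap(f["type"])
        if base["kind"] in ("SCALAR", "ENUM"):
            parts.append(f["name"])
        elif base["kind"] == "OBJECT" and depth < max_depth:
            sub = selection_set(base["name"], types, depth + 1, max_depth)
            if sub:
                parts.append(f"{f['name']} {sub}")
    return "{ " + " ".join(parts) + " }" if parts else ""


def generate_operations(introspection, max_depth=2):
    """One ready-to-POST JSON body per root field on the query and mutation types."""
    schema = introspection["data"]["__schema"]
    types = {t["name"]: t for t in schema["types"]}
    ops = []
    for kind, root in (("query", schema.get("queryType")), ("mutation", schema.get("mutationType"))):
        if not root:
            continue
        for field in types[root["name"]].get("fields") or []:
            decls, uses, variables = [], [], {}
            for arg in field.get("args") or []:
                decls.append(f"${arg['name']}: {type_to_sdl(arg['type'])}")
                uses.append(f"{arg['name']}: ${arg['name']}")
                variables[arg["name"]] = placeholder(arg["type"])
            base = unwrap(field["type"])
            sel = selection_set(base["name"], types, 1, max_depth) if base["kind"] == "OBJECT" else ""
            decl = f"({', '.join(decls)})" if decls else ""
            use = f"({', '.join(uses)})" if uses else ""
            inner = " ".join(p for p in (field["name"] + use, sel) if p)
            ops.append({"operationName": field["name"],
                        "query": f"{kind} {field['name']}{decl} {{ {inner} }}",
                        "variables": variables})
    return ops


if __name__ == "__main__":
    for op in generate_operations(INTROSPECTION):
        print(json.dumps(op))
```

Each dict in the result is the exact body a GraphQL endpoint expects (`operationName`, `query`, `variables`), so the variables map is also the natural place for a fuzzer to inject payloads without breaking the query syntax.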

The screenshot below shows the imported schema and generated request traffic with multiple X-RAY frames showing formatting details.

The animation below shows an imported GraphQL Schema inside the application's traffic definition UI.

Parameter Injection

The screenshot below shows scan template settings that allow user-specified targets to be fuzzed. These targets are all elements of GraphQL's language syntax.

Highlighting and Formatting of a GraphQL Finding

The screenshot below shows a GraphQL SQL Injection finding fully expanded with highlighting in the leaf nodes of the x-ray tree.

CPE/CVE Mapping

Venari fingerprinting maps CPE data to CVEs in the National Vulnerability Database (NVD).

The screenshots below show a known configuration vulnerability description and its properties.
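An added example (not Venari's code) of the matching step behind CPE/CVE mapping: an NVD configuration entry names a CPE 2.3 criteria string plus optional version bounds (versionStartIncluding, versionEndExcluding and their siblings), and a fingerprinted CPE matches only when part, vendor and product agree and the version falls inside those bounds. The CVE records below are constructed with fictional ids and a fictional product; versions are compared numerically per dotted component, which is what keeps 1.10.0 from sorting before 1.4.2 the way a plain string comparison would.

```python
import re

CPE23_FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language",
                "sw_edition", "target_sw", "target_hw", "other")


def parse_cpe23(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string on unescaped colons into named attributes."""
    parts = re.split(r"(?<!\\):", cpe)
    if parts[:2] != ["cpe", "2.3"] or len(parts) != 13:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    return dict(zip(CPE23_FIELDS, parts[2:]))


def version_key(v: str):
    """Sortable key: numeric dotted parts compare as ints, anything else as text."""
    return [(0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.\-]", v)]


def version_in_range(version: str, match: dict) -> bool:
    """Apply whichever of the four NVD range bounds the cpeMatch entry carries."""
    k = version_key(version)
    bounds = (("versionStartIncluding", lambda b: k >= b),
              ("versionStartExcluding", lambda b: k > b),
              ("versionEndIncluding", lambda b: k <= b),
              ("versionEndExcluding", lambda b: k < b))
    return all(ok(version_key(match[f])) for f, ok in bounds if f in match)


def cpe_matches(fingerprint: dict, match: dict) -> bool:
    crit = parse_cpe23(match["criteria"])
    if any(crit[f] != "*" and crit[f] != fingerprint[f] for f in ("part", "vendor", "product")):
        return False
    if crit["version"] != "*":            # explicit version in the criteria: exact match only
        return crit["version"] == fingerprint["version"]
    return version_in_range(fingerprint["version"], match)


def find_cves(fingerprint_cpe: str, cves: list) -> list:
    """Sorted ids of CVEs whose vulnerable cpeMatch entries cover the fingerprinted CPE."""
    fp = parse_cpe23(fingerprint_cpe)
    hits = set()
    for cve in cves:
        for m in cve["cpeMatch"]:
            if m.get("vulnerable", True) and cpe_matches(fp, m):
                hits.add(cve["id"])
    return sorted(hits)


# Constructed records shaped like NVD cpeMatch objects; the ids and product are fictional.
SAMPLE_CVES = [
    {"id": "CVE-XXXX-0001", "cpeMatch": [
        {"vulnerable": True, "criteria": "cpe:2.3:a:examplevendor:exampleapp:*:*:*:*:*:*:*:*",
         "versionStartIncluding": "1.0.0", "versionEndExcluding": "1.4.2"}]},
    {"id": "CVE-XXXX-0002", "cpeMatch": [
        {"vulnerable": True, "criteria": "cpe:2.3:a:examplevendor:exampleapp:1.4.1:*:*:*:*:*:*:*"}]},
    {"id": "CVE-XXXX-0003", "cpeMatch": [
        {"vulnerable": True, "criteria": "cpe:2.3:a:examplevendor:otherapp:*:*:*:*:*:*:*:*",
         "versionEndIncluding": "2.0"}]},
    {"id": "CVE-XXXX-0004", "cpeMatch": [   # a 'not vulnerable' entry must never produce a hit
        {"vulnerable": False, "criteria": "cpe:2.3:a:examplevendor:exampleapp:*:*:*:*:*:*:*:*"}]},
]

if __name__ == "__main__":
    print(find_cves("cpe:2.3:a:examplevendor:exampleapp:1.4.1:*:*:*:*:*:*:*", SAMPLE_CVES))
```

Two caveats a practitioner should keep in mind: fingerprinting rarely yields the full version (a banner may say only 1.4), so a mapper has to decide whether a partial version counts as inside a range or merely as a candidate; and NVD nodes can be AND-combined with platform conditions, which this flat OR-style match ignores.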

Postman Test Runner

Venari 4.0 now runs Postman scripts natively in the playground UI, the interactive Traffic Definition UI and the scan itself. Postman collections are imported into Venari and the built-in test runner executes the pre-request and post-response scripts. Variable values are maintained throughout the test run, and the test results are viewable in a dedicated UI tab. Full dynamic variable resolution and Chai framework integration are available without running Newman or setting up a proxy to Newman.

This support for Postman scripting allows teams to re-use their existing functional test artifacts and seamlessly add authenticated vulnerability testing on top of the baseline testing. Postman environments can be imported as well.
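Added example (not the Venari runner) of the variable-resolution part of a Postman test run: `{{name}}` references are resolved with Postman's scope precedence (local over environment over collection over global), values may themselves contain references, and a couple of Postman's `$`-prefixed dynamic variables are generated on the fly. The variable lists are constructed in the shape of exported Postman files; pre-request scripts and Chai assertions are not executed here.

```python
import re
import time
import uuid

VAR_RE = re.compile(r"\{\{([^{}]+)\}\}")

# Subset of Postman's built-in dynamic variables, generated fresh on every reference
DYNAMIC = {"$guid": lambda: str(uuid.uuid4()),
           "$timestamp": lambda: str(int(time.time()))}


def scope_values(variables):
    """Exported Postman files list variables as {key, value, enabled}; disabled ones are ignored."""
    return {v["key"]: str(v["value"]) for v in variables if v.get("enabled", True)}


def resolve(text, *, globals_=(), collection=(), environment=(), local=None, max_passes=10):
    """Replace {{name}} using Postman precedence: local > environment > collection > global.
    Values may contain further {{references}}, so substitution repeats until nothing changes."""
    merged = {}
    for scope in (globals_, collection, environment):      # lowest to highest priority
        merged.update(scope_values(scope))
    merged.update(local or {})

    def replace(m):
        name = m.group(1)
        if name in DYNAMIC:
            return DYNAMIC[name]()
        return merged.get(name, m.group(0))                 # unknown names stay visible

    for _ in range(max_passes):
        resolved = VAR_RE.sub(replace, text)
        if resolved == text:
            break
        text = resolved
    return text


# Constructed collection and environment variables (exported-file shape)
COLLECTION_VARS = [{"key": "baseUrl", "value": "https://{{host}}/v1"},
                   {"key": "host", "value": "staging.example.com"}]
ENVIRONMENT_VARS = [{"key": "host", "value": "prod.example.com", "enabled": True},
                    {"key": "apiKey", "value": "disabled-should-not-apply", "enabled": False}]

if __name__ == "__main__":
    print(resolve("{{baseUrl}}/users/{{id}}?key={{apiKey}}",
                  collection=COLLECTION_VARS, environment=ENVIRONMENT_VARS, local={"id": "7"}))
```

Leaving unresolved references visible rather than blanking them matters for a scanner: a request sent with a literal `{{apiKey}}` is an obvious configuration error in the traffic view, whereas an empty parameter would silently turn an authenticated test into an unauthenticated one.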

The screenshots below show various stages of a Postman collection import and test run.

Imported Postman Collection (VAMPI)

The screen below shows the fully imported set of Postman operations, variables and scripts.

All Operations Ran (SEND button pressed)

The screens below show the results of a test run of all operations.

UI Improvements

Venari 4.0 features many new user interface enhancements. The sub-sections that follow show the major new UI elements.

Applications View (home view) Statistics

Findings Summary Hot Linked to Detailed Findings

Action Counters

X-RAY in Traffic Views

Sub-Tabs

Browser Tree Icons

Fingerprint Information is a TreeView

Application Wizard

The application wizard has new controls for finer-grained API onboarding as well as new source code analysis and authentication inputs.

API Configuration Page

Source Code Configuration Page

Authentication Configuration Page

X-RAY View (Formatting)

Venari 4.0 adds a deep inspection view of HTTP traffic that combines formatting, highlighting and recursive decoding of nested text and binary content. The X-RAY view provides pen testers and security professionals with a powerful scope to look into nested sub-structure that is often smuggled into traffic requests, URLs and responses.

The example HTTP request/response pair below shows multiple levels of nested sub-structure in the text. The query string, headers and body of the request all contain encoded text, which is decoded, parsed, interpreted and formatted in the format tree nodes.

The animation below shows navigation between parent and child text nodes.

Advanced Interactive Login

There is a new login capability that allows the user to log in using a browser from the headless browser pool. A specific browser is made temporarily visible and is used for all login steps, including any multi-factor data entry and/or captcha solving. This mode keeps all of the state in the initial browser instead of harvesting state from a temporary browser. This advanced mode exists for complex login scenarios where the normal interactive login state transfer is not practical. Note that subsequent logins will run on the same browser instance.

The screenshot below shows the checkbox to enable direct browser login.

URL Extraction

The discovery process has been enhanced with a new mode for finding URLs during a scan. The default state is a balanced setting that will still find URLs in tricky places like script, comments or plain text but does not aggressively over-interpret all fragment candidates as URLs.

The screenshot below shows the 'URL Finder Mode' dropdown.

Traffic Features

There are several new traffic view-related features. See the sections below.

Grid or List View

Grid View

List View

Format / X-RAY Tabs

Scan Traffic

Search Traffic (across Jobs)

Traffic View Menus

The traffic view appears in many places in Venari. In 4.0 there are new context action menus available for a given sample of traffic. The screenshot below shows many of the new options:

Auto-Imported Traffic Definitions

OpenAPI definitions and GraphQL schemas can now be detected automatically while scanning. GraphQL introspection query endpoints are actively force browsed. Response content is inspected for known API data formats, including OpenAPI JSON and YAML, GraphQL introspection query responses and SDL schemas.

When API definition content is discovered, the scanner automatically imports the definition into the application, generates traffic from the schema and adds it to the scan as part of the discovery and fuzzing process. The behavior of automatically generating traffic is user-configurable.

GraphQL Schema Import

The screenshot below shows the schema exposure finding in the scan summary UI.

The screenshot below shows the schema exposure finding in the detailed findings view. The image shows the request in X-RAY view with the GraphQL item selected for clarity.

The screenshot below shows the UI tab where Traffic Definitions and Collections are imported. In the image, the GraphQL definition has been automatically imported from an introspection query response that was detected during the scan.

The screenshot below shows the generated GraphQL requests. The image shows the request body in formatted X-RAY view for clarity.

Open API Definition Import

The screenshot below shows the definition finding in the scan summary UI.

The screenshot below shows the definition finding in the detailed findings view. The image shows the request in X-RAY view with the definition body selected for clarity.

The screenshot below shows the generated HTTP requests in the traffic definition.

Traffic Playground

The traffic playground has many new features and improved capabilities. The application-level 'Traffic' tab hosts traffic definitions that have the same functionality as the playground view. The playground view itself is global and not tied to any application. The playground is the collection point for traffic that the user wants to manually inspect, modify and re-send as part of manual inspection of a web application or API.

The features below apply to both the Playground and the Application-level Traffic Definitions:

Import a traffic definition

The screenshot below shows the selection dialog for picking an API definition import source.

The screenshot below shows the imported source in the playground.

Create, Edit and Merge Variables

The animation below shows global variables being created, edited and merged by name.

SEND Request and Review Formatted

The screenshot below shows a request being sent to an API server and the request/response being reviewed with formatting and X-RAY views enabled.

Group SEND Requests

The animation below shows Requests being grouped and sent as a batched sequence.

Exploit Traffic

Venari supports exploitation of individual HTTP requests from the playground. The animation below shows a request being sent and then exploited with SQL Injection rules.

Custom Rules

The Playground traffic view can create and run custom rules for exploiting a specific sample of traffic. Existing rules can be used in addition to custom rules.

Imports/Exports

Venari 4.0 adds several import/export formats. See the sections below.

Traffic Definition

Traffic definitions can be exported from Venari and imported into another installed instance or a different application.

Postman Environments

Venari can now import postman environments alongside collections.

Venari variables import/export

Findings Report - Markdown

Scope/Limits Report

Tab Layout Improvements

The Venari UI panels have been re-organized to consolidate sub-functions into a separate row of tabs. This layout change makes it much simpler to see the relationship between primary tabs and their child sub-tabs.

The screenshot below shows examples of two-row tab layouts.

Help Tips

Tooltips and popup help bubbles have been added to UI screens in different functional areas - particularly in the modules tab and the job template primary and sub-tabs.

Amazon ION Detection

Venari's content parser components now natively recognize Amazon Ion request and response content. Both the binary and text encodings are recognized, and the interior parameters are fuzzed during probing and exploit testing.

ION type detection and parsing is supported in HTTP content, the X-RAY/Format traffic views and as nested content inside JSON string literal values.

Digital Signatures

Digital signatures can now be computed from scan traffic using new custom targets and transforms on secrets.

The AWS Signature Version 4 (SigV4) signing algorithm can be selected from the list of pre-defined signatures.

New Scan Templates

There are three new scan templates in Venari 4.0.

Quick

The click depth is lower and the discovery controller is limited to 2 phases. There is also less force browsing.

Force Browse

Skips the normal browser discovery phase and spidering and jumps straight to force browsing.

URL Inspector

Detects login and account registration web page content in bulk from the list of seed URLs. Fingerprints the application on a small sample of content and runs inspection rules.

Proxy / Intercept

The Proxy intercept view now allows traffic to be filtered and selectively deleted.

Filter Tree

Delete Items

Tools

Traffic Views have context actions to compare traffic items and to encode/decode text.

Encoder/Decoder

The animation below shows a complex request with nested, encoded sub-sections being recursively decoded.
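The recursive decoding behind the X-RAY view, the Amazon Ion detection and the Encoder/Decoder action described in the sections above, as an added example rather than Venari's parser: the decoder classifies a value as JSON, Ion (the binary version marker `E0 01 00 EA` or the `$ion_1_0` text marker), base64, a form/query string or percent-encoded text, recurses into whatever it decodes, and flattens the result to the leaf spans a fuzzer would target. The request is constructed inline (a form body carrying base64-encoded JSON that itself carries a query string and a base64-encoded Ion value); the Ion handling stops at recognising the marker.

```python
import base64
import json
import re
from urllib.parse import parse_qsl, unquote, urlencode

ION_BINARY_IVM = b"\xe0\x01\x00\xea"      # Amazon Ion 1.0 binary version marker
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
FORM_KEY_RE = re.compile(r"^[\w.\-\[\]]+$")


def node(kind, value=None, children=None):
    return {"kind": kind, "value": value, "children": children or {}}


def is_text(raw: bytes) -> bool:
    try:
        return all(c.isprintable() or c in "\r\n\t" for c in raw.decode("utf-8"))
    except UnicodeDecodeError:
        return False


def json_children(parsed, depth, max_depth):
    items = parsed.items() if isinstance(parsed, dict) else enumerate(parsed)
    out = {}
    for key, val in items:
        if isinstance(val, str):                  # string literals may hide more structure
            out[str(key)] = xray(val, depth + 1, max_depth)
        elif isinstance(val, (dict, list)):
            out[str(key)] = node("json", val, json_children(val, depth + 1, max_depth))
        else:
            out[str(key)] = node("json-value", val)
    return out


def xray(data, depth=0, max_depth=8):
    """Classify a value and recursively decode whatever is nested inside it."""
    if depth > max_depth:
        return node("text", data)
    if isinstance(data, bytes):
        if data.startswith(ION_BINARY_IVM):
            return node("ion-binary", data)
        if not is_text(data):
            return node("binary", data)
        data = data.decode("utf-8")
    s = data.strip()
    if s and s[0] in "{[":
        try:
            parsed = json.loads(s)
        except ValueError:
            parsed = None
        if isinstance(parsed, (dict, list)):
            return node("json", parsed, json_children(parsed, depth, max_depth))
    if s.startswith("$ion_1_0"):                  # Ion text version marker
        return node("ion-text", s)
    if len(s) >= 8 and len(s) % 4 == 0 and B64_RE.match(s):
        raw = base64.b64decode(s)
        # accept only decodes that are themselves meaningful; plain words would "decode" too
        if raw.startswith(ION_BINARY_IVM) or is_text(raw):
            return node("base64", s, {"decoded": xray(raw, depth + 1, max_depth)})
    pairs = parse_qsl(s, keep_blank_values=True)   # also percent-decodes each value
    if "=" in s and pairs and all(FORM_KEY_RE.match(k) for k, _ in pairs):
        return node("form", s, {k: xray(v, depth + 1, max_depth) for k, v in pairs})
    if "%" in s and unquote(s) != s:
        return node("url-encoded", s, {"decoded": xray(unquote(s), depth + 1, max_depth)})
    return node("text", s)


def xray_request(raw: bytes):
    """Run the decoder over the query string, every header value and the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    path, _, query = target.partition("?")
    headers = dict(line.split(": ", 1) for line in lines[1:])
    return {"path": path, "query": xray(query) if query else None,
            "headers": {k: xray(v) for k, v in headers.items()},
            "body": xray(body) if body else None}


def leaves(tree, path=""):
    """Flatten to (path, kind, value) leaves: the spans a fuzzer would target."""
    if tree is None:
        return []
    if not tree["children"]:
        return [(path, tree["kind"], tree["value"])]
    return [leaf for k, c in tree["children"].items() for leaf in leaves(c, f"{path}/{k}")]


# Constructed request: form body -> base64 -> JSON -> (query string, base64 -> Ion binary)
INNER_ION = ION_BINARY_IVM + b"\x21\x01"       # Ion binary encoding of the integer 1
INNER_JSON = json.dumps({"cart": "id=42&coupon=SAVE10",
                         "blob": base64.b64encode(INNER_ION).decode()})
BODY = urlencode({"user": "alice", "payload": base64.b64encode(INNER_JSON.encode()).decode()})
CONTEXT = base64.b64encode(json.dumps({"role": "user", "debug": False}).encode()).decode()
REQUEST = ("POST /api/checkout?next=%2Faccount%3Ftab%3Dbilling HTTP/1.1\r\n"
           "Host: api.example.com\r\n"
           "Content-Type: application/x-www-form-urlencoded\r\n"
           f"X-Context: {CONTEXT}\r\n\r\n" + BODY).encode()

if __name__ == "__main__":
    for leaf_path, kind, value in leaves(xray_request(REQUEST)["body"], "body"):
        print(f"{leaf_path}: {kind} {value!r}")
```

The order of the checks is the part worth thinking about: JSON and the Ion markers are unambiguous and go first, base64 is accepted only when the decoded bytes are printable text or carry the Ion marker (otherwise ordinary eight-letter words would be "decoded" into garbage), and the form and percent-encoding checks come last because almost any text matches them loosely. The leaf paths (`body/payload/decoded/cart/coupon` and so on) are what a fuzzer needs in order to inject into the innermost layer and re-encode outward.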

Comparer

The animation below shows the comparer automatically comparing requests and responses side by side in both structured and raw modes.

New Scope / Limit Settings

Venari 4.0 has several new limiter and scope settings to enable scans to be more efficient and avoid duplicate analysis work.

URL Path Segment Limiting

Venari 4.0 has a new limiter setting to enforce a max count on URLs based on common patterns in the URL parts (segments).

As an example, the URLs below all have the same 'normalized pattern' and would all count against the same maximum. Specific text classifiers and behaviors can be selected in the UI to tune which text spans get normalized.

RAW URLs:
https://example.com/abc/foo123/25d3273a-f7cb-416c-941a-4ea12798c94c/item1.jsp
https://example.com/abc/foo456/bcf38af9-956f-49b2-bc98-ca4a5e63e446/item2.jsp
https://example.com/abc/foo775/c077f361-12fd-4f35-9657-252c45be02cd/item42.jsp

Normalized URL:
https://example.com/abc/foo<*numeric*>/<*guid*>/item<*numeric*>.jsp

The screenshot below shows the settings controls related to path segment pattern limiting.
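Added example (not Venari's limiter) of the normalization and counting shown above: each path segment runs through an ordered list of classifiers (GUID, long hex token, runs of digits), URLs that reduce to the same pattern share one counter, and the limiter refuses a URL once its pattern has been admitted the configured number of times. The classifier list is an assumption standing in for the UI selections the text mentions; the query string is ignored because the limit is about path shape.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Ordered classifiers: (placeholder name, pattern, mode). "whole" replaces a segment that
# matches entirely; "span" replaces every match inside the segment. Order matters: a GUID
# must be recognised before its digit runs would be turned into <*numeric*>.
CLASSIFIERS = [
    ("guid", re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I), "whole"),
    ("hex", re.compile(r"[0-9a-f]{16,}", re.I), "whole"),
    ("numeric", re.compile(r"\d+"), "span"),
]


def normalize_segment(segment, classifiers=CLASSIFIERS):
    for name, pattern, mode in classifiers:
        if mode == "whole":
            if pattern.fullmatch(segment):
                return f"<*{name}*>"
        else:
            segment = pattern.sub(f"<*{name}*>", segment)
    return segment


def normalize_url(url, classifiers=CLASSIFIERS):
    """Collapse variable path segments so URLs that differ only in ids share one pattern."""
    parts = urlsplit(url)
    path = "/".join(normalize_segment(s, classifiers) for s in parts.path.split("/"))
    return f"{parts.scheme}://{parts.netloc}{path}"


class PathPatternLimiter:
    """Admit at most `max_per_pattern` URLs per normalized pattern."""

    def __init__(self, max_per_pattern):
        self.max_per_pattern = max_per_pattern
        self.seen = Counter()

    def admit(self, url):
        key = normalize_url(url)
        if self.seen[key] >= self.max_per_pattern:
            return False
        self.seen[key] += 1
        return True


if __name__ == "__main__":
    limiter = PathPatternLimiter(2)
    for u in ("https://example.com/abc/foo123/25d3273a-f7cb-416c-941a-4ea12798c94c/item1.jsp",
              "https://example.com/abc/foo456/bcf38af9-956f-49b2-bc98-ca4a5e63e446/item2.jsp",
              "https://example.com/abc/foo775/c077f361-12fd-4f35-9657-252c45be02cd/item42.jsp"):
        print(limiter.admit(u), normalize_url(u))
```

The trade-off to keep in view when tuning classifiers: a pattern that is too aggressive (say, collapsing every alphanumeric token) merges genuinely different endpoints into one counter and the scanner skips real attack surface, while a pattern that is too weak lets an id-keyed catalog generate thousands of near-identical pages to analyse.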

XHR Call Limiting

XHR calls can now be de-duplicated and limited based on comparing their stack traces at the moment the XHR call is made.

HTTP Request Scope

Browser Scope

Credential Manager

Credentials can now be stored in encrypted form and can be reused as variables where sensitive values are required, such as login username and password.

The animation below shows the application wizard creating a set of editable credentials and storing them in the centralized, encrypted vault.

Flex Licensing

Flex licensing can be managed from the Venari UI for DevOps deployments.

The animation below shows the process of acquiring a flex license from the master node.

Static Analysis

Venari 4.0 now supports Subversion code repositories for source code analysis. This is in addition to the pre-existing Git and Directory import sources.

Job Archiving

Job archiving allows users to export all job data from the master node to an archive area and restore from that same area if needed.

The animation below shows an archive/restore cycle for a job.

Coverage URLs in Findings Report

Findings reports now optionally include coverage URLs.

Check for Update button

Venari can now check for available updates on demand by clicking a button.

Burp Integration Improvements

The Burp Auto-Mapper extension has new import and export features. See the sections below for the new ways to get Burp traffic and issue data into Venari and vice versa. These improvements are in addition to the existing 'Import Venari Data' menu which brings site-maps, findings and scans from Venari into Burp. The data connections are fully bi-directional as of Venari 4.0.

Import Search Results (from Venari into Burp)

Send to Venari Playground

Send Issues to Venari

Import Issues (from Burp XML export)

Venari Watcher Improvements

The Venari Watcher service is a publicly available companion service that augments Venari's security analysis by providing Out-of-Band Application Security Testing (OAST) capabilities. The service is also available as a self-hosted Docker container when public network connectivity is not available or allowed. The configuration UI is shown below.