
Automatically Map a Site Into Burp

The goal of this tutorial is to show the Burp Auto Mapper extension (powered by Venari) automatically crawling a web application while authenticated. We will learn how to use the power of Burp in tandem with Venari to accelerate the discovery and recon phase of testing. Burp users can download a licensed copy of Venari to integrate point-and-shoot discovery into their testing workflow.

We will demonstrate the following capabilities:

  • Configure Venari for an automatic login and scan of WebGoat
  • Run the Burp Auto Mapper extension and pull in a complete WebGoat site map
  • Fill the Burp issues panel with vulnerabilities
  • Show verifiable DOM-based XSS in Burp

If you prefer a short video tutorial then check here: Scanning Web Goat with the Auto Mapper Burp Extension

Venari features a powerful discovery engine and auto-login algorithm that delivers highly accurate site mapping. Burp extensions allow users to integrate data from external sources such as Venari. Application security testers can now onboard fully authenticated site discovery data via the Auto Mapper extension. The steps below will walk you through the simple setup. We will also point out the valuable insights produced in the Burp Issues UI. In addition to starting from a complete site map, testers will be able to see all of the Venari vulnerability findings and to confidently validate DOM-based XSS vulnerabilities inside Burp.

Combining Venari's authenticated auto-discovery and Burp's powerful set of testing features takes application discovery and vulnerability analysis to the next level.


Download Auto Mapper JAR File

The Auto Mapper extension is not yet in the Burp app store. You can download it from the Download Auto Mapper JAR link.


Create Application in Venari

Create a named application so that a login workflow can be added and saved with it. If you want to follow these steps for Web Goat, you can download the docker image from docker hub.

Pull the image using the command below:

docker pull webgoat/webgoat-8.0

Run the container using the command below:

docker run -p 8080:8080 -it --rm --name webgoat webgoat/webgoat-8.0

Browse to the running application at http://localhost:8080/WebGoat and register a user.

Create a New Application

Enter the Basic Seed Data for whichever application you are testing


Edit the Burp Job Template

This step is optional. Venari creates a default template for Burp interop. By default, the Burp template does a discovery job with only a few exploit rules enabled. The full set of rules and exploit modules can be enabled if you want a more thorough vulnerability analysis.

Select the Burp template

Enable Additional Inspect and Fuzz rules (optional)

Enable Additional Modules (optional)


Start the Auto Mapper

Venari must be running to use the Auto Mapper extension: starting the Venari UI spins up a local REST endpoint, and the Auto Mapper extension calls into this API to control the analysis. You will not have to interact with the Venari UI at all during the site mapping, but there are sections in this guide that point out situations where you might want to look at the detailed evidence in both Burp and Venari. The steps above were needed to specify the application URL and credentials.

Enable the Auto Mapper extension in the Burp 'Extender' tab

Start the Auto Mapper from the Burp right-click context menu. Select the application previously configured in Venari.


Verify Scan is Running

Go to the Burp 'Target' tab and select the 'Site Map' sub-tab. The map will begin filling up as results are pulled from the Venari local server. Site mapping is a real time stream of discovered resources, XHR calls and vulnerabilities. Login will be maintained automatically and you can interact with the data items as they are streaming in.

If you are curious about what is happening in the Venari local server you can look at the UI while site mapping is in progress. The server is able to handle REST calls from the Venari UI and the Auto Mapper extension concurrently.

Architecture Note: The Venari suite of products all share the same server architecture internally. The DevOps Edition manages a large farm of remote, concurrent, elastic job nodes (scanners) for CI/CD security testing, whereas the Venari used here communicates with a single, local job node.

Open the Jobs panel for the Web Goat application and click the refresh button. The running job should show up in the list.


Explore Issues

The screen shots below show all of the UI elements in Burp where you can view discovered resources and vulnerability results. Note that the Issues view requires Burp Pro.

The site map, session list and vulnerabilities found in the Web Goat scan are in the screen capture below.

The XSS attack payload is shown in the request tab under the issues list.


Explore DOM-based XSS

For DOM-based XSS detection, Venari captures a live DOM snapshot as the XSS payload script executes. In the examples below, the payload is NOT reflected in the original response traffic. Auto Mapper creates an annotated HTTP response for the Burp UI. The top part of the response is generated markup that represents the actual DOM snapshot where the attack payload emerged in the DOM AFTER the response traffic was retrieved. At the bottom of the response is the actual wire traffic. Markers indicate where the generated markup and the HTTP response are located.

The screen shot below shows the start of the annotated DOM snapshot HTML.

The screen shot below shows the end of the annotated DOM snapshot HTML and the original response below the end marker. This is a good example of DOM-based XSS detection because the original response was a small amount of JSON and the HTML and script execution came after the page was loaded and browser interactions were forced by the Venari scanner.
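The following is an added illustration, not code from Auto Mapper, Venari or WebGoat, of the situation described above: the wire response is a small JSON body that never contains the payload, the page's own script later writes attacker-controlled data into the DOM, and only a DOM snapshot reveals it. It models a browser with a tiny stand-in element so it runs under Node, uses a constructed response, a constructed URL fragment as the untrusted source, and a benign canary tag instead of a script payload; the marker strings and the function names are assumptions, not the extension's real markers. It also shows the hardened rendering (a text sink instead of an HTML sink), which the page does not cover.

```javascript
// Added example (assumed names and markers; not Auto Mapper or Venari code).
// Models how a DOM-based XSS finding differs from a reflected one: the probe
// is absent from the raw HTTP response and only appears in the DOM snapshot.

// Assumed marker text, standing in for the markers the extension inserts.
const START_MARKER = '<!-- DOM SNAPSHOT START (generated markup, not on the wire) -->';
const END_MARKER = '<!-- DOM SNAPSHOT END (original HTTP response follows) -->';

// Constructed wire traffic: a small JSON body, like the WebGoat case above.
const RAW_RESPONSE =
  'HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n' +
  '{"lesson":"DOM XSS","greeting":"Hello"}';

// Minimal stand-in for a DOM element so the example runs without a browser.
function createElement(id) {
  return { id, html: '' };
}
const escapeHtml = (s) => s.replace(/[&<>"']/g, (c) => ({
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
}[c]));
// innerHTML-style sink: the value is parsed as markup.
function setInnerHtml(el, value) { el.html = value; }
// textContent-style sink: the value is rendered as text, never parsed as markup.
function setTextContent(el, value) { el.html = escapeHtml(value); }
// Serialize the element the way a DOM snapshot would capture it.
function snapshot(el) {
  return `<html><body><div id="${el.id}">${el.html}</div></body></html>`;
}

// The page's client-side script, run after the JSON response has arrived.
// `hash` is the URL fragment: the browser never sends it to the server, so
// nothing in the response traffic can show this data flow.
function renderPage(rawResponse, hash, sink) {
  const data = JSON.parse(rawResponse.split('\r\n\r\n')[1]);
  const visitor = decodeURIComponent(hash.replace(/^#/, ''));
  const el = createElement('greeting');
  sink(el, `${data.greeting}, ${visitor}`);
  return snapshot(el);
}

// Classification used by the detection step: token on the wire means
// reflected; token only in the DOM snapshot means DOM-based.
function classify(rawResponse, domSnapshot, token) {
  if (rawResponse.includes(token)) return 'reflected';
  if (domSnapshot.includes(token)) return 'dom-based';
  return 'not-present';
}

// Annotated response in the layout described above: generated snapshot
// between the markers, then the untouched wire traffic.
function annotate(domSnapshot, rawResponse) {
  return [START_MARKER, domSnapshot, END_MARKER, rawResponse].join('\n');
}

// Constructed probe: a benign canary tag. The detector looks for the tag
// surviving unescaped, which is what an HTML sink does and a text sink does not.
const CANARY = 'canary-4242';
const PROBE_MARKUP = `<b id="${CANARY}">`;
const PROBE_HASH = '#' + PROBE_MARKUP;

function runDemo(sink) {
  const dom = renderPage(RAW_RESPONSE, PROBE_HASH, sink);
  return { verdict: classify(RAW_RESPONSE, dom, PROBE_MARKUP), annotated: annotate(dom, RAW_RESPONSE) };
}

// Stand-alone run: vulnerable sink first, hardened sink second.
console.log('innerHTML sink  :', runDemo(setInnerHtml).verdict);
console.log('textContent sink:', runDemo(setTextContent).verdict);
console.log(runDemo(setInnerHtml).annotated);
```

Reading the annotated output top to bottom reproduces what the screenshots show: the snapshot between the markers carries the injected tag, while the JSON after the end marker is clean, which is why a response-only check would miss this finding. The hardened variant simply switches the sink, and the canary then shows up as `&lt;b id=...` text, so the same detector reports nothing.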


Extra Evidence for XSS

In addition to the generated markup that shows the DOM snapshot in Burp, you can cross-reference every issue in the issues tab with the Venari findings tab.

NOTE: Request and response header annotations are generated to help the person doing testing. None of these headers are actually in the traffic from the analysis job.

Here is the attack with a specific payload that will cause script to execute.

The screen shot below shows another XSS vulnerability. This example is also DOM-based XSS, so the scrolled region of the markup is from the DOM snapshot - not the initial response.

The screen shot below shows the same DOM snapshot information in the Venari UI.

The best proof is an automatic screenshot captured by the Venari Exploit engine while the page was being analyzed. The image below shows the proof that the alert box code executed. Notice the random number from the payload is in the alert message.

The next image is the Venari Summary UI for the job that just ran. Remember that the Venari local server can provide data to both the Burp UI (via Auto Mapper) and the Venari UI at the same time. The Findings tab shows detailed information about every finding. There is a one-to-one correspondence between the Burp issues and the Venari findings set.