Version 3.5 - Feb 2022

Venari 3.5 introduces 'point and shoot' API scanning, customizable digital signatures for API testing and a new static analysis job that runs SemGrep rules. The API scanning capability introduces radically simplified application onboarding by combining a simple wizard with intelligent authentication analysis. Authentication and authorization information is automatically mined from Open API specifications and Postman collections during the API definition import step. Version 3.5 also improves two-way Burp integration via new features in the Auto-Mapper plugin.


Log4J detection uses the new Venari Watcher service to eliminate false positives. The Log4J vulnerability detection rule can use the publicly available Venari Watcher service or a private instance that can be downloaded from the Assert Security GitHub repository.

See the list below for the full set of new features and enhancements.

Highlights

API Scan Job

Venari 3.5 brings API scan onboarding to the next level of ease of use and smart auto-configuration. Security testers can import an API definition in a single step using the new scan wizard; the importer detects, configures and prompts the user for the required authorization inputs. The wizard creates an API scan job template that can be started with a single button click. API scan templates can be edited in the advanced web traffic playground, and information from multiple sources can be aggregated for full coverage of all API operations.

The screenshot below shows API-specific findings from a point and shoot API scan.

The animation below shows the entire onboarding and scan start process.

Import API Artifacts

The screenshot below shows the API definition page in the new scan wizard. Users select the Open API definition file (or URL) or the Postman collection file that describes the API. Raw HTTP traffic captures can also be imported as API data sources. Currently supported sources of traffic are Burp, HAR, Fiddler and Assert Security's HTTP export format.

Input Authorization Information

Authorization requirements are automatically detected from the definition file (or URL) and these requirements are presented to the user as simple choices in the scan wizard shown below. Authorization mapping to individual API operations is configured during the import.
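To make the authorization-mining step concrete, here is an added example (not Venari's own code) that reads the security schemes and the global and per-operation security requirements from an OpenAPI 3 document and derives which credential inputs a wizard would have to prompt for. The document, scheme names and URLs are constructed for the example; Postman collections are not covered.

```python
import json

# Constructed OpenAPI 3 document: a global bearer requirement, one public operation,
# one operation with two alternative schemes, and one scheme that nothing references.
OPENAPI_JSON = json.dumps({
    "openapi": "3.0.3",
    "components": {"securitySchemes": {
        "bearerAuth": {"type": "http", "scheme": "bearer"},
        "basicAuth": {"type": "http", "scheme": "basic"},
        "apiKey": {"type": "apiKey", "in": "header", "name": "X-API-Key"},
        "oauth": {"type": "oauth2", "flows": {"clientCredentials": {
            "tokenUrl": "https://auth.example.test/token", "scopes": {"read": "read items"}}}},
    }},
    "security": [{"bearerAuth": []}],
    "paths": {
        "/health": {"get": {"security": []}},
        "/items": {"get": {}, "post": {"security": [{"apiKey": []}, {"oauth": ["read"]}]}},
    },
})

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

def mine_authorization(spec_text):
    """Return (schemes, operations). operations maps 'METHOD /path' to a list of
    alternatives; each alternative is a list of (scheme, type, scopes) that must all
    be satisfied. An empty list means the operation is public."""
    spec = json.loads(spec_text)
    schemes = spec.get("components", {}).get("securitySchemes", {})
    default = spec.get("security", [])
    operations = {}
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            # An operation-level "security" replaces the global list; [] disables auth.
            alternatives = []
            for req in op.get("security", default):
                alt = []
                for name, scopes in req.items():
                    if name not in schemes:
                        raise ValueError(f"{method.upper()} {path}: unknown scheme {name!r}")
                    alt.append((name, schemes[name]["type"], list(scopes)))
                alternatives.append(alt)
            operations[f"{method.upper()} {path}"] = alternatives
    return schemes, operations

def required_inputs(schemes, operations):
    """Only schemes that some operation references need credentials from the tester."""
    used = {name for alts in operations.values() for alt in alts for name, _, _ in alt}
    return {name: schemes[name] for name in used}
```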

API Scan Job Template

The API scan can be started by clicking the play button in the screen below.

Curate API Test Workflows

When an API definition is imported by the scan wizard, the resulting application will contain a traffic definition that groups API operations into workflows that are used in the scan template. The view below shows the web traffic playground where these definitions can be edited via drag/drop operations. The traffic definition editor (playground) also has a TEST button to try out individual operations or groups while variable values are being curated to optimize the API traffic. The Venari scan engine uses the traffic definition as a functional baseline for sending requests. These requests and their responses drive the inspection and fuzzing algorithms to find vulnerabilities.

The screen shot below shows the result of clicking the test button. The variable values are already pre-configured from the import step where the authorization information was analyzed and auto-configured.

Static Analysis Scan Job

The Venari job framework supports multiple scan types. Starting in release 3.5, API scanning and SemGrep static analysis templates have been added. SemGrep is an open source project for rule-driven static analysis of source code to find security vulnerabilities.

To run SemGrep static scans, you must first build a Docker Integration Image to be run alongside Venari DevOps Edition.

The screen shot below shows the results of a static analysis scan of a known-vulnerable, open source web application. The scan was run using imported SemGrep rules and pulling source code from a public GitHub repository.

The animation below shows the findings tree where source code information can be viewed for each finding.

Application Wizard

Venari 3.5 introduces an application wizard for creating new application containers with pre-generated job templates. The wizard can onboard a new application and simultaneously create any/all of the following scan job types:

  • Dynamic Application Security Test Scan (DAST)
  • Static Analysis of Source Code via SemGrep (SAST)
  • API Scan from a definition URL or file

The wizard will collect all required information for the new application and will generate initial job templates for API, DAST and/or SAST scan types depending on which items the user configures. The wizard also allows proxy connection information to be input up front.

The animation below shows a test application being created for the case when all inputs are available: source code, API definition and application URL. Templates will be generated for all three scan types within the same application.

The screen shots below show the individual UI steps for onboarding a single application for API, SAST and DAST scans.

Enter Application Name

Enter Start URL for the DAST scan

Enter Auto-Login credentials for the DAST scan

Enter OpenAPI Definition Information for the API Scan

Enter Git Repo Information for Static Scan

Review Templates

Enter API Credentials

Note New Application Templates

Log4J Vulnerability Detection

Venari 3.5 detects the critical Apache Log4J vulnerability using a method that avoids false positives.

The sequence of steps below demonstrates the vulnerability detection using a Docker container running a known-vulnerable application. The proof of remote code execution is provided by the Venari Watcher service which records a unique value being transmitted to the watcher service from the vulnerable application.

Scan the Vulnerable Application

The screen shot below shows the Log4J finding in the summary.

Verify Vulnerability in the Findings Tab

The screen shot below shows the attack with the generated unique value ea811198-c0f4-4c6b-bd92-7308d25f9627 in the attack payload of the POST request. Note that the response shows a message from the server indicating that the payload was logged.

The screen shot below shows the verification request from Venari to the Venari Watcher service. The watcher service confirms that it received a request containing the generated unique value, which proves that the attack caused the application under test to run the code supplied in the attack.

The Venari watcher service can be run locally by pulling code from the GitHub repo and following the instructions.

Venari DevOps Improvements

Venari DevOps edition has streamlined initial deployment and setup of the scan cluster. The authentication server has been merged into the orchestrator node to further simplify deployments.

Simplified DevOps Setup

Refer to the Venari DevOps GitHub repo for full details on setting up a Devops cluster.

Authentication Server Improvements

Venari DevOps now supports multiple users and a simple user management UI for administrators. The animation below shows the process of adding a new user.

User Interface Improvements

Various user interface changes improve usability through color coding and grouping of findings, as well as layout changes that organize information better.

Summary Tab Findings

The screen shot below shows the summary tab findings panel with color-coded severity and grouping.

Findings Layout Changes

The screen shot below shows the findings tab with new layout, color-coded severity and grouping.

Traffic View Changes

The screen shot below shows the traffic view modified for easier navigation and filtering.

Jump to Finding

The screen shot below shows a findings label in the summary view that is a live link to a finding in the detailed findings tab.

Formatted Response Bodies

Response views now have an additional tab to see a formatted (beautified) view of the contents.

Traffic Layout Choices

HTTP request and response view layout can now be changed by the user between Left-Right and Top-Bottom orientations based on preference.

Traffic Send to Playground (or Definition)

HTTP Requests from traffic views can now be sent to the web traffic playground with a single button click. Alternatively, requests can be imported into the playground without immediately switching views. The menu of choices for sending traffic to either the playground or to traffic definitions is shown in the screen shot below.

Edit Findings at Job Level

The screen shot below shows a job-level finding being edited in the findings view.

Combined Findings - all Scan Types

Applications can now contain job templates and completed jobs for multiple types of analysis, including DAST, SAST and API fuzzing scans. The application can be configured to generate all of these template types in the scan wizard and also to aggregate all findings for the application at the workspace level. These combined results can be found in the left-hand Findings tab.

The screen shot below shows combined dynamic, static and API findings.

Bulk Application Importing

Users can now import a batch of applications from a CSV file where each row designates the start URL and – optionally – an application name, username and password. If no application name is specified, then the host name is used as the application name. If no username and password are specified, then the authenticated templates are not generated, but the remaining templates are generated.

The CSV text below is an example of the proper file format.

https://public-firing-range.appspot.com/,Google Firing Range
http://localhost:3000,Demo Application,joe.blow@foo.com,abc123

The animation below shows the process of selecting a CSV file and importing a list of applications into Venari as a batch.
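As an added example (not Venari's importer), the parser below applies the rules stated above to the CSV format: the start URL is mandatory, a missing name falls back to the host name, and authenticated templates are only planned when both username and password are present. The sample rows are constructed; the two rows from the release notes are included.

```python
import csv
import io
from urllib.parse import urlsplit

# Constructed sample in the documented format: start URL, then optional name, username, password.
SAMPLE_CSV = """\
https://public-firing-range.appspot.com/,Google Firing Range
http://localhost:3000,Demo Application,joe.blow@foo.com,abc123
https://intranet.example.test/portal
http://app.example.test,,only.user@example.test
"""

def parse_bulk_import(text):
    """Return one application record per row, applying the documented defaults:
    a missing name falls back to the host name, and authenticated templates are
    generated only when both username and password are present."""
    apps = []
    for row in csv.reader(io.StringIO(text)):
        cells = [c.strip() for c in row] + ["", "", "", ""]  # pad the optional columns
        start_url = cells[0]
        if not start_url:
            continue  # blank line
        parts = urlsplit(start_url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            raise ValueError(f"application {len(apps) + 1}: invalid start URL {start_url!r}")
        username, password = cells[2], cells[3]
        has_creds = bool(username and password)  # a username alone is not enough
        apps.append({
            "start_url": start_url,
            "name": cells[1] or parts.hostname,
            "username": username if has_creds else None,
            "password": password if has_creds else None,
            "authenticated_templates": has_creds,
        })
    return apps
```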

Bulk Application Run

Venari 3.5 now supports a batch mode for scan job startup via simple UI selection and a button click. There is a new scan template called 'Sample' that is extremely useful in these bulk run scenarios. A Sample scan loads the landing page in a browser, which triggers fingerprinting of version information, and then runs a fast spider crawl from force-browsed links plus any links harvested from the single page browse. This type of scan typically runs fast and answers basic questions about whether auto-login succeeded and which technologies could be fingerprinted from the sample content. A batch scan using the Sample template is a great way to quickly determine which applications have been onboarded successfully with working login.

The animation below shows the process of enqueueing multiple scan jobs to start in the order of selection.

Bulk Application Delete

Users can now delete applications in bulk if needed.

The animation below shows the process of deleting multiple applications.

Web Traffic Playground

Venari 3.5 introduces a new web traffic playground view that is useful for the following scenarios:

  • Scratchpad testing for trying out new HTTP request variations for any request found in any traffic view in Venari.
  • Importing traffic from a Burp test session via the Auto-Mapper plugin to do variation testing.
  • Running individual Venari rules against specific HTTP requests and variables.
  • Testing point and shoot API job template requests generated by the scan wizard.
  • Testing imported API definitions to manually optimize traffic to be used in DAST and/or API scans.

The playground allows users to experiment with variable sections of text bracketed in {} pairs. These regions are called text templates, and the Venari scan engine and playground support advanced operations such as variable assignment and dynamic variable generation (similar to the Postman $ variable syntax). Additionally, complex nested expressions combining functions, text templates and dynamic variables keep payload customization simple.

As an example, the snippet below contains variables 'basepath', 'username' and 'password' and also contains a function expression to base64 encode the concatenated credentials. The $guid dynamic variable will be resolved at runtime into a new text token that matches the expected guid (uuid) format.

The root / node in the playground's request template tree shows an editable grid of variable values.

POST /{basepath}/login HTTP/1.1
Content-Type: application/json

{
   "encodedCredentials" : "$(base64encode{username}/{password})",
   "requestID" : "{$guid}"
}
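As an added example (not the Venari playground's resolver), the Python below expands the snippet above with a small three-pass template engine: dynamic tokens such as {$guid}, then grid variables such as {basepath}, then function expressions such as $(base64encode...), innermost first so that calls nest. The variable values, the urlencode function and the rule that a function's argument is the text following its name are assumptions made for the example.

```python
import base64
import re
import uuid
from urllib.parse import quote

# Constructed variable grid standing in for the playground's root-node grid.
VARIABLES = {"basepath": "api/v2", "username": "joe.blow@foo.com", "password": "abc123"}

# The request template from the snippet above, as one string.
TEMPLATE = (
    "POST /{basepath}/login HTTP/1.1\r\n"
    "Content-Type: application/json\r\n\r\n"
    '{"encodedCredentials" : "$(base64encode{username}/{password})", '
    '"requestID" : "{$guid}"}'
)

# Dynamic variables yield a fresh value on every resolve (assumption: only $guid is modelled).
DYNAMIC = {"guid": lambda: str(uuid.uuid4())}
# Assumption: a function's argument is whatever text follows its name inside $( ).
FUNCTIONS = {
    "base64encode": lambda s: base64.b64encode(s.encode()).decode(),
    "urlencode": quote,
}
# A call whose argument holds no parentheses, so innermost calls are matched first.
FUNC_RE = re.compile(r"\$\((%s)([^()]*)\)" % "|".join(map(re.escape, FUNCTIONS)))

def resolve(template, variables):
    """Expand dynamic tokens, then grid variables, then function expressions."""
    text = re.sub(r"\{\$(\w+)\}", lambda m: DYNAMIC[m.group(1)](), template)

    def lookup(m):
        if m.group(1) not in variables:
            raise KeyError(f"undefined template variable {m.group(1)!r}")
        return variables[m.group(1)]
    # JSON braces are untouched: the pattern needs a bare identifier between { and }.
    text = re.sub(r"\{(\w+)\}", lookup, text)

    while True:  # evaluate innermost function calls until nothing changes
        expanded = FUNC_RE.sub(lambda m: FUNCTIONS[m.group(1)](m.group(2)), text)
        if expanded == text:
            return text
        text = expanded

def resolve_sample():
    return resolve(TEMPLATE, VARIABLES)

if __name__ == "__main__":
    print(resolve_sample())
```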

The sections below highlight some of the web traffic playground use cases.

View Request from Traffic Tab in Playground

Running individual Venari Rules

Test API Group Generated by Scan Wizard

Burp Auto-Mapper Enhancements

The Venari Auto-Mapper Burp Plugin now has the ability to send HTTP requests to Venari for use in the web traffic playground.

The animation below shows a request from the Burp proxy history view being sent to the Venari traffic playground.

Custom Digital Signatures

The Venari HTTP request framework has new capabilities to support custom digital signatures. These signatures can be computed from individually specifiable parts of an HTTP request as well as external info (like API keys) and generated nonces. A signature builder UI in the job template Login tab allows the user to specify the following:

  • Which request component(s) contribute to the signature
  • Which order to use when joining the parts into a token string
  • The crypto algorithm to use when signing the token string
  • The final encoding of the signature
  • The location of the signature in the final request

The animation below shows an example of specifying a digital signature for a request and testing it. The same UI is available in the job template editor under the Login tab in the Signing section.
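The example below is added here and is not Venari's signing code; it shows the five builder choices as a small spec (which parts, in what order, which algorithm, which encoding, where the signature goes), computes the signature with a per-request nonce, and includes the receiver-side check that a tester would expect the API to perform. The request, the spec, the header names and the component names are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed request standing in for the one being signed in the job template.
REQUEST = {"method": "POST", "path": "/api/v2/orders",
           "headers": {"Content-Type": "application/json"},
           "body": '{"sku":"A-100","qty":2}'}

# Assumed signing spec mirroring the five builder choices: which parts, in what
# order, the algorithm, the output encoding, and where the signature is placed.
SPEC = {"parts": ["method", "path", "body_sha256", "api_key", "nonce"],
        "join": "\n", "algorithm": "HMAC-SHA256", "encoding": "base64",
        "header": "X-Signature"}
ALGORITHMS = {"HMAC-SHA256": lambda key, msg: hmac.new(key, msg, hashlib.sha256).digest(),
              "HMAC-SHA512": lambda key, msg: hmac.new(key, msg, hashlib.sha512).digest()}
ENCODINGS = {"base64": lambda b: base64.b64encode(b).decode(), "hex": bytes.hex}

def build_token(request, spec, api_key, nonce):
    """Join the chosen request components, in spec order, into the string to sign."""
    components = {
        "method": request["method"],
        "path": request["path"],
        "body_sha256": hashlib.sha256(request["body"].encode()).hexdigest(),
        "api_key": api_key,
        "nonce": nonce,
    }
    return spec["join"].join(components[p] for p in spec["parts"])

def compute_signature(request, spec, secret, api_key, nonce):
    token = build_token(request, spec, api_key, nonce)
    digest = ALGORITHMS[spec["algorithm"]](secret.encode(), token.encode())
    return ENCODINGS[spec["encoding"]](digest)

def sign_request(request, spec, secret, api_key, nonce=None):
    """Return a copy of the request carrying signature, nonce and key id as headers."""
    nonce = nonce or secrets.token_hex(16)  # fresh per request, like the builder's nonce
    signed = {**request, "headers": dict(request["headers"])}
    signed["headers"].update({spec["header"]: compute_signature(request, spec, secret, api_key, nonce),
                              "X-Nonce": nonce, "X-Api-Key": api_key})
    return signed

def verify_request(signed, spec, secret):
    """Receiver side: recompute from the received parts and compare in constant time."""
    h = signed["headers"]
    expected = compute_signature(signed, spec, secret, h["X-Api-Key"], h["X-Nonce"])
    return hmac.compare_digest(expected, h[spec["header"]])
```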

Host-Filtered Traffic

Starting with version 3.5, traffic views can be filtered by checking specific hosts in the tree. When one or more hosts are checked, that set becomes a filter for the traffic displayed in the grid view to the right. This is particularly useful for trimming down proxy intercept captures.

The animation below shows www.cnn.com being selected as the exclusive host to display from a large set of captured traffic.

Rate limiting

The Limits tab now contains a sub-tab to enforce a request rate limit for non-browser HTTP requests. These limits can optionally be applied per matching URL pattern. The Venari requestor now respects 429 status code responses and adaptively slows the request rate when they are encountered.

The animation below shows a rate limit of 10 requests per second being configured in a job template. Note that the time threshold is specified in milliseconds.
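As an added example (not the Venari requestor), the limiter below models the behaviour described above: a limit of N requests per window (in milliseconds) applied per matching URL pattern, plus an extra delay that grows when the server answers 429. The URL pattern, the doubling rule and the 0.2 s starting penalty are assumptions; the clock and sleep are injectable so the scenario runs without real waiting.

```python
import re
import time

class RateLimiter:
    """Pace non-browser requests per URL pattern and back off adaptively on HTTP 429."""
    def __init__(self, limits, clock=time.monotonic, sleep=time.sleep):
        # limits: (url_regex, max_requests, window_ms); the window is in milliseconds
        # like the Limits tab. clock/sleep are injectable so the behaviour can be simulated.
        self.rules = [(re.compile(p), n, ms / 1000.0) for p, n, ms in limits]
        self.clock, self.sleep = clock, sleep
        self.sent, self.penalty = {}, {}  # per rule: send times in window, extra delay (s)

    def _match(self, url):
        return next((i for i, (pat, _, _) in enumerate(self.rules) if pat.search(url)), None)

    def wait_before(self, url):
        """Sleep until url may be sent under its rule; return the seconds waited."""
        i = self._match(url)
        if i is None:
            return 0.0
        _, n, win = self.rules[i]
        now = self.clock()
        recent = [t for t in self.sent.get(i, []) if now - t < win]
        waited = self.penalty.get(i, 0.0)
        if len(recent) >= n:  # window full: wait until the oldest send falls out of it
            waited += recent[0] + win - now
        if waited > 0:
            self.sleep(waited)
        recent.append(self.clock())
        self.sent[i] = recent
        return waited

    def observe(self, url, status, retry_after=None):
        """On 429, honour Retry-After if given, otherwise double the rule's extra delay."""
        i = self._match(url)
        if i is not None and status == 429:
            self.penalty[i] = float(retry_after) if retry_after else max(0.2, 2 * self.penalty.get(i, 0.0))

def simulate():
    """Constructed scenario: 10 requests per 1000 ms on /api/, driven by a fake clock."""
    clock = {"t": 0.0}
    def sleep(s): clock["t"] += s          # advance the fake clock instead of blocking
    rl = RateLimiter([(r"^https://app\.example\.test/api/", 10, 1000)], lambda: clock["t"], sleep)
    url = "https://app.example.test/api/items"
    waits = [rl.wait_before(url) for _ in range(11)]  # the 11th must wait for the window
    rl.observe(url, 429)                              # the server pushed back
    waits.append(rl.wait_before(url))                 # now carries the 0.2 s penalty
    waits.append(rl.wait_before("https://app.example.test/static/app.js"))  # no rule
    return waits
```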

New Rules

Every new release of Venari comes with new rules and updates to existing rules. The following findings-related items were added for Venari 3.5:

  • Log4Shell detection via security rule and new Venari Watcher service
  • Client-side template injection rule
  • Direct API access from client (AWS) rules
  • Technology fingerprinting rules for extracting versions from headers, response content and JS object state
  • Selectable authorization rules to run complex pre-scan state gathering steps. Can be manually assigned in scan templates or chosen automatically by API definition imports.
  • CVE-based rules
    • TinyMCE
    • Froala
    • Joomla
    • Dojo
  • Venari can now flag XSS for traffic-collection-based analysis (when the response is HTML)
  • Custom Digital Signature rules via the signature builder UI
  • SemGrep rules can be imported via the Rule tab and selected in static analysis job templates