Re-Introducing the Tenable WAS reporter
If you are serious about protecting your external assets you should at least be scanning your important web apps with a DAST scanner. Dynamic Application Security Testing is a crucial component of eliminating external exposures before attackers find them. DAST scanning doesn’t come without challenges, as Tenable explains below:
Tenable has one of the most accurate and easiest-to-use DAST scanners on the market. While Tenable iterates on its web app reporting, we will explore what’s possible with the Tenable WAS V2 API and show how easy simple reporting can be.
You said Re-introduction?
I built this project two years ago and didn’t really nurture its development. Tenable then improved their APIs by better organizing the Web Application Scanning data. Some of those improvements came with the deprecation of the APIs I was using, which essentially broke the project.
With the holiday season in full effect, I happened to have a bit of free time and decided to re-wire the project to the new APIs. This time around, however, I decided to drop everything into the navi database.
Putting everything into the navi database adds some up-front download time. The trade-off is a faster UI, and it enables WAS tagging!
While I haven’t finished WAS tagging in navi yet, this project provided a large base of code for advanced tagging of WAS assets in Tenable.io. You can expect to see tagging on WAS assets before the end of the year. Stay tuned.
Now, if you haven’t been paying attention to what Tenable has cooked up, you should check out Tenable One! Tagging is a central component to Tenable’s scoring and risk ranking dashboards. As such, I will be spending some extra free time improving Navi to tag all the things!
Finally, Introducing was-reporter
The navi was-reporter is a docker container which hosts a flask website that points to the navi database and displays web application scan results for simple reporting.
There are three ways to run this project: a simple command from navi, manually using docker, or by cloning the project on GitHub. The easiest, of course, is the navi deploy command:
navi deploy was-reporter
Note: Available in navi 7.1.13+
Running the above command will prompt you to confirm downloading the docker image silentninja/navi:was and running it on port 5004.
While the container starts right away, behind the scenes it is downloading all of your scans, so be patient; this can take some time. Navigating to the site too early will yield an error message. Use docker attach (or docker logs) if you think there is a problem.
After 5–20 minutes, navigate to http://localhost:5004 or http://<your ip>:5004 to see the consolidated WAS page. Your page should look something similar to the below screenshot:
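For the "manually using docker" route, the following is an added example and not the navi project's own code: it builds the docker run command for the silentninja/navi:was image on port 5004 and then polls the site until it answers HTTP 200, treating connection errors and error pages as "still downloading scans" rather than failures. It assumes the container listens on 5004 internally, and that whatever API-key plumbing the image needs (not described here; the navi deploy command handles it for you) is passed through the extra_args / command-line arguments.

```python
"""Run the navi was-reporter container by hand and wait until it is ready.

Added example, not navi project code. Assumptions (not stated on the page):
the container listens on 5004 internally, and any credential flags the
image needs are supplied by the caller via extra_args.
"""
import subprocess
import sys
import time
import urllib.error
import urllib.request

IMAGE = "silentninja/navi:was"   # image named on the page
PORT = 5004                      # port the page says the reporter runs on


def build_run_command(image=IMAGE, host_port=PORT, container_port=PORT,
                      name="was-reporter", extra_args=()):
    """Return the `docker run` argv as a list (no shell, so no quoting bugs)."""
    return ["docker", "run", "-d", "--name", name,
            "-p", f"{host_port}:{container_port}", *extra_args, image]


def http_probe(url, timeout=5.0):
    """Default probe: GET url and return the HTTP status code.

    Raises URLError/OSError when nothing is listening yet (Flask not up).
    """
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code   # server answered, but with an error page


def wait_for_reporter(url, timeout=1800, interval=30, probe=http_probe,
                      sleep=time.sleep, clock=time.monotonic):
    """Poll until the reporter returns HTTP 200 or the deadline passes.

    Connection refusals and non-200 error pages are expected while the
    container is still pulling scans, so they are retried. Returns the
    number of probes it took, or None on timeout. `probe`, `sleep` and
    `clock` are injectable so the logic can be tested without a container.
    """
    deadline = clock() + timeout
    attempts = 0
    while True:
        attempts += 1
        try:
            if probe(url) == 200:
                return attempts
        except (urllib.error.URLError, OSError):
            pass   # nothing listening yet; keep waiting
        if clock() >= deadline:
            return None
        sleep(interval)


if __name__ == "__main__":
    # Any extra docker flags the image needs go on the command line.
    cmd = build_run_command(extra_args=sys.argv[1:])
    print("running:", " ".join(cmd))
    subprocess.run(cmd, check=True)
    url = f"http://localhost:{PORT}/"
    probes = wait_for_reporter(url)
    if probes is None:
        print("reporter not ready in time; inspect with: docker logs was-reporter")
        sys.exit(1)
    print(f"ready after {probes} probes: {url}")
```

The poll interval and 30-minute ceiling match the 5–20 minute download window described above; if it times out, the container's logs are the first place to look.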
There are two links available on each WAS card: scan details and individual scan configs. The scan details link is under the date on each card. As you can see, this page is quite detailed, with each plugin displayed as well as a decent overview:
To retrieve all of the available scans for a particular scan configuration navigate to the scan name on each card:
To actually report, print to PDF. The project was designed to be printed using PDF, so it may look weird on large wide-screens.
As you get to play around with the project, you will see this is not a robust reporting solution. However, it may just be good enough or it might seed a bigger better development for more robust reporting. After all it is open source!
If you’re trying to learn flask or you need to report the basics on Tenable WAS data I hope you found value in this project. Thanks for reading!
Stay tuned for WAS tagging!