-
Notifications
You must be signed in to change notification settings - Fork 1
/
stackhawk.yml
87 lines (77 loc) · 3.02 KB
/
stackhawk.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
# StackHawk configuration file for Vulny_Django
app:
applicationId: a629eeae-4bb9-4918-b3eb-bb141b4e8918 # This is my AppID. There are many like it, but this one is mine.
env: Development
# The url of your application to scan
host: http://localhost:8020 # (required)``
# The risk level of the app
riskLevel: MEDIUM # (optional)
# The type of data sensitivity the web app mantains
appDataType: PII # (optional)
# # The name of your anti csrf parameter
#antiCsrfParam: csrfmiddlewaretoken # (optional)
excludePaths:
- "/admin/logout.*" # the scanner will log itself out if you don't ignore here
#includePaths:
# - "/"
# - "/polls.*"
# - ""
#
# # Form POST based authentication configuration for scanning as a user.
# # Enabling will force the scanner to scan as an
# # authenticated user of your app.
# # Autenticated requests will pass cookies received from the form POST
# # to maintain authentication.
# authentication:
## # A regex to match against http responses to determine if the scan user is
## # still logged in to your app
# loggedInIndicator: "\\QLog Out\\E" # (required)
## # A regex to match against http responses to determine if the scan user is
## # logged out of your app
# loggedOutIndicator: "\\Qlogin-form\\E" # (required)
## # A page that is only accessable being logged in. We will try to access #this page
## # to validate authentication worked
# testPath:
# path: /admin/auth/user/
# type: HEADER
# success: ".*200.*"
## # What kind of thing will the browser pass to the server to prove it's #logged in
# cookieAuthorization:
# cookieNames:
# - "sessionid"
# - "csrftoken"
# usernamePassword:
#
# type: FORM # (optional)
## # The route to a form POST to authenticate a user
# loginPath: /admin/login/ # (required)
## # The route to logout a user
# logoutPath: /admin/logout/ # (required)
## # The username field name in your authentication form
# usernameField: username # (required)
## # The password field name in your authentication form.
# passwordField: password # (required)
## # Other parameters that may be required by your log in form
# otherParams: # (optional)
# - name: next # The login form parameter is needed to make login work
# val: "/admin/"
## # The username to authenticate as when scanning
# scanUsername: admin # (required)
## # The password of the scanUsername
# scanPassword: adminpassword # (required)
#hawk:
# # Web crawler / spider configuration
# # Maximum time to wait for the scanner to start up
# startupTimeoutMinutes: 5 # (default)
hawk:
failureThreshold: high
# spider:
# # Enable the base spider for discovering your app's routes
# base: true # (default)
# # Enable the ajax spider for discovering your single page app
# ajax: false # (default)
# # Maximum time for spider to discover routes in your
appmaxDurationMinutes: 5
config:
- "spider.processform=true"
- "spider.handleParameters=IGNORE_VALUE"