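# StackHawk scan configuration (stackhawk.yml).
# Two top-level sections: `app` describes the target application and how the
# scanner authenticates to it; `hawk` tunes the scanner itself.
# Indentation below is the intended nesting (the committed copy had lost it).
app:
  #applicationId: a629eeae-4bb9-4918-b3eb-bb141b4e8918 # This is my AppID. There are many like it, but this one is mine.
  #applicationId: 4edd858d-86b7-4112-91bb-acf3fc984b6a
  applicationId: e52420dd-179d-4d4e-9f95-4395f3db9b05
  env: Development
  # The url of your application to scan; HOST overrides the localhost default
  host: ${HOST:http://localhost:8020} # (required)
  # Our scanner's capability is still in Alpha; if we notice a bug we'll use this email to reach out or provide a fix.
  # We will never use this contact for marketing purposes.
  contactEmail: scott.gerlach@sterkherk.kerm # (optional)
  # The risk level of the app
  riskLevel: MEDIUM # (optional)
  # The type of data sensitivity the web app maintains
  appDataType: PII # (optional)
  # The name of your anti-CSRF parameter
  antiCsrfParam: csrfmiddlewaretoken # (optional)
  excludePaths:
    - "/admin/logout.*" # the scanner will log itself out if you don't ignore here
  #
  # Form POST based authentication configuration for scanning as a user.
  # Enabling will force the scanner to scan as an
  # authenticated user of your app.
  # Authenticated requests will pass cookies received from the form POST
  # to maintain authentication.
  authentication:
    # A regex to match against http responses to determine if the scan user is
    # still logged in to your app
    loggedInIndicator: '\QLog Out\E' # (required)
    # A regex to match against http responses to determine if the scan user is
    # logged out of your app
    loggedOutIndicator: '\Qlogin-form\E' # (required)
    # A page that is only accessible when logged in. We will try to access this page
    # to validate authentication worked
    testPath:
      path: /admin/auth/user/
      type: HEADER
      success: ".*200.*"
    # What kind of thing will the browser pass to the server to prove it's logged in
    cookieAuthorization:
      cookieNames:
        - "sessionid"
        - "csrftoken"
    usernamePassword:
      type: FORM # (optional)
      # The route to a form POST to authenticate a user
      loginPath: /admin/login/ # (required)
      # The route to logout a user
      logoutPath: /admin/logout/ # (required)
      # The username field name in your authentication form
      usernameField: username # (required)
      # The password field name in your authentication form.
      passwordField: password # (required)
      # Other parameters that may be required by your log in form
      otherParams: # (optional)
        - name: next # The login form parameter is needed to make login work
          val: "/admin/"
      # The username to authenticate as when scanning
      scanUsername: admin # (required)
      # The password of the scanUsername. Supplied through the SCAN_PASSWORD
      # environment variable (same ${VAR} substitution used for `host` above)
      # so the credential is never committed to version control.
      scanPassword: ${SCAN_PASSWORD} # (required)
hawk:
  # Web crawler / spider configuration
  spider:
    # Enable the base spider for discovering your app's routes
    base: true # (default)
    # Enable the ajax spider for discovering your single page app
    # ajax: false # (default)
    # Maximum time for spider to discover routes in your app
    maxDurationMinutes: 5
  # Maximum time to wait for the scanner to start up
  # startupTimeoutMinutes: 5 # (default)
  # Raw scanner options passed through as key=value strings
  config:
    - "spider.processform=true"
    - "spider.postform=false"
    - "spider.handleParameters=IGNORE_VALUE"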