2019-04-15 20:50:20 +02:00
|
|
|
# -----------------------------------------------------------------------------------------------------------
|
|
|
|
# W3AF AUDIT SCRIPT FOR WEB APPLICATION
|
|
|
|
# -----------------------------------------------------------------------------------------------------------
|
|
|
|
|
2019-04-29 16:46:17 +02:00
|
|
|
# Configure HTTP settings
|
2019-04-15 20:50:20 +02:00
|
|
|
http-settings
|
2019-12-26 13:58:42 +01:00
|
|
|
set timeout {{ default 30 .W3AF_TIMEOUT }}
|
2019-04-15 20:50:20 +02:00
|
|
|
{{ if .W3AF_BASIC_AUTH_USERNAME }}
|
|
|
|
set basic_auth_user {{ .W3AF_BASIC_AUTH_USERNAME }}
|
|
|
|
set basic_auth_passwd {{ .W3AF_BASIC_AUTH_PASSWORD }}
|
|
|
|
{{if .W3AF_BASIC_AUTH_DOMAIN }}
|
|
|
|
set basic_auth_domain {{ .W3AF_BASIC_AUTH_DOMAIN }}
|
|
|
|
{{end}}
|
|
|
|
{{ end }}
|
|
|
|
back
|
|
|
|
|
2019-04-29 16:46:17 +02:00
|
|
|
# Configure scanner global behaviors
|
2019-04-15 20:50:20 +02:00
|
|
|
misc-settings
|
|
|
|
set max_discovery_time {{ default 10 .W3AF_MAX_DISCOVERY_TIME }}
|
|
|
|
set fuzz_cookies True
|
|
|
|
set fuzz_form_files True
|
|
|
|
set fuzz_url_parts True
|
|
|
|
set fuzz_url_filenames True
|
|
|
|
back
|
|
|
|
|
|
|
|
profiles
|
|
|
|
use {{ default "audit_high_risk" .W3AF_PROFILE }}
|
|
|
|
back
|
|
|
|
|
|
|
|
plugins
|
|
|
|
|
2019-04-29 16:46:17 +02:00
|
|
|
# Configure rfi plugin
|
|
|
|
audit rfi
|
|
|
|
audit config rfi
|
|
|
|
set listen_address "0.0.0.0"
|
|
|
|
set listen_port 44449
|
|
|
|
set use_w3af_site True
|
|
|
|
back
|
|
|
|
|
2019-04-15 20:50:20 +02:00
|
|
|
{{ if .W3AF_AUTH_FORM_URL }}
|
2019-04-29 16:46:17 +02:00
|
|
|
# Configure target authentication
|
2019-04-15 20:50:20 +02:00
|
|
|
auth detailed
|
|
|
|
auth config detailed
|
2019-12-24 12:54:32 +01:00
|
|
|
set username '{{ .W3AF_AUTH_FORM_USERNAME }}'
|
|
|
|
set password '{{ .W3AF_AUTH_FORM_PASSWORD }}'
|
2019-04-15 20:50:20 +02:00
|
|
|
set method POST
|
|
|
|
set auth_url {{ .W3AF_AUTH_FORM_URL }}
|
2019-12-24 12:54:32 +01:00
|
|
|
set username_field '{{ default "username" .W3AF_AUTH_FORM_USERNAME_FIELD }}'
|
|
|
|
set password_field '{{ default "password" .W3AF_AUTH_FORM_PASSWORD_FIELD }}'
|
|
|
|
set data_format '{{ default "%u=%U&%p=%P" .W3AF_AUTH_FORM_DATA_FORMAT }}'
|
2019-04-15 20:50:20 +02:00
|
|
|
set check_url {{ .W3AF_AUTH_FORM_CHECK_URL }}
|
2019-12-24 12:54:32 +01:00
|
|
|
set check_string '{{ default "connected" .W3AF_AUTH_FORM_CHECK_STRING }}'
|
|
|
|
set follow_redirects True
|
|
|
|
back
|
|
|
|
{{end}}
|
|
|
|
|
|
|
|
{{ if .W3AF_AUTH_LOGOUT_URL_REGEX }}
|
|
|
|
crawl web_spider
|
|
|
|
crawl config web_spider
|
|
|
|
set ignore_regex {{ .W3AF_AUTH_LOGOUT_URL_REGEX }}
|
2020-08-10 15:03:40 +02:00
|
|
|
set only_forward {{ default "True" .W3AF_SPIDER_ONLY_FORWARD }}
|
2019-04-15 20:50:20 +02:00
|
|
|
back
|
|
|
|
{{end}}
|
|
|
|
|
|
|
|
|
2019-04-29 16:46:17 +02:00
|
|
|
# Configure reporting in order to generate an HTML report
|
2019-04-15 20:50:20 +02:00
|
|
|
output console, html_file
|
|
|
|
output config html_file
|
|
|
|
set output_file reports/report{{- if .W3AF_REPORT_SUFFIX -}}_{{- .W3AF_REPORT_SUFFIX -}}{{- end -}}.html
|
|
|
|
set verbose {{ default "False" .W3AF_VERBOSE }}
|
|
|
|
back
|
|
|
|
|
|
|
|
output config console
|
|
|
|
set verbose {{ default "False" .W3AF_VERBOSE }}
|
|
|
|
back
|
|
|
|
back
|
|
|
|
|
2019-04-29 16:46:17 +02:00
|
|
|
# Set target informations, do a cleanup and run the scan
|
2019-04-15 20:50:20 +02:00
|
|
|
target
|
|
|
|
set target {{ .W3AF_TARGET_URL }}
|
|
|
|
set target_os {{ default "unix" .W3AF_TARGET_OS }}
|
|
|
|
set target_framework {{ default "unknown" .W3AF_TARGET_FRAMEWORK }}
|
|
|
|
back
|
|
|
|
|
|
|
|
back
|
|
|
|
|
|
|
|
cleanup
|
|
|
|
start
|
|
|
|
exit
|