Jenkins/resources/com/cadoles/w3af/audit.w3af.tmpl

# -----------------------------------------------------------------------------------------------------------
#                                              W3AF AUDIT SCRIPT FOR WEB APPLICATION
# -----------------------------------------------------------------------------------------------------------

#Configure HTTP settings
http-settings
set timeout {{ default 10 .W3AF_TIMEOUT }}
{{ if .W3AF_BASIC_AUTH_USERNAME }}
set basic_auth_user {{ .W3AF_BASIC_AUTH_USERNAME }}
set basic_auth_passwd {{ .W3AF_BASIC_AUTH_PASSWORD }}
{{if .W3AF_BASIC_AUTH_DOMAIN }}
set basic_auth_domain {{ .W3AF_BASIC_AUTH_DOMAIN }}
{{end}}
{{ end }}
back

#Configure scanner global behaviors
misc-settings
set max_discovery_time {{ default 10 .W3AF_MAX_DISCOVERY_TIME }}
set fuzz_cookies True
set fuzz_form_files True
set fuzz_url_parts True
set fuzz_url_filenames True
back

profiles
use {{ default "audit_high_risk" .W3AF_PROFILE }}
back

plugins

{{ if .W3AF_AUTH_FORM_URL }}
#Configure target authentication
auth detailed
auth config detailed
set username {{ .W3AF_AUTH_FORM_USERNAME }}
set password {{ .W3AF_AUTH_FORM_PASSWORD }}
set method POST
set auth_url {{ .W3AF_AUTH_FORM_URL }}
set username_field {{ default "username" .W3AF_AUTH_FORM_USERNAME_FIELD }}
set password_field {{ default "password" .W3AF_AUTH_FORM_PASSWORD_FIELD }}
set data_format {{ default "username=%U&password=%P" .W3AF_AUTH_FORM_DATA_FORMAT }}
set check_url {{ .W3AF_AUTH_FORM_CHECK_URL }}
set check_string '{{- default "connected" .W3AF_AUTH_FORM_CHECK_STRING -}}'
back
{{end}}


#Configure reporting in order to generate an HTML report
output console, html_file
output config html_file
set output_file reports/report{{- if .W3AF_REPORT_SUFFIX -}}_{{- .W3AF_REPORT_SUFFIX -}}{{- end -}}.html
set verbose {{ default "False" .W3AF_VERBOSE }}
back

output config console
set verbose {{ default "False" .W3AF_VERBOSE }}
back
back

#Set target informations, do a cleanup and run the scan
target 
set target {{ .W3AF_TARGET_URL }}
set target_os {{ default "unix" .W3AF_TARGET_OS }}
set target_framework {{ default "unknown" .W3AF_TARGET_FRAMEWORK }}
back

back

cleanup
start
exit
fixup! Web security audit base pipeline 2019-04-15 20:50:20 +02:00			`# -----------------------------------------------------------------------------------------------------------`
			`# W3AF AUDIT SCRIPT FOR WEB APPLICATION`
			`# -----------------------------------------------------------------------------------------------------------`

			`#Configure HTTP settings`
			`http-settings`
			`set timeout {{ default 10 .W3AF_TIMEOUT }}`
			`{{ if .W3AF_BASIC_AUTH_USERNAME }}`
			`set basic_auth_user {{ .W3AF_BASIC_AUTH_USERNAME }}`
			`set basic_auth_passwd {{ .W3AF_BASIC_AUTH_PASSWORD }}`
			`{{if .W3AF_BASIC_AUTH_DOMAIN }}`
			`set basic_auth_domain {{ .W3AF_BASIC_AUTH_DOMAIN }}`
			`{{end}}`
			`{{ end }}`
			`back`

			`#Configure scanner global behaviors`
			`misc-settings`
			`set max_discovery_time {{ default 10 .W3AF_MAX_DISCOVERY_TIME }}`
			`set fuzz_cookies True`
			`set fuzz_form_files True`
			`set fuzz_url_parts True`
			`set fuzz_url_filenames True`
			`back`

			`profiles`
			`use {{ default "audit_high_risk" .W3AF_PROFILE }}`
			`back`

			`plugins`

			`{{ if .W3AF_AUTH_FORM_URL }}`
			`#Configure target authentication`
			`auth detailed`
			`auth config detailed`
			`set username {{ .W3AF_AUTH_FORM_USERNAME }}`
			`set password {{ .W3AF_AUTH_FORM_PASSWORD }}`
			`set method POST`
			`set auth_url {{ .W3AF_AUTH_FORM_URL }}`
			`set username_field {{ default "username" .W3AF_AUTH_FORM_USERNAME_FIELD }}`
			`set password_field {{ default "password" .W3AF_AUTH_FORM_PASSWORD_FIELD }}`
			`set data_format {{ default "username=%U&password=%P" .W3AF_AUTH_FORM_DATA_FORMAT }}`
			`set check_url {{ .W3AF_AUTH_FORM_CHECK_URL }}`
			`set check_string '{{- default "connected" .W3AF_AUTH_FORM_CHECK_STRING -}}'`
			`back`
			`{{end}}`


			`#Configure reporting in order to generate an HTML report`
			`output console, html_file`
			`output config html_file`
			`set output_file reports/report{{- if .W3AF_REPORT_SUFFIX -}}_{{- .W3AF_REPORT_SUFFIX -}}{{- end -}}.html`
			`set verbose {{ default "False" .W3AF_VERBOSE }}`
			`back`

			`output config console`
			`set verbose {{ default "False" .W3AF_VERBOSE }}`
			`back`
			`back`

			`#Set target informations, do a cleanup and run the scan`
			`target`
			`set target {{ .W3AF_TARGET_URL }}`
			`set target_os {{ default "unix" .W3AF_TARGET_OS }}`
			`set target_framework {{ default "unknown" .W3AF_TARGET_FRAMEWORK }}`
			`back`

			`back`

			`cleanup`
			`start`
			`exit`