# -----------------------------------------------------------------------------------------------------------
# W3AF AUDIT SCRIPT FOR WEB APPLICATION
# -----------------------------------------------------------------------------------------------------------
# Console script for w3af, rendered from a Go template before it is fed to the scanner.
# Every `{{ ... }}` expression is substituted at render time; `default X .VAR` falls back
# to X when the variable is unset. NOTE(review): the rendered file embeds the basic-auth
# and form credentials in plaintext, so treat the rendered output as a secret (restrict
# file permissions, keep it out of logs and version control).

# Configure HTTP settings
http-settings
set timeout {{ default 10 .W3AF_TIMEOUT }}
# Basic auth is only configured when a username is supplied; the domain is optional.
{{ if .W3AF_BASIC_AUTH_USERNAME }}
set basic_auth_user {{ .W3AF_BASIC_AUTH_USERNAME }}
set basic_auth_passwd {{ .W3AF_BASIC_AUTH_PASSWORD }}
{{if .W3AF_BASIC_AUTH_DOMAIN }}
set basic_auth_domain {{ .W3AF_BASIC_AUTH_DOMAIN }}
{{end}}
{{ end }}
back

# Configure scanner global behaviors
misc-settings
# Bounds the crawl phase; the default is in the unit w3af uses for this option (minutes per its docs — confirm).
set max_discovery_time {{ default 10 .W3AF_MAX_DISCOVERY_TIME }}
# Widen the fuzzed surface beyond query/body parameters: cookies, uploaded files, path
# segments and file names are all mutated.
set fuzz_cookies True
set fuzz_form_files True
set fuzz_url_parts True
set fuzz_url_filenames True
back

# Load the plugin profile; the default selects the high-risk audit set.
profiles
use {{ default "audit_high_risk" .W3AF_PROFILE }}
back

plugins
# Configure rfi plugin
# listen_address/listen_port describe a local HTTP listener that the remote-file-inclusion
# checks can point the target at; 0.0.0.0 binds it on every interface of the scanner host.
# NOTE(review): with use_w3af_site True the plugin presumably uses the w3af-hosted test
# file instead of this listener — confirm against the installed plugin before relying on
# either the port or the outbound access it implies.
audit rfi
audit config rfi
set listen_address "0.0.0.0"
set listen_port 44449
set use_w3af_site True
back

# Form-based authentication is only enabled when a login URL is supplied.
{{ if .W3AF_AUTH_FORM_URL }}
# Configure target authentication
auth detailed
auth config detailed
set username {{ .W3AF_AUTH_FORM_USERNAME }}
set password {{ .W3AF_AUTH_FORM_PASSWORD }}
set method POST
set auth_url {{ .W3AF_AUTH_FORM_URL }}
set username_field {{ default "username" .W3AF_AUTH_FORM_USERNAME_FIELD }}
set password_field {{ default "password" .W3AF_AUTH_FORM_PASSWORD_FIELD }}
# %U and %P are the placeholders w3af substitutes with the username and password.
set data_format {{ default "username=%U&password=%P" .W3AF_AUTH_FORM_DATA_FORMAT }}
# check_url is fetched after login and must contain check_string for the session to be
# considered valid; the `{{-`/`-}}` trims keep the quotes hugging the value.
set check_url {{ .W3AF_AUTH_FORM_CHECK_URL }}
set check_string '{{- default "connected" .W3AF_AUTH_FORM_CHECK_STRING -}}'
back
{{end}}

# Configure reporting in order to generate an HTML report
output console, html_file
output config html_file
# The optional suffix is spliced unchanged into the report path (reports/report_<suffix>.html).
# NOTE(review): if W3AF_REPORT_SUFFIX can be set by an untrusted caller, validate it upstream
# (e.g. restrict to [A-Za-z0-9_-]) so it cannot steer the report outside reports/.
set output_file reports/report{{- if .W3AF_REPORT_SUFFIX -}}_{{- .W3AF_REPORT_SUFFIX -}}{{- end -}}.html
set verbose {{ default "False" .W3AF_VERBOSE }}
back
output config console
set verbose {{ default "False" .W3AF_VERBOSE }}
back
back

# Set target information, do a cleanup and run the scan
target
set target {{ .W3AF_TARGET_URL }}
set target_os {{ default "unix" .W3AF_TARGET_OS }}
set target_framework {{ default "unknown" .W3AF_TARGET_FRAMEWORK }}
back
# NOTE(review): the `target` menu was already left by the `back` above, so this second
# `back` runs at the root menu — presumably a no-op, but verify it does not abort the script.
back
cleanup
start
exit