in dusty/scanners/dast/zap/scanner.py [0:0]
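def fill_config(data_obj):
    """ Make sample config

    Append every ZAP scanner option to ``data_obj`` together with a one-line
    YAML comment, so the generated sample config is self-describing.
    ``data_obj`` must expose ``insert(pos, key, value, comment=...)``
    (CommentedMap-like); keys are appended in order, so ``len(data_obj)`` is
    always the next free position.

    Fix vs. the previous version: the ``exclude_from_*`` comments were built
    from two adjacent string literals with no separator and rendered as
    "...exclude option.Or URLs regex list..." in the emitted YAML.

    Security notes for whoever copies the sample:
    - ``auth_login`` / ``auth_password`` are placeholders. Real scan
      credentials should be injected from a secret store at run time, not
      committed next to the generated config.
    - ``bind_all_interfaces: True`` makes the ZAP daemon (its proxy/API
      port) reachable on every interface of the host, not only loopback.
      Keep it False unless something outside the host must talk to ZAP.
    - ``exclude`` defaults to the logout URL so that the spider / active
      scan does not terminate the authenticated session mid-scan.
    """
    def add(key, value, comment):
        # Every option goes to the end of the mapping; len() is the next slot.
        data_obj.insert(len(data_obj), key, value, comment=comment)

    add(
        "scan_types", "all",
        "ZAP scan type, supported any combination of: 'all', 'xss', 'sqli'"
    )
    add("target", "http://app:8080", "scan target")
    add("context_file", "/path/to/zap_context", "(optional) Path to ZAP context file")
    add(
        "include", ["http://app:8080/path.*"],
        "(optional) URLs regex to additionally include in scan"
    )
    add(
        "exclude", ["http://app:8080/logout.*"],
        "(optional) URLs regex to exclude from scan"
    )
    # The four exclude_from_* switches share one comment template; only the
    # key suffix and the human-readable scope differ.
    for suffix, scope in (
        ("context", "context"),
        ("spider", "spider"),
        ("ascan", "active scan"),
        ("proxy", "proxy"),
    ):
        add(
            "exclude_from_" + suffix, True,
            "(optional) True/False to add data from exclude option. "
            "Or URLs regex list to exclude from " + scope
        )
    # Session-state detection: ZAP uses these regexes against responses to
    # decide whether it is still authenticated (and presumably to re-login).
    add(
        "logged_in_indicator", "Logout",
        "(optional) Response regex that is always present for authenticated user"
    )
    add(
        "logged_out_indicator", "Register a new account",
        "(optional) Response regex that is present for unauthenticated user"
    )
    # Placeholder credentials only -- see the docstring. Do not ship real ones here.
    add("auth_login", "user", "(optional) User login for authenticated scan")
    add("auth_password", "P@ssw0rd", "(optional) User password for authenticated scan")
    add(
        "auth_script", CommentedSeq(),
        "(optional) Selenium-like script for authenticated scan"
    )
    # %Target%, %Username% and %Password% look like run-time substitution
    # tokens for target / auth_login / auth_password -- confirm against the
    # scanner that executes this script.
    steps = data_obj["auth_script"]
    for step in (
        {"command": "open", "target": "%Target%/login", "value": ""},
        {"command": "waitForElementPresent", "target": "id=login_login", "value": ""},
        {"command": "waitForElementPresent", "target": "id=login_password", "value": ""},
        {"command": "waitForElementPresent", "target": "id=login_0", "value": ""},
        {"command": "type", "target": "id=login_login", "value": "%Username%"},
        {"command": "type", "target": "id=login_password", "value": "%Password%"},
        {"command": "clickAndWait", "target": "id=login_0", "value": ""},
    ):
        step_obj = CommentedMap()
        # Flow style: each step is emitted as a single-line mapping.
        step_obj.fa.set_flow_style()
        for field in ("command", "target", "value"):
            step_obj.insert(len(step_obj), field, step[field])
        steps.append(step_obj)
    # Network exposure of the daemon -- see the docstring before enabling.
    add(
        "bind_all_interfaces", True,
        "(optional) Bind ZAP to all interfaces or only to localhost"
    )
    add("daemon_debug", False, "(optional) Send ZAP daemon output to stdout")
    # Heap cap for the ZAP JVM.
    add("java_options", "-Xmx499m", "(optional) Java options for ZAP daemon")
    add(
        "split_by_endpoint", False,
        "(optional) Create separate findings for every endpoint"
    )
    add(
        "save_intermediates_to", "/data/intermediates/dast",
        "(optional) Save scan intermediates (raw results, logs, ...)"
    )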