# Lab 5 Notes
1. Passive scan
---
# StackHawk configuration for the DVWA lab target — step 1: passive (unauthenticated) scan.
# There is no authentication block here, so the scanner browses the app as an anonymous client.
app:
  applicationId: '609d3bcb-bd4a-42d1-bd44-5288e3a477b1'
  env: Development
  # Base URL of the application under test (required)
  host: 'http://192.168.122.244:8080'

hawk:
  # Crawler / spider settings
  spider:
    # Let the base spider discover the app's routes (this is the default)
    base: true
2. Auth scan
---
# StackHawk configuration for the DVWA lab target — step 2: authenticated scan.
# Adds form-based login so the scanner crawls as a logged-in DVWA user.
# Note: no excludePaths yet, so (per the note in the next listing) the spider can reach
# /logout.php and drop its own session.
app:
  applicationId: '609d3bcb-bd4a-42d1-bd44-5288e3a477b1'
  env: Development
  # Base URL of the application under test (required)
  host: 'http://192.168.122.244:8080'

  # Optional app metadata, left disabled for the lab:
  #   contactEmail: steve.s.hawk@example.com   # alpha-feedback contact only, never marketing
  #   riskLevel: MEDIUM                         # DVWA poses a medium risk to the fictional company
  #   appDataType: PII                          # the app holds PII and little else

  # Cookie names DVWA issues for its session
  sessionTokens:
    - PHPSESSID
    - dvwaSession

  # Name of DVWA's anti-CSRF form field, so the scanner can carry the token through requests
  antiCsrfParam: user_token

  # Form-POST authentication. With this enabled every request is made as an authenticated
  # user, re-using the cookies returned by the login POST.
  authentication:
    # Regex that, when found in a response, means the scan user is still logged in (required).
    # \Q...\E quotes the literal text "Logout".
    loggedInIndicator: '\QLogout\E'
    # Regex that, when found in a response, means the scan user has been logged out (required)
    loggedOutIndicator: '\QloginInput\E'

    # A page reachable only when logged in; fetched once to confirm that login worked
    testPath:
      path: /vulnerabilities/javascript/
      type: HEADER
      success: '.*200.*'

    # What the browser presents to prove it is logged in — here, session cookies
    cookieAuthorization:
      cookieNames:
        - PHPSESSID
        - dvwaSession

    usernamePassword:
      type: FORM
      # Route that receives the login POST (required)
      loginPath: /login.php
      # Route that logs the user out (required)
      logoutPath: /logout.php
      # Field names in DVWA's login form (required)
      usernameField: username
      passwordField: password
      # Extra form fields DVWA's login requires
      otherParams:
        # The submit button value; login does not succeed without it
        - name: Login
          val: Login
        # Purpose inside the app not confirmed by the author, but scans fail without it
        - name: security
          val: low
      # Account the scanner logs in as (required). These are DVWA's stock demo credentials;
      # for a real target, supply the password from a CI secret / environment variable
      # instead of committing it in this file.
      scanUsername: admin
      scanPassword: password

hawk:
  # Crawler / spider settings
  spider:
    # Let the base spider discover the app's routes (this is the default)
    base: true
3. Auth scan with context
---
# StackHawk configuration for the DVWA lab target — step 3: authenticated scan with context.
# Same as step 2 plus excludePaths, which keeps the crawler away from endpoints that
# would change application state or end the scanner's own session.
app:
  applicationId: '609d3bcb-bd4a-42d1-bd44-5288e3a477b1'
  env: Development
  # Base URL of the application under test (required)
  host: 'http://192.168.122.244:8080'

  # Optional app metadata, left disabled for the lab:
  #   contactEmail: steve.s.hawk@example.com   # alpha-feedback contact only, never marketing
  #   riskLevel: MEDIUM                         # DVWA poses a medium risk to the fictional company
  #   appDataType: PII                          # the app holds PII and little else

  # Cookie names DVWA issues for its session
  sessionTokens:
    - PHPSESSID
    - dvwaSession

  # Name of DVWA's anti-CSRF form field, so the scanner can carry the token through requests
  antiCsrfParam: user_token

  # Routes the crawler must not touch. Each one is either destructive or breaks the scan,
  # so excluding them is part of keeping an authenticated scan safe and repeatable.
  excludePaths:
    - /setup.php                 # resets the database
    - /security.php              # would switch PHPIDS on
    - '/vulnerabilities/csrf/*'  # this page changes the admin password
    - /logout.php                # otherwise the scanner logs itself out

  # Form-POST authentication. With this enabled every request is made as an authenticated
  # user, re-using the cookies returned by the login POST.
  authentication:
    # Regex that, when found in a response, means the scan user is still logged in (required).
    # \Q...\E quotes the literal text "Logout".
    loggedInIndicator: '\QLogout\E'
    # Regex that, when found in a response, means the scan user has been logged out (required)
    loggedOutIndicator: '\QloginInput\E'

    # A page reachable only when logged in; fetched once to confirm that login worked
    testPath:
      path: /vulnerabilities/javascript/
      type: HEADER
      success: '.*200.*'

    # What the browser presents to prove it is logged in — here, session cookies
    cookieAuthorization:
      cookieNames:
        - PHPSESSID
        - dvwaSession

    usernamePassword:
      type: FORM
      # Route that receives the login POST (required)
      loginPath: /login.php
      # Route that logs the user out (required)
      logoutPath: /logout.php
      # Field names in DVWA's login form (required)
      usernameField: username
      passwordField: password
      # Extra form fields DVWA's login requires
      otherParams:
        # The submit button value; login does not succeed without it
        - name: Login
          val: Login
        # Purpose inside the app not confirmed by the author, but scans fail without it
        - name: security
          val: low
      # Account the scanner logs in as (required). These are DVWA's stock demo credentials;
      # for a real target, supply the password from a CI secret / environment variable
      # instead of committing it in this file.
      scanUsername: admin
      scanPassword: password

hawk:
  # Crawler / spider settings
  spider:
    # Let the base spider discover the app's routes (this is the default)
    base: true