forked from kaakaww/hawkscan-examples
-
Notifications
You must be signed in to change notification settings - Fork 0
/
stackhawk-auth-json-token-custom1.yml
57 lines (57 loc) · 2.96 KB
/
stackhawk-auth-json-token-custom1.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
# Username and password credentials via a JSON POST w/ header token for access to authorized routes.
app:
applicationId: xxXXXXXX-xXXX-xxXX-XXxX-xXXxxXXXXxXX
env: Development
host: ${APP_HOST:http://localhost:9000}
# How should the scanner authenticate to your application when performing a scan.
authentication:
# A username/password based authentication scheme
usernamePassword:
# The Content-Type expected by the loginPath JSON = application/json
type: JSON
# The path to POST username/password credentials to.
loginPath: /login
# The path to POST username/password credentials to.
usernameField: email
# The name of the password field
passwordField: password
# The value of the username field
scanUsername: "[email protected]"
# The value of the password field
scanPassword: ${SCAN_PASSWORD:changeme}
# Extra fields and their values to be included in the POST data to loginPath
# in addition to the username/password.
otherParams:
- name: "rememberMe"
val: "true"
# If your authentication state is not maintained server side via a Cookie
# the tokenExtraction describes how to extract the token from the supplied credential type
# like usernamePassword in this case. The token extracted will be the value used by tokenAuthorization
# for access to authenticated routes.
tokenExtraction:
# The type of extraction. In this case we're expecting the authorization token
# To be returned as a custom header, X-AuthToken, from a successful authentication.
type: HEADER
# The name of the header in the response from authentication.
value: X-AuthToken
# Token based authorization. If your app doesn't use cookies to maintain session/authorization state then
# you'll likely need to pass the token on every request to the authenticated routes of your application.
tokenAuthorization:
# The method by which the token will be passed to your application.
# In this case a header is expected
type: HEADER
# The name of the header that the token will be passed with requests authenticated routes.
# This is a custom header name approach and each request to your app will be passwed the token via
# this header name ex: X-AuthToken: <token>
value: X-AuthToken
loggedInIndicator: "\\QSign out\\E"
loggedOutIndicator: "\\QSign in\\E"
# The testPath configuration is used to confirm scanning as an authenticated user is configured successfully.
testPath:
# The type is either HEADER or BODY and informs the success or fail regex of what part of the response to match against.
type: HEADER
# A path to validate that authentication was successful. This path should be only accessible to authenticated users.
path: /profile
# Success criteria regex pattern.
# A successful match indicates that the response from the path specified was successful
success: ".*200.*"