-
Notifications
You must be signed in to change notification settings - Fork 178
/
Copy pathconfig.xml
71 lines (57 loc) · 2.87 KB
/
config.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
<?xml version="1.0" encoding="ISO-8859-1" ?>
<web-app>
<!-- The settings in this file are for the demo ropey-tasks vulnerable web app available at: https://github.com/stephendv/RopeyTasks,
which is included in the bdd-security framework for demo purposes. -->
<!-- The web driver to use, can be either Firefox, Chrome or HtmlUnit. Optionally specify path to the driver (required for linux)
Some drivers require a path to the platform specific driver binary, for example chrome needs chromedriver. If these values are not specified, we'll use HtmlUnit
<defaultDriver>firefox</defaultDriver>
<defaultDriver path="src/test/resources/drivers/chromedriver-mac">Chrome</defaultDriver> -->
<!-- Base URL of the application to test -->
<baseUrl>http://localhost:8080/</baseUrl>
<!-- A Java class to hold the Selenium steps to test the application in depth. Optionally required for in-depth authn/z and session management testing. -->
<class>net.continuumsecurity.examples.ropeytasks.RopeyTasksApplication</class>
<!-- In order to install sslyze on a Linux system, these steps must be followed
apt-get update
apt-get install python-pip
pip install sslyze
-->
<sslyze>
<path>sslyze</path>
<option>--regular</option>
<targetHost>www.continuumsecurity.net</targetHost>
<targetPort>443</targetPort>
</sslyze>
<!-- Optional names of the session ID cookies for session management testing. -->
<sessionIds>
<name>JSESSIONID</name>
</sessionIds>
<!-- the default user to use when logging in to the app -->
<defaultUsername>bob</defaultUsername>
<defaultPassword>password</defaultPassword>
<scanner>
<ignoreUrl>.*logout.*</ignoreUrl>
<spiderUrl>baseUrl</spiderUrl>
<maxDepth>5</maxDepth>
</scanner>
<!-- An upstream proxy through which all HTTP traffic must pass before hitting the target
application under test. The framework will configure both the WebDriver instance and ZAP to use this proxy. Note that non-HTTP traffic will not use this proxy. -->
<upstreamProxy>
<host></host>
<port></port>
<noProxyHosts></noProxyHosts><!-- ie: localhost,127.0.0.1,192.168.10.2 -->
</upstreamProxy>
<incorrectPassword>SDFsdfwjx1</incorrectPassword>
<incorrectUsername>bobbles</incorrectUsername>
<!-- Optional login credentials for the Nessus server, the server location is specified in the nessus_scan.story file -->
<nessus>
<username>admin</username>
<password>admin</password>
</nessus>
<!-- Optional location of a running OWASP ZAP instance. Either an external- already running ZAP instance must be specified here, or the zapPath must be specified to launch ZAP
<proxy>
<host>127.0.0.1</host>
<port>8888</port>
<api></api>
</proxy>-->
<zapPath>zap/zap.sh</zapPath>
</web-app>