-
Notifications
You must be signed in to change notification settings - Fork 469
/
framework_config.cfg
59 lines (56 loc) · 4.01 KB
/
framework_config.cfg
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
VERSION: 0.12 "Wicky"
INSTALL_SCRIPT: @@@FRAMEWORK_DIR@@@/install.sh
WEB_TEST_GROUPS: @@@FRAMEWORK_DIR@@@/framework/config/web_testgroups.cfg
PLUGINS_DIR: @@@FRAMEWORK_DIR@@@/plugins/
# Default Profiles:
DEFAULT_GENERAL_PROFILE: @@@FRAMEWORK_DIR@@@/profiles/general/default.cfg
DEFAULT_RESOURCES_PROFILE: @@@FRAMEWORK_DIR@@@/profiles/resources/default.cfg
DEFAULT_WEB_PLUGIN_ORDER_PROFILE: @@@FRAMEWORK_DIR@@@/profiles/web_plugin_order/default.cfg
DEFAULT_NET_PLUGIN_ORDER_PROFILE: @@@FRAMEWORK_DIR@@@/profiles/net_plugin_order/default.cfg
# Below is to distinguish what is fuzzable from what isn't, if the question mark is in the URL, owtf will consider it "fuzzable"
REGEXP_FILE_URL: ^[^\?]+\.(xml|exe|pdf|cs|log|inc|dat|bak|conf|cnf|old|zip|7z|rar|tar|gz|bz2|txt|xls|xlsx|doc|docx|ppt|pptx)$
# Potentially small files will be retrieved for analysis
REGEXP_SMALL_FILE_URL: ^[^\?]+\.(xml|cs|inc|dat|bak|conf|cnf|old|txt)$
REGEXP_IMAGE_URL: ^[^\?]+\.(jpg|jpeg|png|gif|bmp)$
REGEXP_VALID_URL: ^(http|ftp)[^ ]+$
# This defines a special resource (shell command) in charge of outputting URLs, typically from the previously executed command (hint: search on resources.cfg):
EXTRACT_URLS_RESERVED_RESOURCE_NAME: Extract URLs
HEADERS_FOR_FINGERPRINT: Server,X-Powered-By,X-AspNet-Version,X-Runtime,X-Version,MicrosoftSharePointTeamServices
HEADERS_FOR_CLICKJACKING_PROTECTION: X-Frame-Options,X-Content-Security-Policy
#HEADERS_FOR_CORS: Access-Control-Allow-Origin,Access-Control-Allow-Credentials,Access-Control-Expose-Headers,Access-Control-Max-Age,Access-Control-Allow-Methods,Access-Control-Allow-Headers
HEADERS_FOR_CORS: Access-Control-Allow-Origin,Access-Control-Allow-Credentials
HEADERS_FOR_XSS_PROTECTION: X-Content-Security-Policy,X-XSS-Protection
HEADERS_FOR_CACHE_PROTECTION: Cache-Control,Pragma,Expires
HEADERS_FOR_COOKIES: Set-Cookie
HEADERS_FOR_SSL_PROTECTION: Strict-Transport-Security
COOKIE_ATTRIBUTES: secure,HttpOnly,domain,path,expires
# To be searched on response bodies:
# Format: grep_regexp_____python_regexp
# Where the _optional_ "_____python_regexp" indicates that retrieval is in two passes: grep to find matching files, then python regexp to retrieve matches from file
# Examples:
# Not implemented yet -> could be slower -> 1) grep regexp is enough: you are sure that the result will _always_ be in the same line ---> Then do _not_ set the python regexp
# 2) grep regexp is not enough: result could be in multiple lines/is complex to find ---> Then go with the python regexp for the 2nd pass
RESPONSE_REGEXP_FOR_CACHE_PROTECTION: Cache Control Meta Tags_____<META.*?HTTP-EQUIV_____(<META.*?HTTP-EQUIV.*?Pragma.*?>|<META.*?HTTP-EQUIV.*?Expires.*?>|<META.*?HTTP-EQUIV.*?Cache-Control.*?>)
RESPONSE_REGEXP_FOR_HTML_COMMENTS: HTML Comments_____<!--_____(<!--.*?-->)
RESPONSE_REGEXP_FOR_CSS_JS_COMMENTS: CSS/JS Comments_____/*_____(/\*.*?\*/)
RESPONSE_REGEXP_FOR_JS_COMMENTS: Single Line JS Comments_____[^-:]//_____[^-:](//(^dtd).*?\n)
RESPONSE_REGEXP_FOR_PHP_SOURCE: Potential PHP source code_____<?_____(<?(^xml).*?\?>)
RESPONSE_REGEXP_FOR_ASP_SOURCE: Potential ASP source code_____<%_____(<%.*?%>)
RESPONSE_REGEXP_FOR_AUTOCOMPLETE: Autocomplete fields_____type=.password_____(<form[^>]*?>|<input[^>]*?type[^>]*?password[^>]*?>)
RESPONSE_REGEXP_FOR_PASSWORDS: Password fields_____type=.password_____(<input[^>]*?type[^>]*?password[^>]*?>)
RESPONSE_REGEXP_FOR_HIDDEN: Hidden fields_____type=.hidden_____(<input[^>]*?type=[^>]*?hidden[^>]*>)
RESPONSE_REGEXP_FOR_SSI: Server Side Includes_____<!--#_____(<!--(#.*)?-->)
# The following icons _must_ exist, but you can change the icon if you wish
# WARNING!!!: The following icons are best kept as they are, if a new icon is wanted it should have the same name (at least for now):
#FIXED_ICON_MATCHES: shopping_cart
FIXED_ICON_MATCHES: target
FIXED_ICON_INFO: info
FIXED_ICON_PLUGIN_INFO: info24x24
FIXED_ICON_NOFLAG: envelope
FIXED_ICON_UNSTRIKETHROUGH: eraser
FIXED_ICON_STRICKETHROUGH: pencil
FIXED_ICON_NOTES: lamp_active
FIXED_ICON_REMOVE: delete
FIXED_ICON_REFRESH: refresh
FIXED_ICON_OPTIONS: options
COLLAPSED_REPORT_SIZE: 64