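# config.py
"""
Unified security testing framework configuration.

Supports: NetBear (web crawling), NextCloud (auth/IDOR/upload testing)

Every value here is a plain module-level constant; other modules import
them by name, so renaming a constant changes the public interface.

CUSTOMIZATION GUIDE:
- For faster scans: Reduce NETBEAR_MAX_DEPTH (1-2), NETBEAR_MAX_PAGES_PER_DOMAIN (5-10)
- For stealthier crawling: Increase NETBEAR_RATE_LIMIT_SEC (2.0-5.0)
- For custom Nuclei checks: Add YAML template paths to NUCLEI_TEMPLATES list
- For proxy scanning: Add proxy URLs to PROXIES list (supports http/socks5)
"""

# ============ GENERAL ============
# Paths are relative to the working directory the tool is launched from.
REPORTS_DIR = "reports"
TARGETS_FILE = "targets.txt"
INDEX_FILE = f"{REPORTS_DIR}/index.txt"
TIMEOUT = 60000  # ms - Maximum time before Playwright operations abort
ENABLE_TRACING = True  # Save Playwright trace files for debugging
MAX_RETRIES = 2  # Retry count for failed requests

# Proxy support for all modules (Burp Suite, ZAP, etc.)
# Format: ["http://proxy1:8080", "socks5://proxy2:1080"]
# Leave empty [] to scan without proxy
PROXIES = []  # e.g. ["http://localhost:8080"] for Burp Suite

# ============ NETBEAR (Web Crawling) ============
# Configuration for the main web crawler using Playwright

# File with allowed domains (one per line). The crawler stays inside these
# domains; keep the list limited to hosts you are authorized to test.
NETBEAR_SCOPES_FILE = "scopes.txt"

# Crawl depth: 1=homepage only, 2=1 level deep, 3=2 levels deep
# Higher = more pages found but slower. 2 is recommended balance.
NETBEAR_MAX_DEPTH = 2

# Maximum pages to crawl per domain (limits time and network load)
# Increase to 20-30 for thorough scanning, decrease to 5-10 for speed
NETBEAR_MAX_PAGES_PER_DOMAIN = 15

# Delay between requests in seconds (1.5s = reasonable speed + stealth)
# For maximum speed: 0.5s | For stealth: 3.0-5.0s
NETBEAR_RATE_LIMIT_SEC = 1.5

# ============ NUCLEI INTEGRATION ============
# Configuration for Nuclei vulnerability scanner integration
NUCLEI_ENABLED = True  # Set False to skip Nuclei scanning after crawls

# Filter findings by severity. Options: critical, high, medium, low, info
# Use "critical,high" for normal testing, "critical" for minimal noise
NUCLEI_SEVERITY = "high,critical"

# Seconds per scan (1800 = 30 minutes). Adjust based on number of targets:
# - Few targets (< 20): 300-600 seconds
# - Medium (20-50): 600-1200 seconds
# - Large (> 50): 1200-3600 seconds
NUCLEI_TIMEOUT = 1800

NUCLEI_RATE_LIMIT = 50  # Max requests/second to target

# Templates to run (all are "direct" versions that test URLs as-is, no path manipulation)
# Custom templates: Add your YAML files to this list
# Format: "./path/to/template.yaml" (relative to the working directory)
NUCLEI_TEMPLATES = [
    "./netbear-api-exposure-direct.yaml",  # Detects exposed secrets/API keys
    "./netbear-auth-bypass-direct.yaml",  # Detects unauthenticated access to protected endpoints
    "./netbear-idor-direct.yaml",  # Detects broken object-level authorization
]
NUCLEI_RUN_AFTER_CRAWL = True  # Auto-run Nuclei immediately after each domain crawl

# ============ NEXTCLOUD TESTING ============
# Target NextCloud instance
NEXTCLOUD_HOST = "https://nextcloud.example.com"  # Update with actual instance

# Credentials are prompted interactively when left empty. Keep them empty
# in the checked-in file so no real credential lands in version control.
NEXTCLOUD_USERNAME = ""  # Will be prompted interactively
NEXTCLOUD_PASSWORD = ""  # Will be prompted interactively

# Keep certificate verification on; a False here also hides a MITM of the
# test session itself. Only relax it for an intercepting proxy whose CA
# you have installed, and never against a production host.
NEXTCLOUD_VERIFY_SSL = True

# Test parameters
NEXTCLOUD_MAX_WORKERS = 5  # Concurrent requests
NEXTCLOUD_TIMEOUT = 30  # seconds
NEXTCLOUD_RATE_LIMIT_SEC = 0.5  # Between requests to same endpoint

# IDOR Testing
NEXTCLOUD_IDOR_SAMPLE_SIZE = 50  # How many IDs to test
# Inclusive (low, high) bounds per identifier type — assumed inclusive from
# the values; confirm against the sampling code before relying on it.
NEXTCLOUD_IDOR_ID_RANGES = {
    "file_id": (1, 1000),
    "share_id": (1, 500),
    "user_id": (1, 200),
}

# Upload Testing
NEXTCLOUD_UPLOAD_TIMEOUT = 10
NEXTCLOUD_MAX_UPLOAD_SIZE = 5 * 1024 * 1024  # 5 MB
# Extensions the upload check treats as server-executable. Each entry
# appears once (".phtml" was previously listed twice), so counts derived
# from this list are not inflated.
NEXTCLOUD_DANGEROUS_EXTENSIONS = [
    ".php", ".phtml", ".php3", ".php4", ".php5",
    ".sh", ".bash", ".exe", ".jar", ".jsp",
]

# Public Link Testing
NEXTCLOUD_PUBLIC_LINK_TIMEOUT = 5
NEXTCLOUD_PUBLIC_LINK_MAX_ATTEMPTS = 1000

# Auth Testing
NEXTCLOUD_AUTH_TEST_USERS = ["admin", "test", "guest"]

# ============ REPORTING ============
# "html" is listed here although it is marked as future work — confirm the
# reporter actually implements it before selecting it as default.
REPORT_FORMATS = ["json", "txt", "html"]  # Future: html reports
DEFAULT_REPORT_FORMAT = "json"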