OpenAPI Configuration
The OpenAPI Specification (AKA Swagger) is an industry-adopted standard for describing RESTful interfaces, which HawkScan can use to deliver a faster, more thorough scan.
HawkScan will use the contents of a provided OpenAPI spec to improve the quality of the scan by:
Pre-seeding the sitemap using the routes defined in the OpenAPI spec. This can be used to complement any crawled routes or can be used instead of app spidering altogether.
Using defined inputs to routes in the spec to inform how to communicate with the web application and gather clues on how to better attack endpoints.
HawkScan can work with OpenAPI definitions as separate files or defined inline via the stackhawk.yml.
Getting Started
Create an application on the StackHawk Web platform.
Download the stackhawk.yml file from the New Application Wizard or manually create the file in your project directory.
Once you've completed these two steps, check out the Overview Video and code snippets below.
Overview
Configuration Examples
app: | app: |
Using a spec file | Using a relative URL |
Basic Scan
app:
applicationId: xxxx-XXXX-xxxx-XXXX-xxxxxxxx
env: Development
host: http://localhost:8000
autoPolicy: true
openApiConf:
path: /swagger
Authenticated Scan
Authentication comes in many shapes and sizes including web forms, JSON forms, and tokens. For additional information on configuring other types of authentication with StackHawk, please see our docs.
app:
....
authentication:
loggedInIndicator: HTTP/\d+\.\d+\s+(2[0-9][0-9]|3[0-9][0-9])
loggedOutIndicator: HTTP/\d+\.\d+\s+(4[0-9][0-9])
usernamePassword:
type: JSON
loginPath: /login/
usernameField: username
passwordField: password
scanUsername: admin
scanPassword: adminpassword
tokenExtraction:
type: TOKEN_PATH
value: "access"
tokenAuthorization:
type: HEADER
value: Authorization
tokenType: Bearer
testPath:
path: /kaakaww/
success: ".*200.*"