# OFXpwn configuration file
# Copy this file and customize it for your (authorized) target. The copy will
# hold target details and credentials — keep it out of version control.
# --- Target OFX server -------------------------------------------------------
target:
  # Full URL of the OFX endpoint (required). Double-check it before running:
  # every module below sends requests here, and the signon-based modules
  # send the configured credentials to whatever host is listed.
  url: "https://ofx.example.com/OFXServer/ofxsrvr.dll"

  # Institution organization name and FI id (optional, but recommended).
  # Both can be looked up in the Intuit FI directory:
  #   https://ofx-prod-filist.intuit.com/qw2800/data/fidir.txt
  # Keep the numeric id quoted so it stays a string.
  org: "EXAMPLEBANK"
  fid: "12345"

  # Extra institution identifiers; leave empty unless the FI requires them.
  broker_id: ""
  institution_id: ""
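# --- HTTP proxy (Burp Suite, etc.) -------------------------------------------
proxy:
  # Route traffic through the proxy below.
  enabled: false
  # Proxy URL.
  url: "http://127.0.0.1:8080"
  # TLS certificate verification.
  # Keep this true. Set it to false only while intercepting through a proxy
  # that presents its own certificate, and turn it back on afterwards.
  # Whether the tool honours this key only while `enabled` is true is not
  # visible from this file — assume it is global: with verification off the
  # tool accepts any certificate on every connection, so a man-in-the-middle
  # on the path to the real target goes unnoticed and the credentials carried
  # in OFX signon requests can be captured.
  verify_ssl: true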
# --- Credentials for authenticated tests -------------------------------------
credentials:
  # Path to a credentials file in `username:password` form.
  # The file is plain text: keep it out of version control and restrict
  # its permissions (e.g. chmod 600).
  file: "creds.txt"
  # Inline credentials; when set, these take precedence over the file.
  # Prefer the file (or leave both empty) over writing secrets into this
  # config, which tends to get copied around.
  username: ""
  password: ""
  # Optional client UUID, as sent by Quicken-style clients.
  clientuid: ""
# --- Output ------------------------------------------------------------------
output:
  # Base directory for everything the tool writes.
  directory: "./output"
  # Persist raw HTTP requests / responses. OFX signon requests carry the
  # user id and password in the message body, so saved requests contain
  # credentials in clear text — treat this directory as sensitive, keep it
  # out of version control and delete it when the engagement ends.
  save_requests: true
  save_responses: true
  # Deduplicate saved responses by content hash.
  save_unique_only: true
  # Subdirectories. These are written out as literal paths rather than
  # derived from `directory`, so update them too if you change the base.
  logs_dir: "./output/logs"
  reports_dir: "./output/reports"
  evidence_dir: "./output/evidence"
# --- Logging -----------------------------------------------------------------
logging:
  # One of DEBUG, INFO, WARN, ERROR. DEBUG is likely to echo full requests,
  # i.e. credentials, to the console — avoid it on shared or recorded
  # terminals.
  level: "INFO"
  # Console output, optionally coloured.
  console: true
  console_color: true
# --- Request engine ----------------------------------------------------------
testing:
  # Upper bound on concurrent worker threads. 50 unthrottled workers is
  # aggressive for a production banking endpoint; start much lower and
  # raise it only with the owner's agreement.
  max_threads: 50
  # Per-request timeout, in seconds.
  timeout: 30
  # Requests per second; 0 disables throttling entirely.
  # Set a limit when the target enforces lockouts or rate limits, or when
  # real customers share the endpoint.
  rate_limit: 0
  # Retry policy for failed requests: attempt count and delay in seconds.
  max_retries: 2
  retry_delay: 1
# --- OFX protocol variants to exercise --------------------------------------
ofx:
  # Message formats: "sgml" covers OFX 1.x, "xml" covers OFX 2.x.
  formats:
    - "sgml"
    - "xml"

  # OFX 1.x (SGML) header versions, kept as strings.
  sgml_versions:
    - "102"
    - "103"
    - "151"
    - "160"

  # OFX 2.x (XML) header versions, kept as strings.
  xml_versions:
    - "200"
    - "202"
    - "211"
    - "220"

  # Client identities (APPID / APPVER) to present. These impersonate real
  # financial software; some servers filter signons on them.
  app_combinations:
    - appid: "QWIN"
      appver: "2700"
    - appid: "QWIN"
      appver: "2900"
    - appid: "Money"
      appver: "1700"
    - appid: "OFX"
      appver: "0100"
# Module-Specific Configuration
# --- Authentication testing --------------------------------------------------
auth:
  # Wordlists. Every entry is tried against the live signon endpoint, so on
  # a production FI these can lock out real customer accounts — trim the
  # lists and set testing.rate_limit unless lockout testing is in scope.
  default_creds_file: "ofxpwn/payloads/default_creds.txt"
  usernames_file: "ofxpwn/payloads/usernames.txt"
  passwords_file: "ofxpwn/payloads/passwords.txt"

  # Username enumeration. The threshold is in seconds; across a WAN, jitter
  # can exceed 0.5s and yield false positives, so confirm timing-based hits
  # with repeated samples.
  test_enumeration: true
  enum_timing_threshold: 0.5

  # Account lockout probing. Off by default because it sends
  # `lockout_attempts` failed signons on purpose, which will most likely
  # disable the tested account. Enable only for an account you are
  # authorized to lock.
  test_lockout: false
  lockout_attempts: 5
# --- Injection / exploitation tests -----------------------------------------
exploit:
  # XML external entity payloads (presumably only meaningful for the "xml"
  # format). Out-of-band XXE payloads can make the server contact hosts
  # named in the payload file — review that file before a production run.
  xxe_enabled: true
  xxe_payloads_file: "ofxpwn/payloads/xxe_payloads.txt"

  # SQL injection payloads. Time- and error-based payloads add load to the
  # backend database; scope accordingly.
  sqli_enabled: true
  sqli_payloads_file: "ofxpwn/payloads/sqli_payloads.txt"

  # XSS payloads.
  xss_enabled: true
  xss_payloads_file: "ofxpwn/payloads/xss_payloads.txt"

  # LDAP injection. No payload file is configured here, so the payloads are
  # presumably built in.
  ldap_enabled: true
# --- Protocol fuzzing --------------------------------------------------------
fuzz:
  # Malformed / out-of-spec OFX messages.
  protocol_enabled: true

  # Oversized field values, up to max_field_size bytes per field. 100 KB
  # fields are meant to stress a fragile parser, which is also enough to
  # stall a production endpoint — lower the cap there.
  field_overflow_enabled: true
  max_field_size: 100000

  # Character-set / encoding edge cases.
  encoding_enabled: true
# --- Parameter fuzzing (auth/param_fuzzer module) ---------------------------
# Distinct from the `fuzz` section above.
fuzzing:
  # Hard cap on the number of requests the parameter fuzzer sends.
  max_requests: 1000
  # Worker threads for the fuzzer. How this interacts with
  # testing.max_threads is not documented here — confirm which bound wins
  # before pointing it at a production target.
  max_threads: 20
# --- Reconnaissance ----------------------------------------------------------
recon:
  # Send a profile request (PROFRQ) without credentials; a server that
  # answers typically reveals its supported message sets and versions.
  test_unauth_profrq: true
  # Identify the server implementation.
  fingerprint_enabled: true
  # Probe which OFX versions the server accepts.
  version_enum_enabled: true
# --- Infrastructure checks ---------------------------------------------------
infra:
  # TLS checks. If you run these through an intercepting proxy you are
  # testing the proxy's TLS stack, not the target's — run them direct.
  ssl_enabled: true
  # Security-relevant HTTP response headers.
  headers_enabled: true
  # Directory brute force with the wordlist below. Noisy; expect it to
  # trigger WAF/IDS alerts on a monitored target.
  dir_enum_enabled: true
  dir_wordlist: "ofxpwn/payloads/directories.txt"
  # Probe which HTTP methods the endpoint accepts.
  methods_enabled: true