more and seperate words for curl and newman custom spider specs

untra · untra · commit ddefd7cb3e15 · 2022-09-15T18:55:19.000-06:00
diff --git a/README.md b/README.md
@@ -147,7 +147,8 @@ docker run --tty --rm --network host --volume $(pwd):/hawk \
 By default HawkScan will run with the `stackhawk.yml` file if it's defined and present, but can instead use named specs such as `hawk scan stackhawk.yml`
 
 `stackhawk-openapi.yml` - scan with OpenAPI configuration
-`stackhawk-custom-spider.yml` scan with Custom Discovery using newman
+`stackhawk-custom-spider-curl.yml` scan with custom discovery using curl
+`stackhawk-custom-spider-newman.yml` scan with custom discovery using newman
 `stackhawk-auth-script-form-multi.yml` scripted authentication 
 `stackhawk-jsv-form-cookie.yml` scan with form authentication and cookie authorization
 `stackhawk-jsv-json-token` scan with JSON authentication and token authorization
diff --git a/stackhawk-custom-spider-curl.yml b/stackhawk-custom-spider-curl.yml
@@ -0,0 +1,32 @@
+app:
+  applicationId: ${APP_ID:dacc7d3e-babc-47d2-b040-ab117ab04526}
+  env: ${APP_ENV:dev}
+  host: ${APP_HOST:https://localhost:9000}
+  excludePaths:
+    - "/logout"
+#    - "/login-form-multi"
+#    - "/login-code"
+  antiCsrfParam: "_csrf"
+  authentication:
+    loggedInIndicator: "\\QSign Out\\E"
+    loggedOutIndicator: ".*Location:.*/login.*"
+    usernamePassword:
+      type: FORM
+      loginPath: /login
+      loginPagePath: /login
+      usernameField: username
+      passwordField: password
+      scanUsername: "user"
+      scanPassword: "password"
+    cookieAuthorization:
+      cookieNames:
+        - "JSESSIONID"
+    testPath:
+      path: /search
+      success: "HTTP.*200.*"
+hawk:
+  spider:
+    base: false
+    custom:
+      command: curl -x $HTTP_PROXY -k ${APP_HOST:https://localhost:9000}/login?nuance=true
+
diff --git a/stackhawk-custom-spider-newman.yml b/stackhawk-custom-spider-newman.yml
@@ -29,9 +29,6 @@ hawk:
     maxDurationMinutes: 5
     base: false
     custom:
-      command: curl -x $HTTP_PROXY 
       command: newman run javaspringvulny_postman_collection.json --verbose --global-var baseUrl=${APP_HOST:https://localhost:9000} --insecure
       logOutputToForeground: true
-      credentials:
-        SHOULD_BE_REDACTED: 'my-secret-password'
 
