Expert Usage: Advanced Configuration and Control¶
Escape's core philosophy revolves around being intuitive and accessible right out of the box. But, for those power users who crave granular control and fine-tuning, welcome to the "Expert Mode."
The escaperc
Configuration File 📦¶
Features at a Glance 🔍¶
- Access Control Testing: Ensure only the right users access the right resources.
- Tenant Isolation: Validate segregation between different users and groups.
- Private Data Protection: Keep sensitive information under wraps.
- Custom Payload Injection: Tailor-make your payloads for specialized testing.
- Custom Authentication: Generate specific tokens and harness various authentication mechanisms tailored to your needs.
- Blacklist & Hotstart Queries: Have full control over which queries get tested.
- Coverage Improvement: Make sure no endpoint is left untested.
- Request Frequency & Rate Limiting: Adjust how Escape interacts with your systems, ensuring optimal performance and thorough scanning.
🌟 Community Contributions\ Our vibrant community is always excited to share their perfected escaperc
configurations, pooling collective expertise for everyone's benefit. Feel free to dive in, learn from others, and share your own expert configurations!
If mastering every nook and cranny of your security strategy is your game, the "Expert Mode" is your playground. Dive in and harness the unparalleled depth Escape offers!
Example¶
Here is an example using the expert tab
scan:
blacklist:
routes:
- path: "/a/path/to/blacklist"
method: GET
- path: "/another/path/to/blacklist"
method: POST
hotstart:
- |-
POST /register HTTP/1.1
Host: example.com
Content-Type: application/json
Content-Length: 194
{"my": "data"}
- |+
GET /users HTTP/1.1
Host: example.com
Content-Type: application/json
Content-Length: 194
profile: deep
read_only: true
scalars:
SSET:
description: The Super Secret Example Token is internal to our company and should
never been exposed by any APIs.
examples:
- SSET-ABC12
names:
- SSET
- super_secret_example_token
- SuperSecretExampleToken
parents:
- String
patterns:
- SSET-[A-Z0-9]{5}
sensitivity: HIGH
entropy: 2
client:
concurrent_connection: 64
concurrent_tasks: 8
proxy:
type: repeater
target: ESCAPE_REPEATER_ID=e8be7999-6b9c-49ba-9c44-8c0a2c07c100
request_timeout: 5
requests_per_minute: 100
authentication:
presets:
- type: digest
first_request:
url: https://api.example.com/request
method: GET
cookies:
session_id: '123456'
headers:
Accept: application/json
query_parameters:
query: info
second_request:
url: https://api.example.com/authenticate
method: POST
users:
- username: alice
password: aliceSecret
- username: bob
password: bobSecret
checks:
alert:
name: Deletion successful
context: >
For compliance reasons, the non-admin user must not be able to delete some
data via the API.
severity: HIGH
detect:
- if: helpers.request.crud
is: DELETE
- if: request.user
is_not: admin
- if: helpers.response.is_successful
is: true
Best Practices¶
- Start with default configurations
- Gradually introduce custom settings
- Test and validate each configuration change
- Monitor scan results and performance
- Leverage Escape's flexible configuration options
Customization Flexibility
The escaperc
file provides extensive customization without compromising the core scanning capabilities.
Index¶
- Rate Limiting
- Blocklist & Hotstart
- API Custom Payloads
- API Access Control
- Scan Internal Applications
- API DAST Reference
- Data Types Reference
- SPA DAST Parameters
- GraphQL Persisted Queries
- Retrieve a GraphQL Schema