

// src/config.rs
//
// Unified configuration types consumed by every module in the scanner.

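/// Top-level configuration produced by CLI arg parsing in `main.rs`.
///
/// Several fields are credentials (`auth_bearer`, `auth_basic`, `cookies`,
/// and possibly `default_headers` and `proxy`), so `Debug` is implemented by
/// hand below instead of derived: a `{:?}` of the whole struct never prints
/// secret values, only whether they are set and, for header/cookie pairs,
/// their names.
#[derive(Clone)]
pub struct Config {
    /// Maximum number of URLs to scan.  `usize::MAX` means unlimited.
    pub max_endpoints: usize,

    /// Number of URLs scanned concurrently (semaphore width).
    pub concurrency: usize,

    /// Per-scanner enable / disable switches.
    pub toggles: ScannerToggles,

    /// Rate-limiting / retry knobs.
    pub politeness: PolitenessConfig,

    /// WAF-evasion settings.
    pub waf_evasion: WafEvasionConfig,

    /// Default headers applied to every request.  Values may carry tokens
    /// (e.g. an `Authorization` header), so only the names appear in `Debug`.
    pub default_headers: Vec<(String, String)>,

    /// Cookies applied to every request.  Values are treated as secrets and
    /// omitted from `Debug`.
    pub cookies: Vec<(String, String)>,

    /// Optional HTTP/HTTPS proxy URL.  Shown only as set/unset in `Debug`,
    /// because a proxy URL may embed userinfo credentials.
    pub proxy: Option<String>,

    /// Accept invalid TLS certificates (dangerous): certificate validation is
    /// skipped, so the connection no longer authenticates the server and the
    /// credentials configured here can be exposed to an on-path interceptor.
    pub danger_accept_invalid_certs: bool,

    /// Enable active (potentially invasive) checks.
    pub active_checks: bool,

    /// Do not send active-check mutation requests; emit informational "would test" findings.
    pub dry_run: bool,

    /// Enable streaming NDJSON findings (reports while scan is running).
    pub stream_findings: bool,

    /// Optional baseline NDJSON file for diffing (suppress known findings).
    pub baseline_path: Option<std::path::PathBuf>,

    /// Optional session cookie file (JSON) to load/save.  The file holds live
    /// session cookies, so its on-disk permissions matter.
    pub session_file: Option<std::path::PathBuf>,

    /// Optional auth helpers.  Both are secrets and are redacted in `Debug`.
    pub auth_bearer: Option<String>,
    pub auth_basic: Option<String>,

    /// Optional auth flow descriptor (loaded from --auth-flow file).
    pub auth_flow: Option<std::path::PathBuf>,

    /// Second credential set for cross-user IDOR checks (--auth-flow-b).
    pub auth_flow_b: Option<std::path::PathBuf>,

    /// Additional auth-like headers to strip for unauthenticated probes.
    pub unauth_strip_headers: Vec<String>,

    /// Enable per-host HTTP client pools.
    pub per_host_clients: bool,

    /// Enable adaptive concurrency.
    pub adaptive_concurrency: bool,

    /// Skip endpoint discovery and scan only provided seed URLs.
    pub no_discovery: bool,

    /// Suppress verbose progress output.
    pub quiet: bool,
}

impl std::fmt::Debug for Config {
    /// Same shape as the derived impl, but credential-bearing fields are
    /// reduced to set/unset markers or to key names so that a logged
    /// `Config` cannot leak tokens, passwords or session cookies.
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        // Set/unset marker for an optional secret.
        fn present(v: &Option<String>) -> &'static str {
            if v.is_some() { "Some(<redacted>)" } else { "None" }
        }
        // Key names only; header and cookie values stay out of the output.
        fn names(pairs: &[(String, String)]) -> Vec<&str> {
            pairs.iter().map(|(k, _)| k.as_str()).collect()
        }
        f.debug_struct("Config")
            .field("max_endpoints", &self.max_endpoints)
            .field("concurrency", &self.concurrency)
            .field("toggles", &self.toggles)
            .field("politeness", &self.politeness)
            .field("waf_evasion", &self.waf_evasion)
            .field("default_headers", &names(&self.default_headers))
            .field("cookies", &names(&self.cookies))
            .field("proxy", &format_args!("{}", present(&self.proxy)))
            .field("danger_accept_invalid_certs", &self.danger_accept_invalid_certs)
            .field("active_checks", &self.active_checks)
            .field("dry_run", &self.dry_run)
            .field("stream_findings", &self.stream_findings)
            .field("baseline_path", &self.baseline_path)
            .field("session_file", &self.session_file)
            .field("auth_bearer", &format_args!("{}", present(&self.auth_bearer)))
            .field("auth_basic", &format_args!("{}", present(&self.auth_basic)))
            .field("auth_flow", &self.auth_flow)
            .field("auth_flow_b", &self.auth_flow_b)
            .field("unauth_strip_headers", &self.unauth_strip_headers)
            .field("per_host_clients", &self.per_host_clients)
            .field("adaptive_concurrency", &self.adaptive_concurrency)
            .field("no_discovery", &self.no_discovery)
            .field("quiet", &self.quiet)
            .finish()
    }
}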
/// Individual scanner toggle flags.
///
/// One switch per scanner module.  NOTE(review): the enable/disable meaning
/// of `true` is taken from the `Config::toggles` description ("enable /
/// disable switches"); the consuming modules are not in this file — confirm.
#[derive(Debug, Clone)]
pub struct ScannerToggles {
    /// Cross-Origin Resource Sharing checks.
    pub cors: bool,
    /// Content-Security-Policy checks.
    pub csp: bool,
    /// GraphQL endpoint checks.
    pub graphql: bool,
    /// General API security checks.
    pub api_security: bool,
    /// JSON Web Token checks.
    pub jwt: bool,
    /// OpenAPI / Swagger document checks.
    pub openapi: bool,
    /// Mass-assignment checks.
    pub mass_assignment: bool,
    /// OAuth / OpenID Connect checks.
    pub oauth_oidc: bool,
    /// Rate-limiting checks.
    pub rate_limit: bool,
    /// CVE template checks.
    pub cve_templates: bool,
    /// WebSocket checks.
    pub websocket: bool,
}
/// Network politeness knobs.
///
/// These bound the load the scanner puts on a target host: the per-host delay
/// spaces requests out, the retry count caps how often a transient failure is
/// re-sent, and the timeout bounds how long a single request may hang.
#[derive(Debug, Clone)]
// NOTE(review): the allow suggests not every field is read yet — confirm
// against the consuming modules before relying on one of them.
#[allow(dead_code)]
pub struct PolitenessConfig {
    /// Minimum delay between requests per host (ms).
    pub delay_ms: u64,
    /// Maximum retry attempts on transient errors.
    pub retries: u32,
    /// Per-request timeout (seconds).
    pub timeout_secs: u64,
}
/// WAF evasion configuration.
///
/// Only the settings live here; the heuristics that use them are applied by
/// other modules, so nothing in this file says how or when they fire.
#[derive(Debug, Clone)]
// NOTE(review): the allow suggests a field is not read yet — confirm with
// the consuming modules.
#[allow(dead_code)]
pub struct WafEvasionConfig {
    /// Master switch for WAF evasion heuristics.
    pub enabled: bool,
    /// User-Agent rotation pool: the strings a request may be sent with.
    /// Which one is chosen, and when, is decided by the consuming module.
    pub user_agents: Vec<String>,
}
108    /// Master switch for WAF evasion heuristics.
109    pub enabled: bool,
110    /// User-Agent rotation pool.
111    pub user_agents: Vec<String>,
112}