Target Configuration

Proper target configuration ensures AIPTx can thoroughly test your application while respecting boundaries.

Basic Target Specification

Single URL

aiptx scan https://example.com

Multiple URLs

aiptx scan https://app.example.com https://api.example.com

With Configuration File

aiptx scan --config ./aiptx.yaml

Configuration File

Create an aiptx.yaml file for complex configurations:
# aiptx.yaml
target:
  urls:
    - https://app.example.com
    - https://api.example.com

scan:
  mode: standard
  type: full

authentication:
  type: bearer
  token: ${AIPTX_AUTH_TOKEN}  # Environment variable

scope:
  include:
    - /api/*
    - /app/*
  exclude:
    - /api/health
    - /api/metrics
    - /admin/*

headers:
  X-Custom-Header: "value"
  X-Request-ID: "aiptx-scan"

rate_limit:
  requests_per_second: 10
  concurrent_requests: 5

Scope Configuration

Include Patterns

Specify which paths to test:
scope:
  include:
    - /api/v1/*
    - /api/v2/*
    - /users/*
    - /orders/*

Exclude Patterns

Exclude sensitive or irrelevant paths:
scope:
  exclude:
    - /health
    - /metrics
    - /admin/*
    - /internal/*
    - "*.pdf"   # quoted: an unquoted leading * is a YAML alias, not a glob
    - "*.css"
    - "*.js"

Domain Restrictions

scope:
  domains:
    - example.com
    - api.example.com
  exclude_domains:
    - analytics.example.com
    - cdn.example.com
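To see how the include, exclude and domain settings above combine, here is an added Python example (not AIPTx's own code) that evaluates a scope block against candidate URLs. It assumes shell-style glob matching where `*` may span `/`, exact hostname matching for the domain lists, and that an exclude rule always wins over an include rule.

```python
import fnmatch
from urllib.parse import urlparse

# Constructed scope section mirroring the page's examples (assumed semantics below).
SCOPE = {
    "domains": ["example.com", "api.example.com"],
    "exclude_domains": ["analytics.example.com", "cdn.example.com"],
    "include": ["/api/*", "/app/*"],
    "exclude": ["/api/health", "/api/metrics", "/admin/*", "*.pdf", "*.js"],
}


def _matches(path, patterns):
    # Assumption: shell-style globs; '*' may span '/' so '/api/*' covers nested paths.
    return any(fnmatch.fnmatchcase(path, p) for p in patterns)


def scope_decision(url, scope):
    """Return (allowed, reason). Exclusions take precedence over inclusions."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    path = parsed.path or "/"
    # Domain checks first: an excluded domain is never tested, regardless of path.
    if host in scope.get("exclude_domains", []):
        return False, f"domain {host} is excluded"
    domains = scope.get("domains")
    if domains and host not in domains:
        return False, f"domain {host} not in allowed domains"
    # Path checks: exclude patterns win, then the path must hit an include pattern.
    if _matches(path, scope.get("exclude", [])):
        return False, f"path {path} matches an exclude pattern"
    include = scope.get("include")
    if include and not _matches(path, include):
        return False, f"path {path} matches no include pattern"
    return True, "in scope"


def filter_in_scope(urls, scope):
    """Keep only the URLs the scanner would be allowed to touch."""
    return [u for u in urls if scope_decision(u, scope)[0]]
```

Running `scope_decision` over the URLs a crawl discovers, before any request is sent, is a cheap way to confirm the exclude list really covers health checks, admin paths and static assets.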

Authentication Configuration

Bearer Token

authentication:
  type: bearer
  token: "eyJhbGciOiJIUzI1NiIs..."

Basic Auth

authentication:
  type: basic
  username: "testuser"
  password: "${AIPTX_PASSWORD}"

Cookie

authentication:
  type: cookie
  cookies:
    session_id: "abc123"
    csrf_token: "xyz789"

Custom Headers

authentication:
  type: custom
  headers:
    Authorization: "Bearer ${TOKEN}"
    X-API-Key: "${API_KEY}"

Login Flow

For applications requiring login:
authentication:
  type: login
  login_url: "https://example.com/login"
  credentials:
    username_field: "email"
    username: "[email protected]"
    password_field: "password"
    password: "${AIPTX_PASSWORD}"
  success_indicator: "Dashboard"

API Configuration

OpenAPI/Swagger

api:
  spec: ./openapi.yaml
  # or a remote URL instead (a mapping may not repeat the spec key):
  # spec: https://api.example.com/openapi.json

GraphQL

api:
  type: graphql
  endpoint: https://api.example.com/graphql
  introspection: true

Custom Endpoints

api:
  endpoints:
    - method: POST
      path: /api/users
      body:
        name: "{{fuzz}}"
        email: "{{fuzz}}@example.com"

    - method: GET
      path: /api/users/{{user_id}}
      params:
        user_id: ["1", "2", "admin"]

Rate Limiting

Protect your infrastructure from overload:
rate_limit:
  requests_per_second: 10
  concurrent_requests: 5
  delay_between_requests: 100  # milliseconds

  # Respect server rate limits
  respect_retry_after: true

  # Back off on errors
  backoff:
    enabled: true
    initial_delay: 1000
    max_delay: 30000
    multiplier: 2

Environment-Specific Configs

Development

# aiptx.dev.yaml
target:
  urls:
    - https://dev.example.com

scan:
  mode: quick

rate_limit:
  requests_per_second: 50

Staging

# aiptx.staging.yaml
target:
  urls:
    - https://staging.example.com

scan:
  mode: standard

Production

# aiptx.prod.yaml
target:
  urls:
    - https://example.com

scan:
  mode: standard

rate_limit:
  requests_per_second: 5

schedule:
  time: "02:00"
  timezone: "UTC"

Using Environment Variables

Secure sensitive values with environment variables:
authentication:
  token: ${AIPTX_AUTH_TOKEN}

api:
  key: ${API_KEY}

export AIPTX_AUTH_TOKEN="your_token"
export API_KEY="your_api_key"
aiptx scan --config ./aiptx.yaml

Validation

Validate your configuration before scanning:
aiptx config validate ./aiptx.yaml

Output:
Configuration validation results:
  Target URLs: 2 valid
  Authentication: Configured (bearer)
  Scope: 4 include patterns, 3 exclude patterns
  Rate Limit: 10 req/s, 5 concurrent

Configuration is valid.