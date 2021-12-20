Home Pentest-Tools.com Logo

Website Scan

This API page refers to the new website scanner engine developed in-house by our team. For more information about tests, please check out our dedicated support article.

Parameters

NameTypeDescriptionValue
tool_idIntegerThe id of this tool170
targetStringThe URL that will be scanned
scan_typeStringThe type of scan that you want to be performed- ptt_engine (current engine)
- light
options[attack][active]Array[String]A list of active test names to run against.
By default this has every test enabled.		- all - Enables all the tests in the category
- xss - XSS tests
- sqli - SQL Injection
- lfi - Local File Inclusion
- oscmdi - OS Command Injection
options[attack][passive]Array[String]A list of passive test names to run against.
By default this has every test enabled.		- all - Enables all the tests in the category
- security_headers - Security Headers
- cookie_security - Cookie Security
- directory_listing - Directory Listing
- secure_communication - Secure Communication
- weak_password_submission - Weak Password Submission Method
- error_debug_messages - Commented code/Error codes
- password_cleartext - Clear Text Submission of Credentials
- cross_domain_source - Verify Domain Sources
- mixed_content - Mixed Encryptions Content
- sensitive_data - Sensitive Data Crawl
- login_interfaces - Find Login Interfaces
options[discovery]Array[String]A list of discovery test names to run against.
By default this has every test enabled.		- all - Enables all the tests in the category
- fingerprint - Fingerprint Website
- software_vulnerabilities - Server Software Vulnerabilities
- check_robots - Check for Robots.txt
- outdated_js - JavaScript libraries
- untrusted_certificates - SSL/TLS Certificates
- client_access_policies - Client access policies
- http_debug_methods - HTTP Debug Methods Enabled
- resource_discovery - Resource Discovery
options[spider][exclude_urls]Array[String]A list of urls test names to run against.
By default this is an empty list representing no paths should be excluded.
options[spider][approach]StringThe crawling style to apply for the spidering process.- classic - (default)
- spa - (currently unavailable, in beta tests)
options[spider][limits][depth]IntegerThe maximum depth measured by number of / that the scanner crawls and scans.This is 10 by default.
options[requests_per_second]IntegerThe maximum number of requests the scanner can make in a second.This is 10000 by default. Accepted values are from 1 to 10000.

Start scan examples

This first example shows a very basic implementation. The request starts the scan with every test turned on, and the default values for the other settings.

{
  "op": "start_scan",
  "tool_id": 170,
  "target": "http://demo.pentest-tools.com/webapp/",
  "tool_params": {
    "scan_type": "ptt_engine"
  }
}

In the second example the structure for an advanced implementation is shown. Pay attention to how the string arrays are expected in the json.

{
  "op": "start_scan",
  "tool_id": 170,
  "target": "http://demo.pentest-tools.com/webapp/",
  "tool_params": {
    "scan_type": "ptt_engine",
    "options": {
      "spider": {
        "approach": "classic",
        "limits": {
          "depth": 10
        },
        "exclude_urls": "http://demo.pentest-tools.com/webapp/logout"
      },
      "attack": {
        "active": ["sqli", "xss"],
        "passive": []
      },
      "discovery": ["all"],
      "requests_per_second": 6000
    }
  }
}