This API page refers to the new Website Scanner engine developed in-house by our team. For more information about the individual tests, please check out our dedicated support article.

Parameters

Each parameter is listed as Name (Type) - Description, followed by its accepted values where the value set is fixed.

tool_id (Integer) - The id of this tool. Value: 170

target (String) - The URL that will be scanned.

scan_type (String) - The type of scan that you want to be performed. Accepted values:
- ptt_engine - the current engine
- light

options[attack][active] (Array[String]) - A list of active test names to run against the target. By default every test in this category is enabled. Accepted values:
- all - enables all the tests in the category
- xss - XSS tests
- sqli - SQL Injection
- lfi - Local File Inclusion
- oscmdi - OS Command Injection

options[attack][passive] (Array[String]) - A list of passive test names to run against the target. By default every test in this category is enabled. Accepted values:
- all - enables all the tests in the category
- security_headers - Security Headers
- cookie_security - Cookie Security
- directory_listing - Directory Listing
- secure_communication - Secure Communication
- weak_password_submission - Weak Password Submission Method
- error_debug_messages - Commented code / error and debug messages
- password_cleartext - Clear Text Submission of Credentials
- cross_domain_source - Verify Domain Sources
- mixed_content - Mixed Content (HTTP resources loaded from an HTTPS page)
- sensitive_data - Sensitive Data Crawl
- login_interfaces - Find Login Interfaces

options[discovery] (Array[String]) - A list of discovery test names to run against the target. By default every test in this category is enabled. Accepted values:
- all - enables all the tests in the category
- fingerprint - Fingerprint Website
- software_vulnerabilities - Server Software Vulnerabilities
- check_robots - Check for Robots.txt
- outdated_js - JavaScript libraries
- untrusted_certificates - SSL/TLS Certificates
- client_access_policies - Client access policies
- http_debug_methods - HTTP Debug Methods Enabled
- resource_discovery - Resource Discovery

options[spider][exclude_urls] (Array[String]) - A list of URLs that the spider must not crawl or scan. By default this is an empty list, meaning no paths are excluded.

options[spider][approach] (String) - The crawling style to apply for the spidering process. Accepted values:
- classic - (default)
- spa - (currently unavailable, in beta tests)

options[spider][limits][depth] (Integer) - The maximum depth, measured by the number of / in the path, that the scanner crawls and scans. This is 10 by default.

options[requests_per_second] (Integer) - The maximum number of requests the scanner can make in a second. This is 10000 by default. Accepted values are from 1 to 10000.

Start scan examples

This first example shows a very basic implementation. The request starts the scan with every test turned on and the default values for the other settings.

{
  "op": "start_scan",
  "tool_id": 170,
  "target": "http://demo.pentest-tools.com/webapp/",
  "tool_params": {
    "scan_type": "ptt_engine"
  }
}

The second example shows the structure of an advanced implementation. Pay attention to how the string arrays (the test lists and the excluded URLs) are expected in the JSON.
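As an added example (not code from the Website Scanner API documentation), the following Python builds a start_scan request body from the parameter table above and rejects unknown test names, an invalid spider approach or depth, a rate outside 1-10000 and a non-http(s) target before serialising the request. The function names and the sample URLs in the __main__ block are assumptions; the API endpoint and authentication are not covered on this page, so the script only produces the JSON and does not send it.

```python
"""Build and validate 'start_scan' request bodies for the Website Scanner (tool_id 170).

Added example: the allowed values below are copied from the parameter table on
this page; the function names are this example's own choice.
"""
import json
from urllib.parse import urlsplit

TOOL_ID = 170
SCAN_TYPES = {"ptt_engine", "light"}
SPIDER_APPROACHES = {"classic", "spa"}  # the page lists spa as unavailable (beta)

# Test names exactly as listed in the parameter table.
ACTIVE_TESTS = {"all", "xss", "sqli", "lfi", "oscmdi"}
PASSIVE_TESTS = {
    "all", "security_headers", "cookie_security", "directory_listing",
    "secure_communication", "weak_password_submission", "error_debug_messages",
    "password_cleartext", "cross_domain_source", "mixed_content",
    "sensitive_data", "login_interfaces",
}
DISCOVERY_TESTS = {
    "all", "fingerprint", "software_vulnerabilities", "check_robots",
    "outdated_js", "untrusted_certificates", "client_access_policies",
    "http_debug_methods", "resource_discovery",
}


def _check_tests(category, names, allowed):
    """Return the test list, or raise on a name the API does not know.

    'all' already enables the whole category, so a list containing it is
    collapsed to ["all"] to avoid sending redundant entries.
    """
    names = list(names)
    unknown = sorted(set(names) - allowed)
    if unknown:
        raise ValueError(f"unknown {category} test(s): {', '.join(unknown)}")
    if "all" in names:
        return ["all"]
    return names


def build_start_scan(target, *, scan_type="ptt_engine", active=None, passive=None,
                     discovery=None, exclude_urls=None, approach=None, depth=None,
                     requests_per_second=None):
    """Return the JSON-serialisable request body for a start_scan call.

    Only the options the caller sets are emitted, so the API's own defaults
    (every test enabled, classic spider, depth 10, 10000 requests/second) apply
    to everything that is left out.
    """
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"target must be an http(s) URL: {target!r}")
    if scan_type not in SCAN_TYPES:
        raise ValueError(f"scan_type must be one of {sorted(SCAN_TYPES)}")

    params = {"scan_type": scan_type}
    options = {}

    attack = {}
    if active is not None:
        attack["active"] = _check_tests("active", active, ACTIVE_TESTS)
    if passive is not None:
        attack["passive"] = _check_tests("passive", passive, PASSIVE_TESTS)
    if attack:
        options["attack"] = attack
    if discovery is not None:
        options["discovery"] = _check_tests("discovery", discovery, DISCOVERY_TESTS)

    spider = {}
    if exclude_urls is not None:
        spider["exclude_urls"] = [str(u) for u in exclude_urls]  # JSON array of strings
    if approach is not None:
        if approach not in SPIDER_APPROACHES:
            raise ValueError(f"approach must be one of {sorted(SPIDER_APPROACHES)}")
        spider["approach"] = approach
    if depth is not None:
        if not isinstance(depth, int) or depth < 0:
            raise ValueError("depth must be a non-negative integer")
        spider["limits"] = {"depth": depth}
    if spider:
        options["spider"] = spider

    if requests_per_second is not None:
        if not isinstance(requests_per_second, int) or not 1 <= requests_per_second <= 10000:
            raise ValueError("requests_per_second must be an integer from 1 to 10000")
        options["requests_per_second"] = requests_per_second

    if options:
        params["options"] = options
    return {"op": "start_scan", "tool_id": TOOL_ID, "target": target, "tool_params": params}


def to_json(request):
    """Serialise a request body the way it is sent to the API."""
    return json.dumps(request, indent=2)


if __name__ == "__main__":
    # Basic request: every test on, all other settings at their defaults.
    print(to_json(build_start_scan("http://demo.pentest-tools.com/webapp/")))
    # Advanced request with explicit string arrays and a throttled rate (sample values).
    print(to_json(build_start_scan(
        "http://demo.pentest-tools.com/webapp/",
        active=["xss", "sqli"],
        passive=["security_headers", "cookie_security"],
        discovery=["all"],
        exclude_urls=["http://demo.pentest-tools.com/webapp/logout"],
        approach="classic",
        depth=5,
        requests_per_second=50,
    )))
```

The builder leaves out any option the caller does not set, so the API's defaults stay in effect. One of those defaults worth overriding on real targets is requests_per_second: the page's default of 10000 is the ceiling, and a much lower value keeps the scan from overloading a production application.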