Vulnerability Scanner
Initializing a Scan
The Scan Request endpoint is the method responsible for initializing the scan of a target. Upon request, it returns a unique analysis identifier that should be used later to verify the progress of the process, as well as information about the target host and the vulnerabilities found.
Scan jobs can be configured by passing an optional "preferences" object. To view the full list of options please visit:
Request
To request the endpoint, you must enter the required credentials, as shown in the following example:
Example cURL request - Initiating a scan with XSS and SQL tasks enabled
curl --location --request POST 'https://api.vscanner.ai/v1/api/scan' \
--header 'Authorization: Bearer <API_KEY>' \
--header 'Content-Type: application/json' \
--data-raw '{
"url": "example.com",
"preferences": {
"scan_type" : "lite",
"cms_brute_force": 0,
"scan_speed": "fast",
"web_brute_force": 0,
"xss": true ,
"sql": true ,
"scan_deep" : 3
}
}'
Example cURL request - Initiating a scan with all crawler options enabled, SQL and XSS
curl --location --request POST 'https://api.vscanner.ai/v1/api/scan' \
--header 'Authorization: Bearer <API_KEY>' \
--header 'Content-Type: application/json' \
--data-raw '{
"url": "example.com",
"preferences": {
"scan_type" : "lite",
"scan_speed": "fast",
"xss": true ,
"sql": true ,
"scan_deep" : 3,
"crawler_options": {
"exposed_emails": true ,
"open_redirect": true ,
"exposed_apikeys": true ,
"open_directory": true ,
"exposed_information": true ,
"backdoor_detection": true ,
"search_url_malware": true
}
}
}'
Example Python request - starting a Full scan
import requests
import json
api_key = "<API_KEY>"  # replace with your API key
url = "https://api.vscanner.ai/v1/api/scan"
payload = json.dumps({
"url": "example.com",
# The "preferences" is an optional object used to configure the scanner.
# More information regarding each parameter can be found at:
# https://docs.vscanner.ai/api-docs/vscanner-api-docs/vulnerability-scanner/scanner-preferences
"preferences": {
"scan_type": "full",
"cms_brute_force": 0,
"scan_speed": "fast",
"web_brute_force": 0,
"scan_deep": 3
}
})
headers = {
'Authorization': f'Bearer {api_key}',
'Content-Type': 'application/json'
}
response = requests.request("POST", url, headers=headers, data=payload)
print(response.json())
*Filling in the API_KEY value is mandatory.
Return
The request response, in JSON format, contains the identification of the analysis for monitoring and obtaining the result.
Successful response
{"enqueued_scan_id": "<SCANJOB_ID>"}
Getting Results for a Scan
The Fetch Scan by ID endpoint is the method responsible for returning the status, found vulnerabilities, and the percentage of completion of a certain scan. If the scan is in progress, you can still check the partial results.
You can also pass an optional language query parameter to determine the language of the returned response. Note: only vulnerability descriptions and remediations are translated. Currently VScanner supports the following languages:
Scans not initiated
Scans might take some time to get picked up by our workers. When a scan has been received and is still in the queue to be processed, fetching the scan returns the following JSON:
{
"detail" : "Scan not initiated yet"
}
Receiving this message does not indicate an error and the scan will be executed.
Request
To request the endpoint, you must enter the required credentials, as shown in the following example:
API Key Fetch Scan
GET
https://api.vscanner.ai/v1/api/scan/<ENQUEUED_SCAN_ID>?language=en
Fetches the result of a given scan id.
Query Parameters
Example cURL request
curl --location 'https://api.vscanner.ai/v1/api/scan/<ENQUEUED_SCAN_ID>?language=en&issue_types=true' \
--header 'Authorization: Bearer <API_KEY>'
Example Python request
import requests
api_key = "<API_KEY>"  # replace with your API key
enqueue_scan_id = "<ENQUEUED_SCAN_ID>"  # value of "enqueued_scan_id" returned by the scan request
url = f"https://api.vscanner.ai/v1/api/scan/{enqueue_scan_id}"
payload={}
headers = {
'Authorization': f"Bearer {api_key}",
}
response = requests.request("GET", url, headers=headers, data=payload)
print(response.json())
*Filling in the API_KEY value is mandatory.
Return
The request response, in JSON format, contains the results and the status of the scan.
Successful response
For this example response, the URL: https://example.com was used.
JSON Response
{
"issuesSummaryTotal": 4,
"issuesCategoriesSummary": {
"Improper Access Control": 3,
"Improper Control of a Resource Through its Lifetime": 1
},
"issues": [
{
"group": "Improper Access Control",
"name": "The X-Frame-Options header is missing",
"severity": "warning",
"cve": [],
"cwe": [
657
],
"cvss": {
"score": 3.5,
"detail": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"
},
"remediation": "The X-Frame-Options is an HTTP response header that aids in preventing clickjacking attacks by regulating how a website is rendered on another site's frame, iframe, or object. It has three potential values: 'SAMEORIGIN' (allows rendering on the same domain only), 'DENY' (blocks rendering on any origin), and 'ALLOW-FROM uri' (permits rendering only on a specified origin). To apply X-Frame-Options, add it to the HTTP response on your web server. The implementation varies with the web server software. For example, in Apache, add \"Header set X-Frame-Options 'SAMEORIGIN'\" to the .htaccess file. The 'SAMEORIGIN' value is advised for most websites, allowing intra-domain framing but blocking inter-domain ones.",
"references": "https://cwe.mitre.org/data/definitions/657.html",
"description": "The lack of the X-Frame-Options header in the response from the Web application server, makes it possible to hijack on the user's click, where through a malicious indexing of a page on an attacker's website, it could allow the hiding of this domain through an overlay, causing involuntary actions performed by a victim in the background.\nThis type of exploit could make other security vulnerabilities even more serious, such as turning a self-XSS into a reflected one. Self-XSS occurs when a certain user input field is not properly filtered, this type of exploitation that, in theory, would only happen on the attacker's computer and would have to require a lot of interaction from the victim to happen, in addition to just clicking or visiting the page as in other cases, however, the user click hijacking ends up hiding from the victim's eyes what he actually ends up doing, this exploration can end up triggering what would simply be a self-XSS without any security impact, for a conventional one, such as the reflected one.",
"raw": {}
},
{
"group": "Improper Access Control",
"name": "X-XSS-Protection header is missing",
"severity": "critical",
"cve": [],
"cwe": [
79
],
"cvss": {
"score": 6.5,
"detail": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
},
"remediation": "The X-XSS-Protection header in the web server response and a Web Application Firewall are recommended to prevent security vulnerabilities like XSS attacks. Adding the X-XSS-Protection header to all web pages can be done through server configuration or direct HTML code insertion. A typical setting, \"X-XSS-Protection: 1; mode=block\", activates browser's XSS protection and blocks any identified XSS attack.",
"references": "https://cwe.mitre.org/data/definitions/79.html",
"description": "The X-XSS-Protection header is missing, which could make it easier to Cross-site scripting (XSS) exploration, as on the reviewed site, does not have any filter that could prevent exploitation of this security hole. XSS vulnerability happens due to a parameter that is not well filtered and ends up reflecting entirely everything that is typed by the user via the URL, including HTML tags and JavaScript codes.\nIf successfully exploited this vulnerability could allow that an attacker could craft a fake page within the sitetrue what would bring about a legitimacy in the coup. Furthermore, as this is a flaw in the site, mechanisms for third party protection would be ineffective.\nIf the user's session is shared with other subdomains and the victim is logged in the moment they click the malicious link, an attacker who injected malicious code could capture the victim's session without having to collect passwords and would have the same access privileges as that user. This situation becomes even more serious if a certain session captured for some administrative access, which could cause the elevation of an attacker's privileges or the exploitation of otherssecurity flaws.",
"raw": {}
},
{
"group": "Improper Access Control",
"name": "X-Content-Type-Options header is missing",
"severity": "warning",
"cve": [],
"cwe": [
693
],
"cvss": {
"score": 5.4,
"detail": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
},
"remediation": "Implement the X-Content-Type-Options header in the server response.",
"references": "https://cwe.mitre.org/data/definitions/693.html",
"description": "Failure to use X-Content-Type-Options header could allow an attacker to spoof a certain type of file that would be analyzed through MIME type detection, which could confuse the browser from its actual validation, where it would lead to the execution of othervulnerabilities such as Cross-site scripting. When a file does not have enough information to determine its origin, such as the presence of metadata, browsers determine the extension of that file, from its contents.\nThis type of behavior can become a security risk,if the browser misinterprets a given file in some form of uploading files, for example, a JPEG file could have been misinterpreted, if the content of your file existed HTML tags and Javascript codes, instead of the browser treating this extension as a corrupted image, would execute the codes typed by the user or in a malicious wayby falsifying a victim's request, after clicking a fake link or visiting a website controlled by an attacker.",
"raw": {}
},
{
"group": "Improper Control of a Resource Through its Lifetime",
"name": "The domain https://example.com may be vulnerable to email spoofing.",
"severity": "medium",
"cve": [],
"cwe": [
290
],
"cvss": {
"score": 5.3,
"detail": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
},
"remediation": "Set up DMARC, DKIM, and SPF for email security. DMARC requires creating a record in your domain's DNS, detailing report address and message failure policy. DKIM involves generating a public/private key pair, publishing the public key in DNS as a TXT record, and configuring your email server to sign messages with the private key. SPF requires creating a DNS record that lists authorized email servers for your domain. Setup can vary with different email server software and hosting providers; check your specific setup's documentation.",
"references": "https://cwe.mitre.org/data/definitions/290.html",
"description": "Email spoofing is the creation of email messages with a forged sender address. The term applies to email purporting to be from an address which is not actually the sender's; mail sent in reply to that address may bounce or be delivered to an unrelated party whose identity has been faked. Assistant: ['https://example.com has no SPF record!', 'No DMARC record found. Looking for organizational record', 'No organizational DMARC record']",
"raw": {}
}
],
"identificator": "c8697aea-27dd-11ee-8393-86cc806e9f71",
"issuesSummary": {
"critical": 1,
"high": 0,
"medium": 1,
"low": 0,
"warning": 2
},
"totalChecked": 23498,
"information": {
"services": [
{
"state": "open",
"reason": "syn-ack",
"name": "http",
"product": "Edgecast CDN httpd",
"version": "",
"port": 80
},
{
"state": "open",
"reason": "syn-ack",
"name": "http",
"product": "Edgecast CDN httpd",
"version": "",
"port": 443
},
{
"state": "closed",
"reason": "reset",
"name": "bnetgame",
"product": "",
"version": "",
"port": ""
},
{
"state": "closed",
"reason": "reset",
"name": "rtmp",
"product": "",
"version": "",
"port": ""
}
],
"emails": [],
"components": {
"Amazon Web Services": null,
"Azure CDN": null,
"Amazon ECS": null,
"Docker": null
},
"database": {},
"web_server": {},
"os": {},
"cdn": "Azure CDN",
"cms": null,
"certificate": [
{
"Issue On": {
"$date": 1673593200
},
"Expires On": {
"$date": 1707893999
},
"commonName": "DigiCert TLS RSA SHA256 2020 CA1",
"subject": "www.example.org",
"sha1": "F2:AA:D7:3D:32:68:3B:71:6D:2A:7D:61:B5:1C:6D:57:64:AB:38:99",
"sha256": "5E:F2:F2:14:26:0A:B8:F5:8E:55:EE:A4:2E:4A:C0:4B:0F:17:18:07:D8:D1:18:5F:DD:D6:74:70:E9:AB:60:96",
"serial_number": "0c:1f:cb:18:45:18:c7:e3:86:67:41:23:6d:6b:73:f1",
"subjectAltName": [
"www.example.org",
"example.net",
"example.edu",
"example.com",
"example.org",
"www.example.com",
"www.example.edu",
"www.example.net"
]
},
{
"Issue On": {
"$date": 1618380000
},
"Expires On": {
"$date": 1933912799
},
"commonName": "DigiCert Global Root CA",
"subject": "DigiCert TLS RSA SHA256 2020 CA1",
"sha1": "1C:58:A3:A8:51:8E:87:59:BF:07:5B:76:B7:50:D4:F2:DF:26:4F:CD",
"sha256": "52:27:4C:57:CE:4D:EE:3B:49:DB:7A:7F:F7:08:C0:40:F7:71:89:8B:3B:E8:87:25:A8:6F:B4:43:01:82:FE:14",
"serial_number": "06:d8:d9:04:d5:58:43:46:f6:8a:2f:a7:54:22:7e:c4"
}
],
"waf": [
"Edgecast (Verizon Digital Media)"
],
"ips": [
"93.184.216.34"
],
"isp": "Verizon Business",
"total_checked": 23498
},
"preferences": {
"services_brute_force": 0,
"web_brute_force": 0,
"scan_type": "full",
"leak_data_usage": 0,
"scan_deep": 3,
"cms_brute_force": 0,
"search_in_web_cache": false,
"scan_speed": "fast"
},
"percentage": "97.92",
"startDate": "2023-07-21T15:46:39.867590Z",
"endDate": null
}
JSON Response with `issue_types=true`
{
"issuesSummaryTotal": 4,
"issuesCategoriesSummary": {
"Improper Access Control": 3,
"Improper Control of a Resource Through its Lifetime": 1
},
"issues": {
"headers": {
"issues": [
{
"group": "Improper Access Control",
"name": "The X-Frame-Options header is missing",
"severity": "warning",
"cve": [],
"cwe": [
657
],
"cvss": {
"score": 3.5,
"detail": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"
},
"remediation": "The X-Frame-Options is an HTTP response header that aids in preventing clickjacking attacks by regulating how a website is rendered on another site's frame, iframe, or object. It has three potential values: 'SAMEORIGIN' (allows rendering on the same domain only), 'DENY' (blocks rendering on any origin), and 'ALLOW-FROM uri' (permits rendering only on a specified origin). To apply X-Frame-Options, add it to the HTTP response on your web server. The implementation varies with the web server software. For example, in Apache, add \"Header set X-Frame-Options 'SAMEORIGIN'\" to the .htaccess file. The 'SAMEORIGIN' value is advised for most websites, allowing intra-domain framing but blocking inter-domain ones.",
"references": "https://cwe.mitre.org/data/definitions/657.html",
"description": "The lack of the X-Frame-Options header in the response from the Web application server, makes it possible to hijack on the user's click, where through a malicious indexing of a page on an attacker's website, it could allow the hiding of this domain through an overlay, causing involuntary actions performed by a victim in the background.\nThis type of exploit could make other security vulnerabilities even more serious, such as turning a self-XSS into a reflected one. Self-XSS occurs when a certain user input field is not properly filtered, this type of exploitation that, in theory, would only happen on the attacker's computer and would have to require a lot of interaction from the victim to happen, in addition to just clicking or visiting the page as in other cases, however, the user click hijacking ends up hiding from the victim's eyes what he actually ends up doing, this exploration can end up triggering what would simply be a self-XSS without any security impact, for a conventional one, such as the reflected one.",
"raw": {}
},
{
"group": "Improper Access Control",
"name": "X-XSS-Protection header is missing",
"severity": "critical",
"cve": [],
"cwe": [
79
],
"cvss": {
"score": 6.5,
"detail": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
},
"remediation": "The X-XSS-Protection header in the web server response and a Web Application Firewall are recommended to prevent security vulnerabilities like XSS attacks. Adding the X-XSS-Protection header to all web pages can be done through server configuration or direct HTML code insertion. A typical setting, \"X-XSS-Protection: 1; mode=block\", activates browser's XSS protection and blocks any identified XSS attack.",
"references": "https://cwe.mitre.org/data/definitions/79.html",
"description": "The X-XSS-Protection header is missing, which could make it easier to Cross-site scripting (XSS) exploration, as on the reviewed site, does not have any filter that could prevent exploitation of this security hole. XSS vulnerability happens due to a parameter that is not well filtered and ends up reflecting entirely everything that is typed by the user via the URL, including HTML tags and JavaScript codes.\nIf successfully exploited this vulnerability could allow that an attacker could craft a fake page within the sitetrue what would bring about a legitimacy in the coup. Furthermore, as this is a flaw in the site, mechanisms for third party protection would be ineffective.\nIf the user's session is shared with other subdomains and the victim is logged in the moment they click the malicious link, an attacker who injected malicious code could capture the victim's session without having to collect passwords and would have the same access privileges as that user. This situation becomes even more serious if a certain session captured for some administrative access, which could cause the elevation of an attacker's privileges or the exploitation of otherssecurity flaws.",
"raw": {}
},
{
"group": "Improper Access Control",
"name": "X-Content-Type-Options header is missing",
"severity": "warning",
"cve": [],
"cwe": [
693
],
"cvss": {
"score": 5.4,
"detail": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
},
"remediation": "Implement the X-Content-Type-Options header in the server response.",
"references": "https://cwe.mitre.org/data/definitions/693.html",
"description": "Failure to use X-Content-Type-Options header could allow an attacker to spoof a certain type of file that would be analyzed through MIME type detection, which could confuse the browser from its actual validation, where it would lead to the execution of othervulnerabilities such as Cross-site scripting. When a file does not have enough information to determine its origin, such as the presence of metadata, browsers determine the extension of that file, from its contents.\nThis type of behavior can become a security risk,if the browser misinterprets a given file in some form of uploading files, for example, a JPEG file could have been misinterpreted, if the content of your file existed HTML tags and Javascript codes, instead of the browser treating this extension as a corrupted image, would execute the codes typed by the user or in a malicious wayby falsifying a victim's request, after clicking a fake link or visiting a website controlled by an attacker.",
"raw": {}
}
]
},
"smtp_spoofing": {
"issues": [
{
"group": "Improper Control of a Resource Through its Lifetime",
"name": "The domain https://example.com may be vulnerable to email spoofing.",
"severity": "medium",
"cve": [],
"cwe": [
290
],
"cvss": {
"score": 5.3,
"detail": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
},
"remediation": "Set up DMARC, DKIM, and SPF for email security. DMARC requires creating a record in your domain's DNS, detailing report address and message failure policy. DKIM involves generating a public/private key pair, publishing the public key in DNS as a TXT record, and configuring your email server to sign messages with the private key. SPF requires creating a DNS record that lists authorized email servers for your domain. Setup can vary with different email server software and hosting providers; check your specific setup's documentation.",
"references": "https://cwe.mitre.org/data/definitions/290.html",
"description": "Email spoofing is the creation of email messages with a forged sender address. The term applies to email purporting to be from an address which is not actually the sender's; mail sent in reply to that address may bounce or be delivered to an unrelated party whose identity has been faked. Assistant: ['https://example.com has no SPF record!', 'No DMARC record found. Looking for organizational record', 'No organizational DMARC record']",
"raw": {}
}
]
}
},
"identificator": "f8fd4e06-5164-11ee-a5a3-0a03e0f5f0de",
"issuesSummary": {
"critical": 1,
"high": 0,
"medium": 1,
"low": 1,
"warning": 2
},
"totalChecked": 24117,
"information": {
"services": [
{
"state": "open",
"reason": "syn-ack",
"name": "http",
"product": "Edgecast CDN httpd",
"version": "",
"port": 80
},
{
"state": "open",
"reason": "syn-ack",
"name": "http",
"product": "Edgecast CDN httpd",
"version": "",
"port": 443
},
{
"state": "closed",
"reason": "reset",
"name": "bnetgame",
"product": "",
"version": "",
"port": ""
},
{
"state": "closed",
"reason": "reset",
"name": "rtmp",
"product": "",
"version": "",
"port": ""
}
],
"emails": [],
"components": {
"Azure": null,
"Docker": null,
"Amazon Web Services": null,
"Amazon ECS": null,
"DigiCert": null,
"Azure CDN": null
},
"database": {},
"web_server": {},
"os": {},
"cdn": null,
"cms": null,
"certificate": [
{
"Issue On": {
"$date": 1673593200.0
},
"Expires On": {
"$date": 1707893999.0
},
"commonName": "DigiCert TLS RSA SHA256 2020 CA1",
"subject": "www.example.org",
"sha1": "F2:AA:D7:3D:32:68:3B:71:6D:2A:7D:61:B5:1C:6D:57:64:AB:38:99",
"sha256": "5E:F2:F2:14:26:0A:B8:F5:8E:55:EE:A4:2E:4A:C0:4B:0F:17:18:07:D8:D1:18:5F:DD:D6:74:70:E9:AB:60:96",
"serial_number": "0c:1f:cb:18:45:18:c7:e3:86:67:41:23:6d:6b:73:f1",
"subjectAltName": [
"www.example.org",
"example.net",
"example.edu",
"example.com",
"example.org",
"www.example.com",
"www.example.edu",
"www.example.net"
]
},
{
"Issue On": {
"$date": 1618380000.0
},
"Expires On": {
"$date": 1933912799.0
},
"commonName": "DigiCert Global Root CA",
"subject": "DigiCert TLS RSA SHA256 2020 CA1",
"sha1": "1C:58:A3:A8:51:8E:87:59:BF:07:5B:76:B7:50:D4:F2:DF:26:4F:CD",
"sha256": "52:27:4C:57:CE:4D:EE:3B:49:DB:7A:7F:F7:08:C0:40:F7:71:89:8B:3B:E8:87:25:A8:6F:B4:43:01:82:FE:14",
"serial_number": "06:d8:d9:04:d5:58:43:46:f6:8a:2f:a7:54:22:7e:c4"
}
],
"waf": [
"Edgecast (Verizon Digital Media)"
],
"ips": [
"93.184.216.34"
],
"isp": "Verizon Business",
"total_checked": 24117
},
"preferences": {
"scan_type": "full",
"leak_data_usage": 0,
"cms_brute_force": 0,
"scan_speed": "fast",
"web_brute_force": 0,
"search_in_web_cache": false,
"scan_deep": 3
},
"percentage": "100.00",
"startDate": "2023-09-12T12:07:41.099421Z",
"endDate": "2023-09-12T12:13:52.026544Z"
}
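Added example, not part of the VScanner documentation: a client-side helper that handles the three states a Fetch Scan response can be in (queued, partial, finished), flattens both `issues` shapes shown above, and selects findings by severity label or CVSS score, since the sample rates a missing X-XSS-Protection header "critical" at CVSS 6.5. The function names, the thresholds and the ranking of "warning" below "low" are assumptions; `fetch` is any callable that returns the parsed JSON of the endpoint.

```python
import time

QUEUED_DETAIL = "Scan not initiated yet"   # message quoted in the docs above
# Labels are the issuesSummary keys; ranking "warning" lowest is an assumption.
SEVERITY_ORDER = ["warning", "low", "medium", "high", "critical"]

def scan_state(body):
    """Classify a Fetch Scan response as 'queued', 'running' or 'finished'."""
    if body.get("detail") == QUEUED_DETAIL:
        return "queued"
    # "percentage" is a string ("97.92") and endDate stays null while running.
    finished = float(body.get("percentage") or 0) >= 100.0 and body.get("endDate")
    return "finished" if finished else "running"

def flatten_issues(body):
    """Return (issue_type, issue) pairs for both response shapes."""
    issues = body.get("issues") or []
    if isinstance(issues, list):            # default shape: flat list
        return [(None, issue) for issue in issues]
    return [(issue_type, issue)             # issue_types=true: grouped by type
            for issue_type, group in issues.items()
            for issue in group.get("issues", [])]

def _rank(severity):
    # Unknown labels rank above "critical" so they are never silently dropped.
    return SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else len(SEVERITY_ORDER)

def triage(body, min_severity="medium", min_cvss=7.0):
    """Select issues whose severity label OR CVSS score meets a threshold."""
    hits = []
    for issue_type, issue in flatten_issues(body):
        score = (issue.get("cvss") or {}).get("score") or 0.0
        if _rank(issue.get("severity")) >= _rank(min_severity) or score >= min_cvss:
            hits.append((issue.get("severity"), score, issue.get("name"), issue_type))
    return sorted(hits, key=lambda h: (-_rank(h[0]), -h[1]))

def wait_for_scan(fetch, interval=30, max_polls=120, sleep=time.sleep):
    """Poll fetch() (returns parsed JSON) until the scan reports finished."""
    for _ in range(max_polls):
        body = fetch()
        if scan_state(body) == "finished":
            return body
        sleep(interval)
    raise TimeoutError("scan did not finish within the polling budget")

# Constructed sample responses, trimmed from the examples on this page.
_XSS = {"name": "X-XSS-Protection header is missing", "severity": "critical",
        "cvss": {"score": 6.5}}
_XFO = {"name": "The X-Frame-Options header is missing", "severity": "warning",
        "cvss": {"score": 3.5}}
_SPF = {"name": "The domain https://example.com may be vulnerable to email spoofing.",
        "severity": "medium", "cvss": {"score": 5.3}}
QUEUED = {"detail": "Scan not initiated yet"}
RUNNING = {"issues": [_XFO, _XSS], "percentage": "97.92", "endDate": None}
FINISHED_GROUPED = {
    "issues": {"headers": {"issues": [_XFO, _XSS]},
               "smtp_spoofing": {"issues": [_SPF]}},
    "percentage": "100.00", "endDate": "2023-09-12T12:13:52.026544Z",
}

if __name__ == "__main__":
    replies = iter([QUEUED, RUNNING, FINISHED_GROUPED])
    result = wait_for_scan(lambda: next(replies), sleep=lambda s: None)
    for hit in triage(result):
        print(hit)
```
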
List scans
Lists all scans for a given user. Scans initiated through the dashboard will also appear here.
Request
Example cURL request
curl --location 'https://api.vscanner.ai/v1/api/list_scans' \
--header 'Authorization: Bearer <API_KEY>'
Example Python request
import requests
api_key = "<API_KEY>"  # replace with your API key
url = "https://api.vscanner.ai/v1/api/list_scans"
payload={}
headers = {
'Authorization': f"Bearer {api_key}",
}
response = requests.request("GET", url, headers=headers, data=payload)
print(response.json())
*Filling in the API_KEY value is mandatory.
Return
The request response, in JSON format, contains a list of objects with each scan's identifier and the date when the scan started.
Successful response
JSON
[
{
"url": "example.com",
"scans": [
{
"id": "c8697aea-27dd-11ee-8393-86cc806e9f71",
"startDate": 1689954399,
"progress": 95.83
},
{
"id": "fdeaa720-27d8-11ee-8393-86cc806e9f71",
"startDate": 1689952342,
"progress": 100.0
},
{
"id": "6057209a-1ff6-11ee-90ac-6e4807aa4dd0",
"startDate": 1689085353,
"progress": 100.0
}
],
"total": 3
},
{
"url": "testphp.vulnweb.com",
"scans": [
{
"id": "42492b9a-27d8-11ee-8393-86cc806e9f71",
"startDate": 1689952027,
"progress": 100.0
},
{
"id": "c76e8ca6-2748-11ee-b52c-62dd9b1e49be",
"startDate": 1689890403,
"progress": 100.0
}
],
"total": 2
}
]
Issue Groups
Each vulnerability found by VScanner is referred to as an 'issue'. Every issue discovered belongs to a specific category, identified by its group ID.
Below is a table that lists all possible group IDs that VScanner can return, along with their respective descriptions.