Patronus API

Pentest Report

Working with the Scan Results:

After the scan is finished, you can retrieve the penetration test results in JSON format.

Meta Section

At the top of the file, you can get a first impression of the scan results and answer basic questions:

  • How long did the test run take?
  • How many URLs were crawled?
  • How many tests were conducted?
  • How many possible vulnerabilities did the pentester find?

{
  "jobId": "6f6ba55b-4679-46cc-93ae-f9a92c3c45f1",
  "projectHash": "2aa3aafb-9c1f-43bd-b29f-ae6e836cece2",
  "report": {
    "hits": 361,
    "urls": 1009,
    "start": 1540462633,
    "end": 1540465433,
    "tests": 2810,
    "data": [
      ...
    ]
  }
}

Field        | Description
-------------|-----------------------------------------------------------------------------
jobId        | The job ID of this run
projectHash  | The project this job was executed for
hits         | The number of possible vulnerabilities the penetration tester found
urls         | The number of crawled URLs
start / end  | Unix timestamps of when the job started / ended
tests        | The number of tests run by the penetration tester
data         | The array containing information about the found vulnerabilities (see below)

Once you have a basic understanding of the test results, you can dive into the details and validate each detected vulnerability. The usual approach is to reproduce each finding yourself in the browser or a similar tool.

For each attack vector, you will be able to answer the following questions:

  • Under which URL was it possible to conduct an attack?
  • Which attack type was found?
  • What type of request was used?
  • What payload was submitted to simulate an attack?

Found Vulnerabilities

The report.data array contains additional information about each possible vulnerability the penetration tester found.

Identical forms are only tested once

Some forms and parameters may be on many pages of your website.
Typically these are:

  • Search-bars
  • Comment forms
  • Login forms

If the fields and actions of these forms are identical on each page, we group them to reduce the number of tests run.
This can make the results look less alarming than they are: a vulnerability in a grouped form is shown only once in the report, but it actually affects every page on which that form appears.

{
  "url": "https://example.com/wavsep/active/RFI/RFI-Detection-Evaluation-POST-200Error/Case03-RFI-UrlClass-FilenameContext-Unrestricted-HttpURL-DefaultInvalidInput-AnyPathReq-Read.jsp",
  "module": "XSS",
  "method": "POST",
  "poc": "target=%3Cscript%3Ealert('P4tronus')%3C%2Fscript%3E",
  "pocs": [
    "target=%3Cscript%3Ealert('P4tronus')%3C%2Fscript%3E",
    "target=%3CScript%3Ealert('Patronu5')%3B%3C%2Fscript%3E",
    "target=%22%3E%3Cscript%3Ealert(%22Patronus%22)%3B%3C%2Fscript%3E"
  ],
  "payload": "target=%3Cscript%3Ealert('P4tronus')%3C%2Fscript%3E"
}

Field   | Description
--------|-----------------------------------------------------------------------------------------
url     | The URL where the vulnerability was detected
module  | The module that found the vulnerability, e.g. XSS, SQLi, LFi, OSCi
method  | The HTTP method that was used for the simulated attack
poc     | The proof of concept that was used and verified for the test to be accepted as a possible vulnerability
pocs    | All proof-of-concept payloads that worked in that scenario; this list also contains the value of poc
payload | The message body or query parameters of the request

Once you have validated the findings and fixed the underlying issues, run the scan again to confirm that each vulnerability is no longer detected.
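As an added example (not part of the Patronus documentation or API), the following Python reads a report in the format described in both sections above, computes the meta summary (run duration, per-module counts) and turns each finding into a triage row with the URL-encoded poc decoded for manual validation. The embedded report is constructed for this example and is not a real scan result.

```python
import json
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Constructed sample in the report format documented above (not a real scan).
SAMPLE_REPORT = json.dumps({
    "jobId": "6f6ba55b-4679-46cc-93ae-f9a92c3c45f1",
    "projectHash": "2aa3aafb-9c1f-43bd-b29f-ae6e836cece2",
    "report": {
        "hits": 2, "urls": 1009, "start": 1540462633, "end": 1540465433, "tests": 2810,
        "data": [
            {"url": "https://example.com/search.jsp", "module": "XSS", "method": "POST",
             "poc": "target=%3Cscript%3Ealert('P4tronus')%3C%2Fscript%3E",
             "pocs": ["target=%3Cscript%3Ealert('P4tronus')%3C%2Fscript%3E",
                      "target=%22%3E%3Cscript%3Ealert(%22Patronus%22)%3B%3C%2Fscript%3E"],
             "payload": "target=%3Cscript%3Ealert('P4tronus')%3C%2Fscript%3E"},
            {"url": "https://example.com/item.jsp?id=1", "module": "SQLi", "method": "GET",
             "poc": "id=1%27", "pocs": ["id=1%27"], "payload": "id=1%27"},
        ],
    },
})


def summarize(report_json):
    """Meta section: duration in seconds, counters and findings per module."""
    doc = json.loads(report_json)
    rep = doc["report"]
    return {
        "jobId": doc["jobId"],
        "duration_s": rep["end"] - rep["start"],   # start/end are Unix timestamps
        "urls": rep["urls"], "tests": rep["tests"], "hits": rep["hits"],
        # Sanity check (assumption): one data entry is expected per reported hit.
        "hits_match": rep["hits"] == len(rep["data"]),
        "by_module": dict(Counter(f["module"] for f in rep["data"])),
    }


def triage(report_json):
    """One row per finding; poc is split into parameters and URL-decoded for validation."""
    rows = []
    for f in json.loads(report_json)["report"]["data"]:
        pairs = (p.split("=", 1) if "=" in p else (p, "") for p in f["poc"].split("&"))
        rows.append({
            "path": urlsplit(f["url"]).path,
            "module": f["module"],
            "method": f["method"],
            "poc_params": {k: unquote_plus(v) for k, v in pairs},
            "alt_pocs": len(f["pocs"]) - 1,  # pocs also contains poc itself
        })
    return rows
```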

Need help with the results?

Getting started with a new security testing tool is hard. If you need help interpreting the results or deciding what actions to take to fix vulnerabilities, get in touch at api@patronus.io.

Furthermore, we are always looking to improve our scanner, so if you identify false positives, feel free to submit them with a short note to api@patronus.io.
