      getReport

        Available in Classic and VPC

        Output a report of the diagnostic whose diagnostic task is complete.

        Request

        The request format for the endpoint is as follows.

        | Method | URI |
        |---|---|
        | PATCH | /{instanceId}/report |

        Request headers

        For headers common to Web Security Checker, see Web Security Checker common request headers.

        Request path parameters

        The following describes the parameters.

        | Field | Type | Required | Description |
        |---|---|---|---|
        | InstanceId | Integer | Required | Diagnostic identification number |

        Request example

        The following is a sample request.

        curl --location --request GET 'https://wsc.apigw.ntruss.com/api/v1/jobs/{instanceId}/report' \
        --header 'x-ncp-apigw-timestamp: {Timestamp}' \
        --header 'x-ncp-iam-access-key: {Access Key}' \
        --header 'x-ncp-apigw-signature-v2: {API Gateway Signature}' \
        --header 'Content-Type: application/json'

        Response

        The following describes the response format.

        Response body

        The following describes the response body.

        | Field | Type | Required | Description |
        |---|---|---|---|
        | report_date | String | - | Diagnosis completion time |
        | Target_Info | String | - | Diagnosis target information |
        | Crawl_Time | String | - | Crawl operation time (YYYY/MM/DD hh:mm:ss~YYYY/MM/DD hh:mm:ss) |
        | Scan_Time | String | - | Diagnostic operation time (YYYY/MM/DD hh:mm:ss~YYYY/MM/DD hh:mm:ss) |
        | Excluded_Url | String | - | List of URLs excluded from diagnosis |
        | Login_Info | String | - | Authentication cookie information |
        | Vulnerability_Category | String | - | Diagnosis categories listed (VulnTitle_1, VulnTitle_2, ...) |
        | User_Agent | String | - | Diagnosis/Crawler browser settings |
        | Memo | String | - | Notes made when creating the diagnostic job |
        | Scanned_Domain_List | Array | - | List of domains targeted for diagnosis |
        | Not_Scanned_Domain_List | Array | - | List of domains excluded from diagnosis |
        | Classify_byRisk_Level | Object | - | Vulnerability count by risk |
        | Classify_byRisk_Level.Total | Integer | - | Total vulnerability count |
        | Classify_byRisk_Level.High | Integer | - | "High" impact vulnerability count |
        | Classify_byRisk_Level.Medium | Integer | - | "Medium" impact vulnerability count |
        | Classify_byRisk_Level.Low | Integer | - | "Low" impact vulnerability count |
        | Classify_byRisk_Domain | Object | - | Vulnerability count by domain and impact level |
        | Classify_byRisk_Domain."http://your-domain" | Object | - | Vulnerability count of http://your-domain by risk level |
        | Classify_byRisk_Domain."http://your-domain"."VulnTitle_1" | Object | - | Vulnerability count by risk level in the "VulnTitle_1" diagnostic item of http://your-domain |
        | Classify_byRisk_Domain."http://your-domain"."VulnTitle_1".High | Integer | - | "High" impact vulnerability count in the "VulnTitle_1" diagnostic item of http://your-domain |
        | Classify_byRisk_Domain."http://your-domain"."VulnTitle_1".Medium | Integer | - | "Medium" impact vulnerability count in the "VulnTitle_1" diagnostic item of http://your-domain |
        | Classify_byRisk_Domain."http://your-domain"."VulnTitle_1".Low | Integer | - | "Low" impact vulnerability count in the "VulnTitle_1" diagnostic item of http://your-domain |
        | Classify_byRisk_Vulnerability | Object | - | Vulnerability count by vulnerability |
        | Classify_byRisk_Vulnerability."VulnTitle_1" | Integer | - | Vulnerability count in the "VulnTitle_1" diagnostic item |
        | Classify_byRisk_Vulnerability."VulnTitle_2" | Integer | - | Vulnerability count in the "VulnTitle_2" diagnostic item |
        | Details | Object | - | Details by diagnosis category |
        | Details."VulnTitle_1" | Object | - | Vulnerability details for the "VulnTitle_1" category |
        | Details."VulnTitle_1".RiskLevel | Object | - | Impact of vulnerabilities found when diagnosing "VulnTitle_1". Values: Low / Medium / High |
        | Details."VulnTitle_1".Vuln_Desc | Object | - | Description of vulnerabilities found when diagnosing "VulnTitle_1". Descriptions may vary by vulnerability type |
        | Details."VulnTitle_1".Vuln_Desc2 | Object | - | Description of vulnerabilities found when diagnosing "VulnTitle_1". Descriptions may vary by vulnerability type |
        | Details."VulnTitle_1"."0" | Object | - | Details of the first vulnerability from the "VulnTitle_1" category |
        | Details."VulnTitle_1"."0".Title | Object | - | Vulnerability title + number |
        | Details."VulnTitle_1"."0".vuln_key | String | - | Unique key to distinguish vulnerabilities. Format: key form or domain_vulnerability_sequence. E.g. "http://example.com_LFI_0" |
        | Details."VulnTitle_1"."0".URL | Object | - | Vulnerability occurrence pathway (web URL) and method |
        | Details."VulnTitle_1"."0".Request_Header | Object | - | Information on the request header used to diagnose the vulnerability |
        | Details."VulnTitle_1"."0".Referer | Object | - | Previous reference pathway (URL, referrer) from the request header information |
        | Details."VulnTitle_1"."0".Request_Body | Object | - | Request body area such as form data or JSON data |
        | Details."VulnTitle_1"."0".newline | Boolean | - | Display whether the list of response data fields is wrapped. Values: true / false (true: wrapped; false: not wrapped) |
        | Details."VulnTitle_1"."0".VulnParam | String | - | Parameter name of the vulnerable URL query string or POST data |
        | Details."VulnTitle_1"."0".VulnSTR | String | - | Payload injected by the vulnerability scanning module |
        | Details."VulnTitle_1"."0".Response_Data | Array | - | Response body data list |
        | Details."VulnTitle_1"."0".Description | String | - | Additional description of the vulnerability attack method |
        | Details."VulnTitle_1"."0".Reference | String | - | Link to external guidance documentation on countermeasures |
        | Recommendation | Object | - | Vulnerability response measure details |
        | Recommendation."VulnTitle_1" | String | - | Vulnerability countermeasure details for diagnostic item "VulnTitle_1" |
        | Recommendation."VulnTitle_2" | String | - | Vulnerability countermeasure details for diagnostic item "VulnTitle_2" |

        Response status codes

        For error codes common to Web Security Checker APIs, see Common Web Security Checker error codes.

        Response example

        The following is a sample response.

        • Diagnostic report output complete
        {
            "returnCode": "0",
            "returnDesc": "Request Success",
            "returnMessage": "Success",
            "resource": {
                "report_date": "2024-07-08 13:15:10",
                "Target_Info": "http://your-domain",
                "Crawl_Time": "2024/07/08 13:12:03~2024/07/08 13:12:08",
                "Scan_Time": "2024/07/08 13:12:27~2024/07/08 13:15:10",
                "Excluded_Url": [],
                "Login_Info": "",
                "Vulnerability_Category": "SQL Injection, XSS, .... (omitted)",
                "User_Agent": "Mozilla/5.0 .... (omitted)",
                "Memo": "Sample",
                "Scanned_Domain_List": [
                    "http://your-domain"
                ],
                "Not_Scanned_Domain_List": [
                    "http://www.w3.org",
                    "http://httpd.apache.org",
                    "https://bugs.launchpad.net"
                ],
                "Classify_byRisk_Level": {
                    "Total": 1,
                    "High": 0,
                    "Medium": 0,
                    "Low": 1
                },
                "Classify_byRisk_Domain": {
                    "http://your-domain": {
                        "XSS": {
                            "Low": 1
                        }
                    }
                },
                "Classify_byRisk_Vulnerability": {
                    "XSS": 1
                },
                "Details": {
                    "XSS": {
                        "RiskLevel": "Low",
                        "Vuln_Desc": "Cross-site scripting (XSS) vulnerabilities can be... (omitted)",
                        "Vuln_Desc2": "- The value entered from the user is in the correct range... (omitted)",
                        "0": {
                            "Title": "XSS #1",
                            "vuln_key": "http://your-domain_XSS_0",
                            "URL": "[GET]&nbsp;&nbsp;http://your-domain/....(omitted)",
                            "Request_Header": "",
                            "Referer": "",
                            "Request_Body": "",
                            "newline": "true",
                            "VulnParam": "",
                            "VulnSTR": "",
                            "Response_Data": [
                                "Allow: POST,OPTIONS,HEAD,GET"
                            ],
                            "Description": "",
                            "Reference": ""
                        }
                    }
                },
                "Recommendation": {
                    "XSS": "The value entered from the user is in the predictable... (omitted)"
                }
            }
        }
        • Diagnostic report output error: Invalid InstanceId entered
        {
            "error": {
                "errorCode": 901,
                "message": "API Call Fail"
            }
        }

        Sample code

        To output a diagnostic report, you need the Search diagnostics API and the Output diagnostic report API. You need to extract the value of instanceNo of the diagnostic for which you want to output a diagnostic report through the Search diagnostics API and call the Output diagnostic report API using this value.
        See getJobs or searchJobs for more information on how to search for diagnostics and check instanceNo, as well as sample code for those APIs.

        Sample code from a search with the Search diagnostics API (searchJobs) is as follows.

        • Search type: url
        • Keyword: target-domain.com
        # Request example
        $ python jobSearch.py "url target-domain.com"
        
        # Response example
        {
            "returnCode": "0",
            "returnDesc": "Request Success",
            "returnMessage": "Success",
            "resources": {
                "total_cnt": 1,
                "total_page_cnt": 1,
                "current_start_page": 1,
                "current_end_page": 1,
                "record_data": [
                    {
                        "instanceNo": "1234567890",
                        "start_date": "2024-07-09 15:37:04",
                        "end_date": "2024-07-09 15:39:54",
                        "status": "Diagnostics completed",
                        "progress": null,
                        "start_url": "http://target-domain.com",
                        "crawl_cnt": "1",
                        "scan_cnt": "1",
                        "memo": "Wsc Sample",
                        "result_button": "report",
                        "result_desc": "",
                        "rescan_button": "possible",
                        "slave_data": null
                    }
                ]
            }
        }

        The following sample code generates a signature with the make_signature function to create the request headers, then requests the diagnostic report based on the request parameters entered and outputs the result if the response code is 200.

        import base64
        import hashlib
        import hmac
        import time
        from pprint import pprint

        import requests

        access_key = "{accessKey}"  # access key id (from portal or sub account)
        secret_key = "{secretKey}"  # secret key (from portal or sub account)


        def make_signature(method, uri, timestamp):
            # String to sign: "<method> <uri>\n<timestamp>\n<access key>"
            message = method + " " + uri + "\n" + timestamp + "\n" + access_key
            # HMAC-SHA256 keyed with the secret key, then Base64-encoded
            digest = hmac.new(bytes(secret_key, 'UTF-8'), bytes(message, 'UTF-8'),
                              digestmod=hashlib.sha256).digest()
            return base64.b64encode(digest)


        method = 'GET'
        instanceId = "{instanceId}"  # instance id (from api)
        uri = f'/api/v1/jobs/{instanceId}/report'
        timestamp = str(int(time.time() * 1000))  # current time in milliseconds

        signature = make_signature(method, uri, timestamp)

        headers = {
            'x-ncp-apigw-signature-v2': signature.decode('utf-8'),
            'x-ncp-apigw-timestamp': timestamp,
            'x-ncp-iam-access-key': access_key,
            'Content-Type': 'application/json'
        }

        response = requests.request(
            method,
            f"https://wsc.apigw.ntruss.com{uri}",
            headers=headers
        )

        if response.status_code == 200:
            pprint(response.json())
        else:
            # Non-200: show the HTTP status and the raw error body
            print(response.status_code)
            pprint(response.text)

        Note

        The sample code is written in Python 3. See Call API in the API Gateway user guide for sample code written in other languages, such as Java and Node.js.
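
        The sample code above only prints the raw response. The following added example (not part of the original documentation) flattens the documented Details object into one row per finding, sorts the rows by risk, and cross-checks them against Classify_byRisk_Level. The function name, the sample data, and the assumptions that every non-metadata key under a category is a finding and that the summary counts one per finding are this example's own.

```python
import json

# Keys under Details["<category>"] that describe the category itself;
# every other key ("0", "1", ...) is treated as one finding (assumption).
CATEGORY_META = {"RiskLevel", "Vuln_Desc", "Vuln_Desc2"}
RISK_ORDER = {"High": 0, "Medium": 1, "Low": 2}

# Constructed sample in the documented shape (not real scan output).
SAMPLE = json.loads("""
{"returnCode": "0", "resource": {
  "Classify_byRisk_Level": {"Total": 2, "High": 1, "Medium": 0, "Low": 1},
  "Details": {
    "XSS": {"RiskLevel": "Low", "Vuln_Desc": "...", "Vuln_Desc2": "...",
      "0": {"vuln_key": "http://your-domain_XSS_0", "VulnParam": "",
            "URL": "[GET]&nbsp;&nbsp;http://your-domain/a"}},
    "LFI": {"RiskLevel": "High", "Vuln_Desc": "...", "Vuln_Desc2": "...",
      "0": {"vuln_key": "http://your-domain_LFI_0", "VulnParam": "id",
            "URL": "[POST]&nbsp;&nbsp;http://your-domain/b"}}}}}
""")


def flatten_report(body):
    """Return (findings sorted by risk, summary mismatches) for a response body."""
    if "error" in body:  # error shape: {"error": {"errorCode": ..., "message": ...}}
        raise ValueError(f"getReport failed: {body['error']}")
    report = body["resource"]
    findings = []
    for category, detail in report.get("Details", {}).items():
        for key, item in detail.items():
            if key in CATEGORY_META or not isinstance(item, dict):
                continue
            # URL is "[METHOD]&nbsp;&nbsp;<url>" in the page's sample response.
            method, _, url = item.get("URL", "").replace("&nbsp;", " ").partition(" ")
            findings.append({"vuln_key": item.get("vuln_key"), "category": category,
                             "risk": detail.get("RiskLevel", "Unknown"),
                             "method": method.strip("[]"), "url": url.strip(),
                             "param": item.get("VulnParam", "")})
    findings.sort(key=lambda f: (RISK_ORDER.get(f["risk"], 3), str(f["vuln_key"])))
    # Cross-check: assumes the summary counters count one per Details entry.
    levels = report.get("Classify_byRisk_Level", {})
    counted = {lvl: sum(f["risk"] == lvl for f in findings) for lvl in RISK_ORDER}
    counted["Total"] = len(findings)
    mismatches = {k: (levels.get(k), v) for k, v in counted.items() if levels.get(k) != v}
    return findings, mismatches


if __name__ == "__main__":
    rows, diff = flatten_report(SAMPLE)
    print(json.dumps(rows, indent=2), "summary mismatches:", diff)
```

        The flattened rows leave out Login_Info and Request_Header, so they can be passed to a ticketing system without the authentication cookie that the full report carries.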

