Available in Classic and VPC
Output a report of the diagnostic whose diagnostic task is complete.
Request
This section describes the request format. The method and URI are as follows:
| Method | URI |
|---|---|
| GET | /{instanceId}/report |
Request headers
For headers common to Web Security Checker, see Web Security Checker common request headers.
Request path parameters
The following describes the parameters.
| Field | Type | Required | Description |
|---|---|---|---|
| InstanceId | Integer | Required | Diagnostic identification number
|
Request example
The request example is as follows:
curl --location --request GET 'https://wsc.apigw.ntruss.com/api/v1/jobs/{instanceId}/report'
--header 'x-ncp-apigw-timestamp: {Timestamp}'
--header 'x-ncp-iam-access-key: {Access Key}'
--header 'x-ncp-apigw-signature-v2: {API Gateway Signature}'
--header 'Content-Type: application/json'
Response
This section describes the response format.
Response body
The response body includes the following data:
| Field | Type | Required | Description |
|---|---|---|---|
report_date |
String | - | Diagnosis completion time |
Target_Info |
String | - | Diagnosis target information |
Crawl_Time |
String | - | Crawl operation time (YYYY/MM/DD hh:mm:ss~YYYY/MM/DD hh:mm:ss) |
Scan_Time |
String | - | Diagnostic operation time (YYYY/MM/DD hh:mm:ss~YYYY/MM/DD hh:mm:ss) |
Excluded_Url |
String | - | List of URLs excluded from diagnosis |
Login_Info |
String | - | Authentication cookie information |
Vulnerability_Category |
String | - | Diagnosis categories listed (VulnTitle_1, VulnTitle_2, ...) |
User_Agent |
String | - | Diagnosis/Crawler browser settings |
Memo |
String | - | Notes made when creating the diagnostic job |
Scanned_Domain_List |
Array | - | List of domains targeted for diagnosis |
Not_Scanned_Domain_List |
Array | - | List of domains excluded from diagnosis |
Classify_byRisk_Level |
Object | - | Vulnerability count by risk |
Classify_byRisk_Level.Total |
Integer | - | Total vulnerability count |
Classify_byRisk_Level.High |
Integer | - | "High" impact vulnerability count |
Classify_byRisk_Level.Medium |
Integer | - | "Medium" impact vulnerability count |
Classify_byRisk_Level.Low |
Integer | - | "Low" impact vulnerability count |
Classify_byRisk_Domain |
Object | - | Vulnerability count by domain and impact level |
Classify_byRisk_Domain."http://your-domain" |
Object | - | Vulnerability count of http://your-domain by risk level |
Classify_byRisk_Domain."http://your-domain"."VulnTitle_1" |
Object | - | Vulnerability count by risk level in the "VulnTitle_1" diagnostic item of http://your-domain |
Classify_byRisk_Domain."http://your-domain"."VulnTitle_1".High |
Integer | - | "High" impact vulnerability count in the "VulnTitle_1" diagnostic item of http://your-domain |
Classify_byRisk_Domain."http://your-domain"."VulnTitle_1".Medium |
Integer | - | "Medium" impact vulnerability count in the "VulnTitle_1" diagnostic item of http://your-domain |
Classify_byRisk_Domain."http://your-domain"."VulnTitle_1".Low |
Integer | - | "Low" impact vulnerability count in the "VulnTitle_1" diagnostic item of http://your-domain |
Classify_byRisk_Vulnerability |
Object | - | Vulnerability count by vulnerability |
Classify_byRisk_Vulnerability."VulnTitle_1" |
Integer | - | Vulnerability count in the "VulnTitle_1" diagnostic item |
Classify_byRisk_Vulnerability."VulnTitle_2" |
Integer | - | Vulnerability count in the "VulnTitle_2" diagnostic item |
Details |
Object | - | Details by diagnosis category |
Details."VulnTitle_1" |
Object | - | Vulnerability details for the "VulnTitle_1" category |
Details."VulnTitle_1".RiskLevel |
Object | - | Impact of vulnerabilities found when diagnosing "VulnTitle_1"
|
Details."VulnTitle_1".Vuln_Desc |
Object | - | Description of vulnerabilities found when diagnosing "VulnTitle_1"
|
Details."VulnTitle_1".Vuln_Desc2 |
Object | - | Description of vulnerabilities found when diagnosing "VulnTitle_1"
|
Details."VulnTitle_1"."0" |
Object | - | Details of the first vulnerability from the "VulnTitle_1" category |
Details."VulnTitle_1"."0".Title |
Object | - | Vulnerability title + number |
Details."VulnTitle_1"."0".vuln_key |
String | - | Unique key to distinguish vulnerabilities
|
Details."VulnTitle_1"."0".URL |
Object | - | Vulnerability occurrence pathway (web URL) and method |
Details."VulnTitle_1"."0".Request_Header |
Object | - | Information on the request header used to diagnose the vulnerability |
Details."VulnTitle_1"."0".Referer |
Object | - | Previous reference pathway (URL, referrer) from the request header information |
Details."VulnTitle_1"."0".Request_Body |
Object | - | Request body area such as form data or JSON data |
Details."VulnTitle_1"."0".newline |
Boolean | - | Display whether the list of response data fields is wrapped
|
Details."VulnTitle_1"."0".VulnParam |
String | - | Parameter name of the vulnerable URL query string or POST data |
Details."VulnTitle_1"."0".VulnSTR |
String | - | Payload injected by the vulnerability scanning module |
Details."VulnTitle_1"."0".Response_Data |
Array | - | Response body data list |
Details."VulnTitle_1"."0".Description |
String | - | Additional description of the vulnerability attack method |
Details."VulnTitle_1"."0".Reference |
String | - | Link to external guidance documentation on countermeasures |
Recommendation |
Object | - | Vulnerability response measure details |
Recommendation."VulnTitle_1" |
String | - | Vulnerability countermeasure details for diagnostic item "VulnTitle_1" |
Recommendation."VulnTitle_2" |
String | - | Vulnerability countermeasure details for diagnostic item "VulnTitle_2" |
Response status codes
For error codes common to Web Security Checker APIs, see Common Web Security Checker error codes.
Response example
The response example is as follows:
-
Diagnostic report output complete
{ "returnCode": "0", "returnDesc": "Request Success", "returnMessage": "Success", "resource": { "report_date": "2024-07-08 13:15:10", "Target_Info": "http://your-domain", "Crawl_Time": "2024/07/08 13:12:03~2024/07/08 13:12:08", "Scan_Time": "2024/07/08 13:12:27~2024/07/08 13:15:10", "Excluded_Url": [], "Login_Info": "", "Vulnerability_Category": "SQL Injection, XSS, .... (omitted)", "User_Agent": "Mozilla/5.0 .... (omitted)", "Memo": "Sample", "Scanned_Domain_List": [ "http://your-domain" ], "Not_Scanned_Domain_List": [ "http://www.w3.org", "http://httpd.apache.org", "https://bugs.launchpad.net" ], "Classify_byRisk_Level": { "Total": 1, "High": 0, "Medium": 0, "Low": 1 }, "Classify_byRisk_Domain": { "http://your-domain": { "XSS": { "Low": 1 } } }, "Classify_byRisk_Vulnerability": { "XSS": 1 }, "Details": { "XSS": { "RiskLevel": "Low", "Vuln_Desc": "Cross-site scripting (XSS) vulnerabilities can be... (omitted)", "Vuln_Desc2": "- The value entered from the user is in the correct range... (omitted)", "0": { "Title": "XSS #1", "vuln_key": "http://your-domain_XSS_0", "URL": "[GET] http://your-domain/....(omitted)", "Request_Header": "", "Referer": "", "Request_Body": "", "newline": "true", "VulnParam": "", "VulnSTR": "", "Response_Data": [ "Allow: POST,OPTIONS,HEAD,GET" ], "Description": "", "Reference": "" } } }, "Recommendation": { "XSS": "The value entered from the user is in the predictable... (omitted)" } } } -
Diagnostic report output error: Invalid
InstanceIdentered{ "error": { "errorCode": 901, "message": "API Call Fail" } }
Sample code
To output a diagnostic report, you need the Search diagnostics API and the Output diagnostic report API. You need to extract the value of instanceNo of the diagnostic for which you want to output a diagnostic report through the Search diagnostics API and call the Output diagnostic report API using this value.
See getJobs or searchJobs for more information on how to search for diagnostics and check instanceNo, as well as sample code for those APIs.
Sample code from a search with the Search diagnostics API (searchJobs) is as follows:
- Search type:
url - Keyword:
target-domain.com
# Request example
$ python jobSearch.py "url target-domain.com"
# Response example
{
"returnCode": "0",
"returnDesc": "Request Success",
"returnMessage": "Success",
"resources": {
"total_cnt": 1,
"total_page_cnt": 1,
"current_start_page": 1,
"current_end_page": 1,
"record_data": [
{
"instanceNo": "1234567890",
"start_date": "2024-07-09 15:37:04",
"end_date": "2024-07-09 15:39:54",
"status": "Diagnostics completed",
"progress": null,
"start_url": "http://target-domain.com",
"crawl_cnt": "1",
"scan_cnt": "1",
"memo": "Wsc Sample",
"result_button": "report",
"result_desc": "",
"rescan_button": "possible",
"slave_data": null
}
]
}
}
The following is sample code that generates a signature with the make_signature function to create a request head and then cancel it before diagnosing based on the request parameters entered, outputting the result if the response code is 200.
import sys
import os
import hashlib
import hmac
import base64
import requests
import time
import json
from pprint import pprint
def make_signature(method, uri, timestamp):
access_key = "{accessKey}" # access key id (from portal or sub account)
secret_key = "{secretKey}" # secret key (from portal or sub account)
secret_key = bytes(secret_key, 'UTF-8')
method = method
uri = uri
message = method + " " + uri + "\n" + timestamp + "\n" + access_key
message = bytes(message, 'UTF-8')
signingKey = base64.b64encode(hmac.new(secret_key, message, digestmod=hashlib.sha256).digest())
return signingKey
method = 'GET'
instanceId = "{instanceId}" # instance id (from api)
uri = f'/api/v1/jobs/{instanceId}/report'
timestamp = str(int(time.time() * 1000))
signature = make_signature(method, uri, timestamp)
headers = {
'x-ncp-apigw-signature-v2': signature.decode('utf-8'),
'x-ncp-apigw-timestamp': timestamp,
'x-ncp-iam-access-key': '{accessKey}', # access key id (from portal or sub account)
'Content-Type': 'application/json'
}
response = requests.request(
method,
f"https://wsc.apigw.ntruss.com{uri}",
headers=headers
)
if response.status_code == 200:
pprint(json.loads(response.text))
else:
pprint(json.loads(response.text))
Note
The sample code is written in Python 3. See Call API in the API Gateway user guide for sample code written in other languages, such as Java and Node.js.