Authentication
Some API calls require authentication. These are colored yellow in the API Query list. Authentication is done in one of two ways:
- basic <username>:<password> (Not recommended)
- token <username>:<token>
- session <username>:<session id> (Recommended)
Authorization: basic user:password123
or
Authorization: token user:679c2955085b46e48155b84f4c878844
or
Authorization: session user:ea234b864515411d9d834e2bd561af98
PLEASE NOTE: Neither the password nor the token is obfuscated, so it is strongly advised to use HTTPS.
Optional Headers
The following headers can be appended to any request:
- Accept
- Version
Accept
The Accept argument may contain one of two categories:
- */json (*/* will default to text/json)
- */plain
The */json choice will encapsulate all output with a status code, in the format:
{'status': 'success', 'data': <output of */plain>}
Version
The version of the API call. For backwards compatibility, when the version is not specified, version 1.0 (legacy) will be used and only plain text output will be used. As of version 1.1, the Accept header will be taken into account.
Status Codes
Description
The request was handled correctly.
Description
The skip parameter in your query could not be parsed as an integer.
Description
The limit parameter in your query could not be parsed as an integer.
Description
The authentication string provided in the Authorization header could not be parsed correctly. Check the "Authentication" section of the documentation.
Description
This request required authentication.
Description
Authentication failed because the credentials provided were incorrect.
Description
The url requested does not exist. You might need to check upper/lowercase, or revert back to the documentation.
Description
A content type was requested (in the Accept header) which is not one of the following:
- json
- plain
- application/*
- text/*
- */*
Description
These errors get thrown when the server experienced an error it did not expect. In case this happens, the server should print the error to the console.
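The header rules above (Authorization, Accept, Version) and the */json envelope, as a client-side sketch. This is an added example, not code from the project; the function names and the host cve.example.org are hypothetical, and treating every status other than "success" as a failure is an assumption, since the page only shows the success form.

```python
import json
from urllib.parse import urlsplit

# Authentication methods listed on this page.
AUTH_METHODS = ("basic", "token", "session")

# Constructed sample response body (not captured from a real server).
SAMPLE_BODY = '{"status": "success", "data": ["CVE-2016-3333"]}'


def build_headers(url, method, username, secret,
                  accept="application/json", version="1.1"):
    """Build request headers, refusing to expose the secret in cleartext."""
    if method not in AUTH_METHODS:
        raise ValueError(f"unsupported auth method: {method!r}")
    if urlsplit(url).scheme.lower() != "https":
        # The secret is not obfuscated, so it must only travel over TLS.
        raise ValueError("credentials may only be sent to an https:// URL")
    if not username or not secret:
        raise ValueError("username and secret must be non-empty")
    if ":" in username:
        # The value is <username>:<secret>; a colon here is ambiguous.
        raise ValueError("username must not contain ':'")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in username + secret):
        # CR/LF or other control characters could inject extra headers.
        raise ValueError("control characters in credentials")
    return {
        "Authorization": f"{method} {username}:{secret}",
        "Accept": accept,
        # Without Version the server falls back to 1.0 and ignores Accept.
        "Version": version,
    }


def redact(headers):
    """Copy of the headers that is safe to log: the secret is masked."""
    safe = dict(headers)
    method, _, pair = safe.get("Authorization", "").partition(" ")
    if pair:
        safe["Authorization"] = f"{method} {pair.split(':', 1)[0]}:<redacted>"
    return safe


def unwrap(body):
    """Return the payload of a */json response (API version 1.1 and later)."""
    doc = json.loads(body)
    if not isinstance(doc, dict) or "status" not in doc:
        raise ValueError("not a {'status': ..., 'data': ...} envelope")
    if doc["status"] != "success":
        # Assumption: any status other than "success" means the call failed.
        raise RuntimeError(f"API call failed with status {doc['status']!r}")
    return doc.get("data")


if __name__ == "__main__":
    headers = build_headers("https://cve.example.org/api/", "session",
                            "user", "ea234b864515411d9d834e2bd561af98")
    print(redact(headers))
    print(unwrap(SAMPLE_BODY))
```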
API Queries
Description
Converts a CPE code to the CPE2.2 standard, stripped of appendices. CPE2.2 is the old standard, and is a lot less uniform than the CPE2.3 standard.
URL arguments
Argument | Description | Example |
cpe | CPE code in cpe2.2 or cpe2.3 format | cpe:2.3:o:microsoft:windows_vista:6.0:sp1:-:-:home_premium:-:-:x64:- |
Output
cpe:/o:microsoft:windows_vista:6.0:sp1:~~home_premium~~x64~
Description
Converts a CPE code to the CPE2.3 standard, stripped of appendices. CPE2.3 is the newer standard, and is a lot more uniform and easier to read than the CPE2.2 standard.
URL arguments
Argument | Description | Example |
cpe | CPE code in cpe2.2 or cpe2.3 format | cpe:/o:microsoft:windows_vista:6.0:sp1:~-~home_premium~-~x64~- |
Output
cpe:2.3:o:microsoft:windows_vista:6.0:sp1:-:-:home_premium:-:-:x64
Description
Outputs a list of CVEs related to the product.
URL arguments
Argument | Description | Example |
cpe | CPE code in cpe2.2 or cpe2.3 format | cpe:/o:microsoft:windows_vista:6.0:sp1:~-~home_premium~-~x64~- |
limit | **OPTIONAL** Limit the number of vulnerabilities to return; when set, results are sorted by CVSS score | 0 = Default and returns all results |
Output
[ { "cvss": 7.5, "cvss-time": { "$date": 1117762800000 }, "id": "CVE-2005-0100", "impact": { "availability": "PARTIAL", "confidentiality": "PARTIAL", "integrity": "PARTIAL" }, ...
Description
Outputs all available information for the specified CVE (Common Vulnerability and Exposure), in JSON format. This information includes basic CVE information like CVSS (Common Vulnerability Scoring System), related CPE (Common Product Enumeration), CWE (Common Weakness Enumeration), ... as well as additional information (RedHat Advisories etc).
URL arguments
Argument | Description | Example |
cveid | CVE number | CVE-2016-3333 |
Output
{ "cvss": "9.3", "cvss-time": { "$date": 1478779997053 }, "cwe": "CWE-119", "id": "CVE-2016-3333", "impact": { "availability": "COMPLETE", "confidentiality": "COMPLETE", "integrity": "COMPLETE" }, "last-modified": { "$date": 1480345703170 }, ...
Description
Outputs a list of all CWEs (Common Weakness Enumeration).
Output
{ "Description": "This category has been deprecated. It was originally used for organizing weaknesses involving file names, which enabled access to files outside of a restricted directory (path traversal) or to perform operations on files that would otherwise be restricted (path equivalence). Consider using either the File Handling Issues category (CWE-1219) or the class Use of Incorrectly-Resolved Name or Reference (CWE-706).This category has been deprecated. It was originally used for organizing weaknesses involving file names, which enabled access to files outside of a restricted directory (path traversal) or to perform operations on files that would otherwise be restricted (path equivalence). Consider using either the File Handling Issues category (CWE-1219) or the class Use of Incorrectly-Resolved Name or Reference (CWE-706).", "id": "2", "name": "7PK - Environment", "relationships": [ "11", "12", "13", "14", "5", "6", "7", "8", "9" ], "status": "Draft", "weaknessabs": "Category" }, { "Description": "The application configuration should ensure that SSL or an encryption mechanism of equivalent strength and vetted reputation is used for all access-controlled pages.The application configuration should ensure that SSL or an encryption mechanism of equivalent strength and vetted reputation is used for all access-controlled pages.", "id": "5", "name": "J2EE Misconfiguration: Data Transmission Without Encryption", "related_weaknesses": [ "319" ], "status": "Draft", "weaknessabs": "Variant" }, { "Description": "A lower bound on the number of valid session identifiers that are available to be guessed is the number of users that are active on a site at any given moment. However, any users that abandon their sessions without logging out will increase this number. (This is one of many good reasons to have a short inactive session timeout.) With a 64 bit session identifier, assume 32 bits of entropy. 
For a large web site, assume that the attacker can try 1,000 guesses per second and that there are 10,000 valid session identifiers at any given moment. Given these assumptions, the expected time for an attacker to successfully guess a valid session identifier is less than 4 minutes. Now assume a 128 bit session identifier that provides 64 bits of entropy. With a very large web site, an attacker might try 10,000 guesses per second with 100,000 valid session identifiers available to be guessed. Given these assumptions, the expected time for an attacker to successfully guess a valid session identifier is greater than 292 years.A lower bound on the number of valid session identifiers that are available to be guessed is the number of users that are active on a site at any given moment. However, any users that abandon their sessions without logging out will increase this number. (This is one of many good reasons to have a short inactive session timeout.) With a 64 bit session identifier, assume 32 bits of entropy. For a large web site, assume that the attacker can try 1,000 guesses per second and that there are 10,000 valid session identifiers at any given moment. Given these assumptions, the expected time for an attacker to successfully guess a valid session identifier is less than 4 minutes. Now assume a 128 bit session identifier that provides 64 bits of entropy. With a very large web site, an attacker might try 10,000 guesses per second with 100,000 valid session identifiers available to be guessed. 
Given these assumptions, the expected time for an attacker to successfully guess a valid session identifier is greater than 292 years.", "id": "6", "name": "J2EE Misconfiguration: Insufficient Session-ID Length", "related_weaknesses": [ "334" ], "status": "Incomplete", "weaknessabs": "Variant" }, { "Description": "Verify return values are correct and do not supply sensitive information about the system.Verify return values are correct and do not supply sensitive information about the system.", "id": "7", "name": "J2EE Misconfiguration: Missing Custom Error Page", "related_weaknesses": [ "756" ], "status": "Incomplete", "weaknessabs": "Variant" }, ...
Description
Returns a CWE (Common Weakness Enumeration) by its id.
Output
[ { "description_summary": "Information sent over a network can be compromised while in transit. An attacker may be able to read/modify the contents if the data are sent in plaintext or are weakly encrypted.Information sent over a network can be compromised while in transit. An attacker may be able to read/modify the contents if the data are sent in plaintext or are weakly encrypted.", "id": "5", "name": "J2EE Misconfiguration: Data Transmission Without Encryption", "status": "Draft", "weaknessabs": "Variant" }, ...
Description
Outputs a list of CAPEC related to a CWE. CAPEC (Common Attack Pattern Enumeration and Classification) is a list of attack types commonly used by attackers.
URL arguments
Argument | Description | Example |
cweid | CWE ID | 200 |
Output
[ { "execution_flow": {}, "id": "271", "loa": "Low", "name": "Schema Poisoning", "prerequisites": "Some level of access to modify the target schema. The schema used by the target application must be improperly secured against unauthorized modification and manipulation.", "related_capecs": [ "176" ], "related_weakness": [ "15" ], "solutions": "Design: Protect the schema against unauthorized modification. Implementation: For applications that use a known schema, use a local copy or a known good repository instead of the schema reference supplied in the schema document. Implementation: For applications that leverage remote schemas, use the HTTPS protocol to prevent modification of traffic in transit and to avoid unauthorized modification.", "summary": "An adversary corrupts or modifies the content of a schema for the purpose of undermining the security of the target. Schemas provide the structure and content definitions for resources used by an application. By replacing or modifying a schema, the adversary can affect how the application handles or interprets a resource, often leading to possible denial of service, entering into an unexpected state, or recording incomplete data.", "taxonomy": {}, "typical_severity": "High" }, { "execution_flow": { "1": { "Description": "The attacker probes for programs running with elevated privileges.", "Phase": "Explore", "Techniques": [] }, "2": { "Description": "The attacker finds a bug in a program running with elevated privileges.", "Phase": "Explore", "Techniques": [] }, "3": { "Description": "The attacker exploits the bug that they have found. For instance, they can try to inject and execute arbitrary code or write to OS resources.", "Phase": "Exploit", "Techniques": [] } }, "id": "69", "loa": "High", "name": "Target Programs with Elevated Privileges", "prerequisites": "The targeted program runs with elevated OS privileges. The targeted program accepts input data from the user or from another program. 
The targeted program does not perform input validation properly. The targeted program does not fail safely. For instance when a program fails it may authorize restricted access to anyone. The targeted program has a vulnerability such as buffer overflow which may be exploited if a malicious user can inject unvalidated data. For instance a buffer overflow interrupts the program as it executes, and makes it run additional code supplied by the attacker. If the program under attack has elevated privileges to the OS, the attacker can elevate its privileges (such as having root level access). The targeted program is giving away information about itself. Before performing such attack, an eventual attacker may need to gather information about the services running on the host target. The more the host target is verbose about the services that are running (version number of application, etc.) the more information can be gather by an attacker. This attack often requires communicating with the host target services directly. For instance Telnet may be enough to communicate with the host target.", "related_capecs": [ "10", "233", "67", "8", "9" ], "related_weakness": [ "15", "250", "264" ], "solutions": "Apply the principle of least privilege. Validate all untrusted data. Apply the latest patches. Scan your services and disable the ones which are not needed and are exposed unnecessarily. Exposing programs increases the attack surface. Only expose the services which are needed and have security mechanisms such as authentication built around them. Avoid revealing information about your system (e.g., version of the program) to anonymous users. Make sure that your program or service fail safely. What happen if the communication protocol is interrupted suddenly? What happen if a parameter is missing? Does your system have resistance and resilience to attack? Fail safely when a resource exhaustion occurs. If possible use a sandbox model which limits the actions that programs can take. 
A sandbox restricts a program to a set of privileges and commands that make it difficult or impossible for the program to cause any damage. Check your program for buffer overflow and format String vulnerabilities which can lead to execution of malicious code. Monitor traffic and resource usage and pay attention if resource exhaustion occurs. Protect your log file from unauthorized modification and log forging.", "summary": "This attack targets programs running with elevated privileges. The attacker would try to leverage a bug in the running program and get arbitrary code to execute with elevated privileges. For instance an attacker would look for programs that write to the system directories or registry keys (such as HKLM, which stores a number of critical Windows environment variables). These programs are typically running with elevated privileges and have usually not been designed with security in mind. Such programs are excellent exploit targets because they yield lots of power when they break. The malicious user try to execute its code at the same level as a privileged system call.", "taxonomy": {}, "typical_severity": "Very High" }, { "execution_flow": { "1": { "Description": "The attacker probes the application for information. Which version of the application is running? Are there known environment variables? etc.", "Phase": "Explore", "Techniques": [] }, "2": { "Description": "The attacker gains control of an environment variable and ties to find out what process(es) the environment variable controls.", "Phase": "Experiment", "Techniques": [] }, "3": { "Description": "The attacker modifies the environment variable to abuse the normal flow of processes or to gain access to privileged resources.", "Phase": "Exploit", "Techniques": [] } }, "id": "13", "loa": "High", "name": "Subverting Environment Variable Values", "prerequisites": "An environment variable is accessible to the user. 
An environment variable used by the application can be tainted with user supplied data. Input data used in an environment variable is not validated properly. The variables encapsulation is not done properly. For instance setting a variable as public in a class makes it visible and an attacker may attempt to manipulate that variable.", "related_capecs": [ "10", "14", "77" ], "related_weakness": [ "15", "20", "200", "285", "302", "353", "73", "74" ], ...
Description
Outputs a CAPEC specified by its id. CAPEC (Common Attack Pattern Enumeration and Classification) is a list of attack types commonly used by attackers.
URL arguments
Argument | Description | Example |
capecid | CAPEC ID | 13 |
Output
[ { "id": "13", "name": "Subverting Environment Variable Values", "prerequisites": "An environment variable is accessible to the user.\nAn environment variable used by the application can be tainted with user supplied data.\nInput data used in an environment variable is not validated properly.\nThe variables encapsulation is not done properly. For instance setting a variable as public in a class makes it visible and an attacker may attempt to manipulate that variable.", "related_weakness": [ "353", "285", "302", "74", "15", "73", "20", "200" ], "solutions": "Protect environment variables against unauthorized read and write access.\nProtect the configuration files which contain environment variables against illegitimate read and write access.\nAssume all input is malicious. Create a white list that defines all valid input to the software system based on the requirements specifications. Input that does not match against the white list should not be permitted to enter into the system.\nApply the least privilege principles. If a process has no legitimate reason to read an environment variable do not give that privilege.", "summary": "The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker." }, ...
Description
Outputs the last n vulnerabilities. If the limit is not specified, the default of 30 is used.
URL arguments
Argument | Description | Example |
limit | The amount of CVEs to display | 10 |
Output
[ { "Modified": { "$date": 1485277140307 }, "Published": { "$date": 1485277140307 }, "cvss": null, "cwe": "Unknown", "id": "CVE-2016-10162", "last-modified": { "$date": 1485277140307 }, "references": [ "http://php.net/ChangeLog-7.php", "https://bugs.php.net/bug.php?id=73831", "https://github.com/php/php-src/commit/8d2539fa0faf3f63e1d1e7635347c5b9e777d47b" ], "summary": "The php_wddx_pop_element function in ext/wddx/wddx.c in PHP 7.0.x before 7.0.15 and 7.1.x before 7.1.1 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an inapplicable class name in a wddxPacket XML document, leading to mishandling in a wddx_deserialize call.", "vulnerable_configuration": [], "vulnerable_configuration_cpe_2_2": [] }, ...
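The sample outputs on this page return "cvss" as a number (7.5), as a string ("9.3") and as null, and wrap timestamps as {"$date": <epoch milliseconds>}. The following added example (not part of the project's code; function names are hypothetical) normalises such records before filtering, so that unscored CVEs are reported separately instead of being dropped or crashing a numeric comparison.

```python
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Constructed sample: fields trimmed from the example outputs on this page.
SAMPLE = [
    {"id": "CVE-2005-0100", "cvss": 7.5,
     "cvss-time": {"$date": 1117762800000}},
    {"id": "CVE-2016-3333", "cvss": "9.3", "cwe": "CWE-119",
     "last-modified": {"$date": 1480345703170}},
    {"id": "CVE-2016-10162", "cvss": None, "cwe": "Unknown",
     "Published": {"$date": 1485277140307}},
]


def parse_date(value):
    """Turn {"$date": <epoch milliseconds>} into an aware UTC datetime."""
    if value is None:
        return None
    if not isinstance(value, dict) or not isinstance(value.get("$date"), int):
        raise ValueError(f"unexpected date value: {value!r}")
    # Integer arithmetic avoids float rounding of the millisecond part.
    return EPOCH + timedelta(milliseconds=value["$date"])


def parse_cvss(value):
    """Return the score as a float, or None when the CVE is not scored."""
    if value is None:
        return None
    if isinstance(value, bool):
        raise ValueError("boolean is not a CVSS score")
    score = float(value)  # accepts 7.5 and "9.3"; raises ValueError on junk
    if not 0.0 <= score <= 10.0:  # also rejects NaN
        raise ValueError(f"CVSS score out of range: {value!r}")
    return score


def normalise(record):
    """Map one API record onto consistently typed fields."""
    cwe = record.get("cwe")
    return {
        "id": record["id"],
        "cvss": parse_cvss(record.get("cvss")),
        "cwe": None if cwe in (None, "Unknown") else cwe,
        "published": parse_date(record.get("Published")),
        "last_modified": parse_date(record.get("last-modified")),
    }


def triage(records, threshold=7.0):
    """Return (records scored at or above threshold, unscored records)."""
    rows = [normalise(r) for r in records]
    urgent = sorted(
        (r for r in rows if r["cvss"] is not None and r["cvss"] >= threshold),
        key=lambda r: r["cvss"], reverse=True)
    unscored = [r for r in rows if r["cvss"] is None]
    return urgent, unscored


if __name__ == "__main__":
    urgent, unscored = triage(SAMPLE)
    for row in urgent:
        print(row["id"], row["cvss"])
    print("needs manual review:", [r["id"] for r in unscored])
```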
Description
Returns a list of CVEs matching the criteria of the filters specified in the headers.
Headers
Argument | Description | Example |
rejected | Hide or show rejected CVEs | show(default)/hide |
cvss_score | CVSS score | 6.8 |
cvss_modifier | Select the CVSS score of the CVEs related to cvss_score | above/equals/below |
time_start | Earliest time for a CVE | dd-mm-yyyy or dd-mm-yy format, using - or / |
time_end | Latest time for a CVE | dd-mm-yyyy or dd-mm-yy format, using - or / |
time_modifier | Timeframe for the CVEs, related to the start and end time | from/until/between/outside |
time_type | Select which time is used for the filter | Modified/Published/last-modified |
skip | Skip the n latest vulnerabilities | 50 |
limit | Limit the amount of vulnerabilities to return | 20 |
Output
[ { "Modified": { "$date": 1480730341713 }, "Published": { "$date": 1480730340167 }, "cvss": 10.0, "cwe": "CWE-287", "id": "CVE-2016-9796", "last-modified": { "$date": 1481117600060 }, "references": [ "http://blog.malerisch.net/2016/12/alcatel-omnivista-8770-unauth-rce-giop-corba.html", "http://www.securityfocus.com/bid/94649", "https://github.com/malerisch/omnivista-8770-unauth-rce", "https://www.youtube.com/watch?v=aq37lQKa9sk" ], "summary": "Alcatel-Lucent OmniVista 8770 2.0 through 3.0 exposes different ORBs interfaces, which can be queried using the GIOP protocol on TCP port 30024. An attacker can bypass authentication, and OmniVista invokes methods (AddJobSet, AddJob, and ExecuteNow) that can be used to run arbitrary commands on the server, with the privilege of NT AUTHORITY\\SYSTEM on the server. NOTE: The discoverer states \"The vendor position is to refer to the technical guidelines of the product security deployment to mitigate this issue, which means applying proper firewall rules to prevent unauthorised clients to connect to the OmniVista server.\"", "vulnerable_configuration": [ "cpe:2.3:a:alcatel-lucent:omnivista_8770_network_management_system:2.6", ...
Description
Returns a list of vendors or products of a specific vendor. This API call can be used in two ways: with or without the vendor.
When the link is called without a vendor, it returns a list of possible vendors.
When the link is called with a vendor, it enumerates the products for said vendor.
URL arguments
Argument | Description | Example |
vendor | Vendor name | microsoft |
Output
{ "product": null, "vendor": [ "%240.99_kindle_books_project", "1024cms", "11in1", "129zou", "12net", "133", "163", "1800contacts", "1kxun", "2g_live_tv_project", ...
{ "vendor": "microsoft", "product": [ ".net_framework", ".net_windows_server", "access", "access_multilingual_user_interface_pack", "active_directory", "active_directory_application_mode", "active_directory_federation_services", ...
Description
When vendor and product are specified, this API call returns a list of CVEs related to the product. The output of the browse call can be used for this.
URL arguments
Argument | Description | Example |
vendor | Vendor name | microsoft |
product | Product name | excel |
Output
[ { "Modified": { "$date": 1480347506210 }, "Published": { "$date": 1478743189440 }, "access": { "authentication": "NONE", "complexity": "MEDIUM", "vector": "NETWORK" }, "cvss": "9.3", "cvss-time": { "$date": 1478772824700 }, "cwe": "CWE-119", "id": "CVE-2016-7236", "impact": { "availability": "COMPLETE", "confidentiality": "COMPLETE", "integrity": "COMPLETE" }, ...
Description
Returns all CVEs that are linked by a given key/value pair.
URL arguments
Argument | Description | Example |
key | The key to link CVEs on | msbulletin.bulletin_id |
value | The value for the given key | MS16-098 |
Output
{ "stats": { "count": 4, "maxCVSS": 7.2, "minCVSS": 7.2 }, "cves": [ { "Modified": { "$date": 1474927194753 }, "Published": { "$date": 1470765557223 }, "access": { "authentication": "NONE", "complexity": "LOW", "vector": "LOCAL" }, "cvss": "7.2", "cvss-time": { "$date": 1470923642083 }, "cwe": "CWE-264", "id": "CVE-2016-3310", "impact": { "availability": "COMPLETE", "confidentiality": "COMPLETE", "integrity": "COMPLETE" }, ...
Description
Returns the stats of the database. When the user authenticates, more information is returned. This information includes:
- Amount of whitelist and blacklist records
- Some server settings like the database name
- Some database information like disk usage
Output
{ "capec": { "last_update": { "$date": 1417734881000 }, "size": 463 }, "cpe": { "last_update": { "$date": 1485582988000 }, "size": 117276 }, "cpeOther": { "last_update": null, "size": 0 }, "cves": { "last_update": { "$date": 1485781223000 }, "size": 81284 }, "cwe": { "last_update": { "$date": 1406765683000 }, "size": 719 }, "via4": { "last_update": { "$date": 1485703986000 }, "size": 81143 } }