
Basic Usage

GET https://pentestnet.com/api

For API Plan Users

https://pentestnet.com/api/YOUR_API_KEY?mode=SCAN_MODE&url=www.example.com
GET https://pentestnet.com/api-plus

For API Plus Plan Users

https://pentestnet.com/api-plus/YOUR_API_KEY?mode=SCAN_MODE&url=www.example.com

Scan Modes

GET https://pentestnet.com/api (or api-plus)

Mode: security

This mode checks the target's SSL/TLS setup, tests for XSS and SQL injection (SQLi), and inspects its security headers. See Response

https://pentestnet.com/api/YOUR_API_KEY?mode=security&url=www.example.com
GET https://pentestnet.com/api (or api-plus)

Mode: headers

This mode scans the target for Security Headers. See Response

https://pentestnet.com/api/YOUR_API_KEY?mode=headers&url=www.example.com
GET https://pentestnet.com/api (or api-plus)

Mode: sqli

This mode scans the target for SQL Injection. See Response

https://pentestnet.com/api/YOUR_API_KEY?mode=sqli&url=www.example.com
GET https://pentestnet.com/api (or api-plus)

Mode: xss

This mode scans the target for Cross-Site Scripting. See Response

https://pentestnet.com/api/YOUR_API_KEY?mode=xss&url=www.example.com
GET https://pentestnet.com/api (or api-plus)

Mode: subdomains

This mode checks the target against a list of 500 common subdomain names. Only the subdomains that were found are returned. See Response

https://pentestnet.com/api/YOUR_API_KEY?mode=subdomains&url=www.example.com

Code Examples

JavaScript
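// Using the Fetch API
// The API key is part of the request URL, so anyone who can read this script
// or the request log can read the key. Call the API from server-side code (or
// through your own backend) instead of embedding the key in a public page.
// URLSearchParams percent-encodes the target, so characters such as "&" or "#"
// inside it cannot change the query string.
fetch(`https://pentestnet.com/api/YOUR_API_KEY?${new URLSearchParams({ mode: 'SCAN_MODE', url: 'www.example.com' })}`)
  .then(response => {
    // Error responses (400/401/403/429) also carry a JSON body; report the
    // status instead of handling them like a scan result.
    if (!response.ok) {
      throw new Error(`Request failed with HTTP ${response.status}`);
    }
    return response.json();
  })
  .then(data => console.log(data))
  .catch(error => console.error('Error:', error));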

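// Using async/await
/**
 * Requests a scan and logs the parsed JSON result.
 *
 * The API key is part of the request URL, so keep this call in server-side
 * code; a key embedded in a public page can be read by every visitor.
 * Network failures, non-2xx responses and invalid JSON are all reported
 * through console.error and never rethrown.
 *
 * @returns {Promise<void>} Resolves once the result or the error was logged.
 */
async function fetchData() {
  // URLSearchParams percent-encodes the target, so characters such as "&" or
  // "#" inside it cannot change the query string.
  const query = new URLSearchParams({ mode: 'SCAN_MODE', url: 'www.example.com' });
  try {
    const response = await fetch(`https://pentestnet.com/api/YOUR_API_KEY?${query}`);
    // 400/401/403/429 responses carry a JSON error body; do not log them as
    // if they were a scan result.
    if (!response.ok) {
      throw new Error(`Request failed with HTTP ${response.status}`);
    }
    const data = await response.json();
    console.log(data);
  } catch (error) {
    console.error('Error:', error);
  }
}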
cURL
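# Quote the URL: without quotes the shell treats "&" as the background
# operator, so curl runs without the url parameter.
# The API key is part of the URL and therefore ends up in shell history and
# in any proxy or access log along the way.
curl 'https://pentestnet.com/api/YOUR_API_KEY?mode=SCAN_MODE&url=www.example.com'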
Python
import requests

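# The API key is part of the URL path; load it from configuration or an
# environment variable rather than committing it with the script.
response = requests.get(
    'https://pentestnet.com/api/YOUR_API_KEY',
    # params= percent-encodes the target, so characters such as "&" or "#"
    # inside it cannot change the query string.
    params={'mode': 'SCAN_MODE', 'url': 'www.example.com'},
    # requests applies no timeout by default; without one a stalled request
    # blocks forever. 60 is a constructed value, tune it to your scans.
    timeout=60,
)
# Raise on 400/401/403/429 instead of parsing the error body as a scan result.
response.raise_for_status()
data = response.json()
print(data)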
Node.js
const fetch = require('node-fetch');

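// The API key is part of the request URL; load it from configuration or the
// environment instead of hard-coding it in a file that gets committed.
// URLSearchParams percent-encodes the target, so characters such as "&" or "#"
// inside it cannot change the query string.
fetch(`https://pentestnet.com/api/YOUR_API_KEY?${new URLSearchParams({ mode: 'SCAN_MODE', url: 'www.example.com' })}`)
  .then(response => {
    // Error responses (400/401/403/429) also carry a JSON body; report the
    // status instead of handling them like a scan result.
    if (!response.ok) {
      throw new Error(`Request failed with HTTP ${response.status}`);
    }
    return response.json();
  })
  .then(data => console.log(data))
  .catch(error => console.error('Error:', error));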
Ruby
require 'net/http'
require 'json'

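# The API key is part of the URL path; load it from configuration or the
# environment rather than committing it with the script.
uri = URI('https://pentestnet.com/api/YOUR_API_KEY')
# encode_www_form percent-encodes the target, so characters such as "&" or "#"
# inside it cannot change the query string.
uri.query = URI.encode_www_form(mode: 'SCAN_MODE', url: 'www.example.com')
# get_response exposes the status; Net::HTTP.get would hand back the body of a
# 400/401/403/429 response as if it were a scan result.
response = Net::HTTP.get_response(uri)
raise "Request failed with HTTP #{response.code}" unless response.is_a?(Net::HTTPSuccess)

data = JSON.parse(response.body)
puts data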
PHP
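// The API key is part of the URL path; load it from configuration or the
// environment rather than committing it with the script.
// http_build_query percent-encodes the target, so characters such as "&" or
// "#" inside it cannot change the query string.
$query = http_build_query(['mode' => 'SCAN_MODE', 'url' => 'www.example.com']);
$response = file_get_contents('https://pentestnet.com/api/YOUR_API_KEY?' . $query);
// file_get_contents returns false on failure, which by default includes
// HTTP 4xx/5xx responses; do not pass that on to json_decode.
if ($response === false) {
    throw new RuntimeException('Request failed');
}
$data = json_decode($response, true);
// json_decode returns null for malformed input; check the error state to
// distinguish that from a valid null.
if (json_last_error() !== JSON_ERROR_NONE) {
    throw new RuntimeException('Invalid JSON in response: ' . json_last_error_msg());
}
print_r($data);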

Example Responses

200 OK Mode: security

{
    "url": "www.example.com",
    "status": "success",
    "score": 60.0,
    "warnings": 3,
    "criticals": 0,
    "missing_headers": 4,
    "ssl": {
        "http_to_https": true,
        "https_supported": true,
        "issuer": "DigiCert Inc",
        "notAfter": "2025-02-12 23:59:59",
        "notBefore": "2024-11-14 00:00:00",
        "serialNumber": "1412955207862392388904228966715892244",
        "ssl_certificate_is_valid": true
    },
    "sqli": {
        "forms_found": 4,
        "is_blind_sqli_vulnerable": false,
        "is_sqli_vulnerable": false
    },
    "xss": {
        "forms_found": 4,
        "is_xss_vulnerable": false,
        "payload": "None"
    },
    "security_headers": {
        "content-security-policy": {
            "contents": null,
            "defined": false,
            "notes": [],
            "warn": true
        },
        "permissions-policy": {
            "contents": "unload=()",
            "defined": true,
            "notes": [
                "Privacy-sensitive feature 'camera' is not restricted to specific origins.",
                "Privacy-sensitive feature 'geolocation' is not restricted to specific origins.",
                "Privacy-sensitive feature 'microphone' is not restricted to specific origins.",
                "Privacy-sensitive feature 'payment' is not restricted to specific origins."
            ],
            "warn": true
        },
        "referrer-policy": {
            "contents": null,
            "defined": false,
            "notes": [],
            "warn": true
        },
        "server": {
            "contents": "gws",
            "defined": true,
            "notes": [],
            "warn": false
        },
        "strict-transport-security": {
            "contents": "max-age=31536000",
            "defined": true,
            "notes": [],
            "warn": false
        },
        "x-content-type-options": {
            "contents": null,
            "defined": false,
            "notes": [],
            "warn": true
        },
        "x-frame-options": {
            "contents": "SAMEORIGIN",
            "defined": true,
            "notes": [],
            "warn": false
        },
        "x-xss-protection": {
            "contents": "0",
            "defined": true,
            "notes": [],
            "warn": false
        }
    }
}
200 OK Mode: headers

{
    "url": "www.example.com",
    "status": "success",
    "security_headers": {
        "content-security-policy": {
            "contents": null,
            "defined": false,
            "notes": [],
            "warn": true
        },
        "permissions-policy": {
            "contents": "unload=()",
            "defined": true,
            "notes": [
                "Privacy-sensitive feature 'camera' is not restricted to specific origins.",
                "Privacy-sensitive feature 'geolocation' is not restricted to specific origins.",
                "Privacy-sensitive feature 'microphone' is not restricted to specific origins.",
                "Privacy-sensitive feature 'payment' is not restricted to specific origins."
            ],
            "warn": true
        },
        "referrer-policy": {
            "contents": null,
            "defined": false,
            "notes": [],
            "warn": true
        },
        "server": {
            "contents": "gws",
            "defined": true,
            "notes": [],
            "warn": false
        },
        "strict-transport-security": {
            "contents": "max-age=31536000",
            "defined": true,
            "notes": [],
            "warn": false
        },
        "x-content-type-options": {
            "contents": null,
            "defined": false,
            "notes": [],
            "warn": true
        },
        "x-frame-options": {
            "contents": "SAMEORIGIN",
            "defined": true,
            "notes": [],
            "warn": false
        },
        "x-xss-protection": {
            "contents": "0",
            "defined": true,
            "notes": [],
            "warn": false
        }
    }
}
200 OK Mode: sqli

{
    "url": "www.example.com",
    "status": "success",
    "sqli": {
        "forms_found": 4,
        "is_blind_sqli_vulnerable": false,
        "is_sqli_vulnerable": false
    }
}
200 OK Mode: xss

{
    "url": "www.example.com",
    "status": "success",
    "xss": {
        "forms_found": 4,
        "is_xss_vulnerable": false,
        "payload": "None"
    }
}
200 OK Mode: subdomains

{
    "url": "www.example.com",
    "ip": "0.0.0.0",
    "status": "success",
    "subdomains": [
      {
        "domain": "www",
        "ip": "0.0.0.0"
      },
      {
        "domain": "mail",
        "ip": "0.0.0.0"
      },
      {
        "domain": "autoconfig",
        "ip": "0.0.0.0"
      },
      {
        "domain": "autodiscover",
        "ip": "0.0.0.0"
      }
    ]
}
400 Bad Request
{
    "error": "Bad Request"
}
401 Unauthorized
{
    "error": "API Key is invalid"
}
403 Forbidden
{
    "error": "Forbidden Request"
}
429 Too Many Requests
{
    "error": "Rate limit exceeded"
}

Troubleshooting

Common Error Codes

  • 400 Bad Request. The target URL could not be scanned.
  • 401 Unauthorized. The API key is invalid or missing.
  • 403 Forbidden. Insufficient permissions; use the endpoint that matches your plan (api or api-plus).
  • 429 Too Many Requests. Rate limit exceeded.