RK edited this page Sep 16, 2015 · 7 revisions

#API#

The API can be used for tool development and automation.

##API Authentication##

After creating an admin account, navigate to the Admin model in the Sleepy Puppy UI and copy the token. You will need the token to perform any API requests.


You MUST send the token as a header in each request (except the puppyscript_loader endpoint). Every API call must have the following header in the request:

```
Token: <your token here>
```

Here is an example for creating a new Assessment:

```
POST /api/assessments HTTP/1.1
Token: 7bf26bd2a9782a3a3422b6abb5c2d0ebe58999a984bf0bcf8197f56f84f0c878cfd37c76c0339b12
Content-Type: application/json
Content-Length: 31

{"name": "My eComm Assessment"}
```

##Assessment API##

API Calls

| HTTP Method | URI | Action |
|---|---|---|
| GET | `http://[hostname]/api/assessments` | Retrieve a list of assessments |
| GET | `http://[hostname]/api/assessments/[id]` | Retrieve a specific assessment |
| POST | `http://[hostname]/api/assessments` | Create a new assessment |
| PUT | `http://[hostname]/api/assessments/[id]` | Update a specific assessment |
| DELETE | `http://[hostname]/api/assessments/[id]` | Delete an assessment |

JSON parameters

| Parameter | Type | Required | Description |
|---|---|---|---|
| id | integer | True (for PUT/GET/DELETE) | id field for PUT/GET/DELETE requests |
| name | string | True | The application or assessment identifier |
| snooze | boolean | False | Stop captures and/or generic collector for this assessment |
| run_once | boolean | False | Collect a capture and/or generic collector for each payload only once for this assessment |
| access_log_enabled | boolean | False | Record access log requests for any payload accessed for this assessment |

Here is an example to create a new Assessment using curl:

```
curl -v -H "Content-Type: application/json" -H "Token: 7bf26bd2a9782a3a3422b6abb5c2d0ebe58999a984bf0bcf8197f56f84f0c878cfd37c76c0339b12" -X POST -d '{"name": "eCommerce API Review"}' https://127.0.0.1:443/api/assessments
```
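
The same create-assessment request built from Python, as an added example that is not part of the original page or the Sleepy Puppy code base: it checks parameters against the table above, refuses non-HTTPS base URLs and takes the token from the environment rather than the command line. The function names, the `SLEEPY_PUPPY_TOKEN` variable and the client-side checks are assumptions of this example.

```python
import json
import os
import urllib.request
from urllib.parse import urlsplit

# Types from the Assessment "JSON parameters" table; id is omitted because
# this example only creates assessments.
ASSESSMENT_FIELDS = {"name": str, "snooze": bool, "run_once": bool,
                     "access_log_enabled": bool}


def validate_assessment(fields):
    """Reject unknown keys, wrong types and a missing name (client-side assumption)."""
    for key, value in fields.items():
        expected = ASSESSMENT_FIELDS.get(key)
        if expected is None:
            raise ValueError(f"unknown parameter: {key}")
        if not isinstance(value, expected):
            raise ValueError(f"{key} must be {expected.__name__}")
    if not fields.get("name"):
        raise ValueError("name is required")
    return fields


def build_request(base_url, method, path, token, body=None):
    """Build, without sending, an API request that carries the Token header."""
    if urlsplit(base_url).scheme != "https":
        raise ValueError("refusing to send the admin token over plain HTTP")
    if not token:
        raise ValueError("no API token supplied")
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base_url.rstrip("/") + path, data=data,
                                 method=method)
    req.add_header("Token", token)
    if data is not None:
        req.add_header("Content-Type", "application/json")
    return req


def create_assessment(base_url, token, **fields):
    """POST /api/assessments with validated parameters."""
    return build_request(base_url, "POST", "/api/assessments", token,
                         validate_assessment(fields))


if __name__ == "__main__":
    # SLEEPY_PUPPY_TOKEN is a hypothetical variable name chosen for this example.
    req = create_assessment("https://127.0.0.1", os.environ["SLEEPY_PUPPY_TOKEN"],
                            name="eCommerce API Review", run_once=True)
    print(req.get_method(), req.full_url, req.data.decode())
```

Pass the returned object to `urllib.request.urlopen` to send it.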

##Puppyscript Loader API##

API Calls

| HTTP Method | URI | Action |
|---|---|---|
| GET | `http://[hostname]/api/puppyscript_loader/` | Retrieve an ordered list of PuppyScripts associated with a Payload |

Here is an example to retrieve a list of PuppyScripts for a Payload using curl:

```
curl -v -H "Content-Type: application/json" -H "Token: 7bf26bd2a9782a3a3422b6abb5c2d0ebe58999a984bf0bcf8197f56f84f0c878cfd37c76c0339b12" -X GET https://127.0.0.1:443/api/puppyscript_loader/1
```

##Puppyscript API##

API Calls

| HTTP Method | URI | Action |
|---|---|---|
| GET | `http://[hostname]/api/puppyscript` | Retrieve a list of PuppyScripts |
| GET | `http://[hostname]/api/puppyscript/[id]` | Retrieve a specific PuppyScript |
| POST | `http://[hostname]/api/puppyscript` | Create a new PuppyScript |
| PUT | `http://[hostname]/api/puppyscript/[id]` | Update a specific PuppyScript |
| DELETE | `http://[hostname]/api/payloads/[id]` | Delete a PuppyScript |

JSON parameters

| Parameter | Type | Required | Description |
|---|---|---|---|
| id | integer | True (for PUT/GET/DELETE) | id field for PUT/GET/DELETE requests |
| name | string | True | The name of the PuppyScript |
| code | string | False | The PuppyScript code (ensure you have newline/carriage returns where appropriate) |
| notes | string | False | Notes on the PuppyScript |

Here is an example to retrieve a specific PuppyScript using curl:

```
curl -v -H "Content-Type: application/json" -H "Token: 7bf26bd2a9782a3a3422b6abb5c2d0ebe58999a984bf0bcf8197f56f84f0c878cfd37c76c0339b12" -X GET https://127.0.0.1:443/api/puppyscript/1
```

##Assessment Payloads API##

API Calls

| HTTP Method | URI | Action |
|---|---|---|
| GET | `http://[hostname]/api/assessment_payloads/[assessment_id]` | Retrieve a list of Payloads for an Assessment |

Here is an example to retrieve a list of Payloads for an Assessment using curl:

```
curl -v -H "Content-Type: application/json" -H "Token: 7bf26bd2a9782a3a3422b6abb5c2d0ebe58999a984bf0bcf8197f56f84f0c878cfd37c76c0339b12" -X GET https://127.0.0.1:443/api/assessment_payloads/1
```

##Payload API##

Currently the payload API does not support adding or changing PuppyScripts. If you create a payload through the API, the default PuppyScript will be used.

API Calls

| HTTP Method | URI | Action |
|---|---|---|
| GET | `http://[hostname]/api/payloads` | Retrieve a list of payloads |
| GET | `http://[hostname]/api/payloads/[id]` | Retrieve a specific payload |
| POST | `http://[hostname]/api/payloads` | Create a new payload |
| PUT | `http://[hostname]/api/payloads/[id]` | Update a specific payload |
| DELETE | `http://[hostname]/api/payloads/[id]` | Delete a payload |

JSON parameters

| Parameter | Type | Required | Description |
|---|---|---|---|
| id | integer | True (for PUT/GET/DELETE) | id field for PUT/GET/DELETE requests |
| payload | string | True | The injection string. Can also use `$1` as placeholder for payload |
| notes | string | False | Notes on the payload |

Here is an example to retrieve a specific payload using curl:

```
curl -v -H "Content-Type: application/json" -H "Token: 7bf26bd2a9782a3a3422b6abb5c2d0ebe58999a984bf0bcf8197f56f84f0c878cfd37c76c0339b12" -X GET https://127.0.0.1:443/api/payloads/1
```

Here is an example JSON body you can send to generate a new payload:

POST Request

```
{
    "payload": "<script src=$1></script>",
    "notes": "somenotes"
}
```

POST Response

```
HTTP/1.0 201 CREATED
Content-Type: application/json
Content-Length: 200
Date: Tue, 04 Feb 2014 00:30:14 GMT

{
    "id": 3,
    "puppyscripts": [
        "Default"
    ],
    "notes": "somenotes",
    "payload": "<script src=$1></script>"
}
```

##Capture API##

API Calls

| HTTP Method | URI | Action |
|---|---|---|
| GET | `http://[hostname]/api/captures` | Retrieve a list of Captures |
| GET | `http://[hostname]/api/captures/[id]` | Retrieve a specific Capture |
| DELETE | `http://[hostname]/api/captures/[id]` | Delete a Capture |

Here is a curl example to get a specific Capture based on id:

```
curl -v -H "Content-Type: application/json" -H "Token: 7bf26bd2a9782a3a3422b6abb5c2d0ebe58999a984bf0bcf8197f56f84f0c878cfd37c76c0339b12" -X GET https://127.0.0.1:443/api/captures/1
```

##Generic Collector API##

API Calls

| HTTP Method | URI | Action |
|---|---|---|
| GET | `http://[hostname]/api/generic_collector` | Retrieve a list of Generic Collections |
| GET | `http://[hostname]/api/generic_collector/[id]` | Retrieve a Generic Collection |
| DELETE | `http://[hostname]/api/generic_collector/[id]` | Delete a Generic Collection |

Here is a curl example to get a specific Generic Collection based on id:

```
curl -v -H "Content-Type: application/json" -H "Token: 7bf26bd2a9782a3a3422b6abb5c2d0ebe58999a984bf0bcf8197f56f84f0c878cfd37c76c0339b12" -X GET https://127.0.0.1:443/api/generic_collector/1
```

##Access Log API##

API Calls

| HTTP Method | URI | Action |
|---|---|---|
| GET | `http://[hostname]/api/access_log` | Retrieve a list of the Access Log |
| GET | `http://[hostname]/api/access_log/[id]` | Retrieve a specific Access Log |
| DELETE | `http://[hostname]/api/access_log/[id]` | Delete an Access Log |

Here is a curl example to get a specific Access Log based on id:

```
curl -v -H "Content-Type: application/json" -H "Token: 7bf26bd2a9782a3a3422b6abb5c2d0ebe58999a984bf0bcf8197f56f84f0c878cfd37c76c0339b12" -X GET https://127.0.0.1:443/api/access_log/1
```