Skip to content

Your First Scan

The fastest way to try VulnAPI is with vulnapi scan curl. It works like curl — point it at any HTTP endpoint and it immediately starts testing for vulnerabilities.

Terminal window
vulnapi scan curl https://api.example.com/endpoint

That’s it. VulnAPI sends a series of crafted requests to the endpoint and prints a report.

Most real APIs require authentication. Pass an Authorization header the same way you would with curl:

Terminal window
vulnapi scan curl https://api.example.com/endpoint \
-H "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9..."

You can repeat -H for additional headers (API keys, custom headers, etc.):

Terminal window
vulnapi scan curl https://api.example.com/endpoint \
-H "Authorization: Bearer <token>" \
-H "X-API-Key: <key>"

Use -X to set the HTTP method and -d to send a request body:

Terminal window
vulnapi scan curl https://api.example.com/login \
-X POST \
-d '{"username":"alice","password":"secret"}' \
-H "Content-Type: application/json"

After the scan completes, VulnAPI prints a table like this:

| OPERATION | RISK LEVEL | CVSS 4.0 SCORE | OWASP | VULNERABILITY |
|-----------------------------|------------|----------------|--------------------------|-----------------------------|
| GET /endpoint | High | 9.3 | API2:2023 Broken Auth | JWT Token is not verified |
| GET /endpoint | Medium | 5.1 | API8:2023 Security Misc | X-Frame-Options is missing |
| GET /endpoint | Info | 0.0 | API8:2023 Security Misc | HSTS Header is missing |
ColumnWhat it means
OPERATIONThe HTTP method and path that was tested
RISK LEVELSeverity: Info / Low / Medium / High / Critical
CVSS 4.0 SCORENumeric score from 0.0 to 10.0
OWASPThe OWASP API Security Top 10 category
VULNERABILITYA short description of the finding

A scan with no rows in the vulnerability table means VulnAPI found nothing with a CVSS score above the default threshold of 1.0. This is a good sign, but not a guarantee — VulnAPI tests for a specific set of known vulnerabilities.