Skip to content

Scan IDs Reference

Use scan IDs with --scans and --exclude-scans flags to filter which checks VulnAPI runs.

Terminal window
# Run only JWT checks
vulnapi scan curl https://api.example.com -H "Authorization: Bearer <token>" --scans jwt.alg_none
# Run all JWT checks using a wildcard
vulnapi scan curl ... --scans "jwt.*"
# Exclude all discovery checks
vulnapi scan curl ... --exclude-scans "discover.*"
Scan IDNameOWASPCVSS
jwt.alg_noneJWT Accepts alg: noneAPI2:2023High
jwt.blank_secretJWT Signed With Blank SecretAPI2:2023High
jwt.weak_secretJWT Signed With Weak SecretAPI2:2023High
jwt.kid_injectionJWT KID Header Injection (SQL injection & path traversal)API2:20239.3
jwt.not_verifiedJWT Signature Not VerifiedAPI2:20239.3
jwt.null_signatureJWT Null SignatureAPI2:2023High
generic.accept_unauthenticated_operationEndpoint Accepts Unauthenticated RequestsAPI2:20239.3
Scan IDNameOWASPCVSS
misconfiguration.http_headersSecurity Response Headers MissingAPI8:2023Info–Medium
misconfiguration.http_cookiesCookie Security Flags MisconfiguredAPI8:20230.0
misconfiguration.http_traceHTTP TRACE Method EnabledAPI8:2023Info
misconfiguration.http_trackHTTP TRACK Method EnabledAPI8:2023Info
misconfiguration.http_method_overrideHTTP Method Override Headers AcceptedAPI8:2023Info–High
Scan IDNameOWASPCVSS
graphql.introspection_enabledGraphQL Introspection EnabledAPI8:2023Low

Discovery scans run automatically with vulnapi discover commands. They can also be included/excluded on scan commands.

Scan IDNameDescription
discover.apiAPI FingerprintDetects framework, language, and server from response headers
discover.well_known_pathsWell-Known Path DiscoveryChecks for OpenAPI, GraphQL, and other common paths
discover.domainDomain DiscoveryCommon subdomain patterns and reverse DNS lookup

HTTP Security Headers (sub-checks of misconfiguration.http_headers)

Section titled “HTTP Security Headers (sub-checks of misconfiguration.http_headers)”

The misconfiguration.http_headers scan covers multiple individual header checks. You can exclude the parent scan ID to skip all of them.

HeaderRisk
Content-Security-PolicyMedium
X-Frame-OptionsMedium
X-Content-Type-OptionsInfo
Strict-Transport-SecurityInfo
Access-Control-Allow-Origin (CORS)Medium
Server signature leakInfo
Section titled “Cookie Security (sub-checks of misconfiguration.http_cookies)”

The misconfiguration.http_cookies scan covers five individual cookie flag checks:

Check IDDescriptionCWE
security_misconfiguration.http_cookies_not_http_onlyCookie accessible via JavaScript (XSS risk)CWE-1004
security_misconfiguration.http_cookies_not_secureCookie transmitted over HTTPCWE-614
security_misconfiguration.http_cookies_same_site_noneSameSite=None allows cross-site requestsCWE-1275
security_misconfiguration.http_cookies_without_same_siteSameSite attribute not setCWE-1275
security_misconfiguration.http_cookies_without_expiresSession cookie never expiresCWE-613