How to list findings
The vulnerabilities identified by scans on a target produce findings associated with that target. List these findings using pagination to manage and prioritize the vulnerability fixes and improve the target's security.
Step 1: List the findings (first page)
Start by listing the first page of the findings of a target. To do this, you can first list the targets in your account to select which target’s findings you want to list.
In this request, the target identifier is 2GQXX9RWDTeo
. The request also has a filter to return findings that are not fixed (state=notfixed
), which is a typical use case.
curl https://api.probely.com/targets/2GQXX9RWDTeo/findings/?state=notfixed
-X GET \
-H 'Authorization: JWT <YOUR_API_TOKEN>' \
-H "Content-Type: application/json"
The response returns the information on:
- The total number of findings (
”count”: 24
). - The total number of pages (
”page_total”: 3
). - The current page (
”page”: 1
). - The page size (
”length”: 10
). - The list of targets on the page (
”results”: [...]
), which only has findings that were not fixed ("state": "notfixed"
).
Please note that you will find some values truncated (ending with ...
) to facilitate reading because they were too long. However, the values will be complete in the response you will get.
{
"count": 24,
"page_total": 3,
"page": 1,
"length": 10,
"results": [
{
"id": 11,
"target": {
"id": "2GQXX9RWDTeo",
...
},
"scans": [
"2eYtm8wqiIaw",
"39fhzpXou5AS",
"3jEA8sZ2cEU2",
"42AEbBabitWZ",
"49VsM3ZAw2B6",
"4BmU0UXo6Dim",
"ss8GzkJTxZwe"
],
"labels": [],
"fix": "The application should be configured...",
"requests": [
{
"request": "```\nGET...```",
"response": "```\nHTTP/1.1 200 OK...```"
}
],
"evidence": "\nWe made an HTTP request to...",
"extra": "",
"definition": {
"id": "0fR9GA5lgbo6",
"name": "Unencrypted communications",
"desc": "The application allows clients to..."
},
"url": "http://example.com/",
"path": "http://example.com/",
"method": "get",
"insertion_point": "",
"parameter": "",
"value": "",
"params": {},
"assignee": null,
"state": "notfixed",
"severity": 30,
"cvss_score": 7.4,
"cvss_vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"last_found": "2024-03-27T10:30:05.643856Z",
"retesting": false,
"new": false,
...
},
{
"id": 33,
"target": {
"id": "2GQXX9RWDTeo",
...
},
"scans": [
"3jEA8sZ2cEU2",
"49VsM3ZAw2B6",
"4BmU0UXo6Dim"
],
"labels": [],
"fix": "To fix an SQL Injection you should...",
"requests": [
{
"request": "```\nPOST...```",
"response": "```\nHTTP/1.1 200 OK...```"
}
],
"evidence": "\n\nAs evidence that is possible...",
"extra": "",
"definition": {
"id": "xnV8PJVmSoLS",
"name": "SQL Injection",
"desc": "SQL Injections are the most common..."
},
"url": "http://example.com/bank/ccApply",
"path": "http://example.com/bank/ccApply",
"method": "post",
"insertion_point": "request_body",
"parameter": "passwd",
"value": "...",
"params": {
"passwd": [
"..."
],
"Submit": [
"Submit"
]
},
"assignee": null,
"state": "notfixed",
"severity": 30,
"cvss_score": 7.7,
"cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"last_found": "2024-03-27T09:56:19.772053Z",
"retesting": false,
"new": false,
...
},
...
]
}
Step 2: List the findings (second page)
Since the target has more findings to be fixed, you can list those findings on the second page by adding the page=2
query parameter.
curl https://api.probely.com/targets/2GQXX9RWDTeo/findings/?state=notfixed&page=2 \
-X GET \
-H 'Authorization: JWT <YOUR_API_TOKEN>' \
-H "Content-Type: application/json"
The response returns the second page (”page”: 2
) with the second set of findings in the results (”results”: [...]
).
Please note that you will find some values truncated (ending with ...
) to facilitate reading because they were too long. However, the values will be complete in the response you will get.
{
"count": 24,
"page_total": 3,
"page": 2,
"length": 10,
"results": [
{
"id": 3,
"target": {
"id": "2GQXX9RWDTeo",
...
},
"scans": [
"2eYtm8wqiHaw",
"39fhzpXou9AS",
"3jEv8sZ2cEU2",
"42AEbaabitWZ",
"49VsMRZAw2B6",
"4BmUsUXo6Dim",
"ss8GzkJuxZwe"
],
"labels": [],
"fix":"The correct prevention method is to...",
"requests": [
{
"request": "```\nGET...```",
"response": "```\nHTTP/1.1 200 OK...```"
}
],
"evidence": "The following line(s) includes...",
"extra": "",
"definition": {
"id": "N9V9hJ_GnlKp",
"name": "Reflected cross-site scripting",
"desc": "A reflected cross-site scripting (XSS)..."
},
"url": "http://example.com/search.jsp",
"path": "http://example.com/search.jsp",
"method": "get",
"insertion_point": "parameter",
"parameter": "query",
"value": "...",
"params": {},
"assignee": null,
"state": "notfixed",
"severity": 30,
"cvss_score": 6.1,
"cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"last_found": "2024-03-27T09:55:40.454077Z",
"retesting": false,
"new": false,
...
},
{
"id": 4,
"target": {
"id": "2GQXX9RWDTeo",
...
},
"scans": [
"2eYtm8wqiHaw",
"39fhzpXou9AS",
"3jEv8sZ2cEU2",
"42AEbaabitWZ",
"49VsMRZAw2B6",
"4BmUsUXo6Dim",
"ss8GzkJuxZwe"
],
"labels": [],
"fix":"The correct prevention method is...",
"requests": [
{
"request": "```\nPOST...```",
"response": "```\nHTTP/1.1 200 OK...```"
}
],
"evidence": "The following line(s) includes...",
"extra": "",
"definition": {
"id": "N9V9hJ_GnlKp",
"name": "Reflected cross-site scripting",
"desc": "A reflected cross-site scripting (XSS)..."
},
"url": "http://example.com/sendFeedback",
"path": "http://example.com/sendFeedback",
"method": "post",
"insertion_point": "parameter",
"parameter": "name",
"value": "...",
"params": {
...
},
"assignee": null,
"state": "notfixed",
"severity": 30,
"cvss_score": 6.1,
"cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"last_found": "2024-03-27T09:55:38.104823Z",
"retesting": false,
"new": false,
...
},
...
]
}
Change the page number to move on to other pages with findings.
You can use other query parameters to adjust the pagination or to filter findings according to your needs. For example, you can add a filter (severity=30
) to narrow the list of findings to the ones with a high risk, since they are more important to analyze and fix. Check the API reference documentation on List Target’s Findings for more details.