API
#API# The API can be used for tool development and automation.
##API Authentication## After creating an admin account, navigate to the Admin model in the Sleepy Puppy UI and copy the token. You will need the token to perform any API requests.
You MUST send the token as a header in each request (except the puppyscript_loader endpoint). Every API call must have the following header in the request:
Token: <your token here>
Here is an example for creating a new Assessment:
POST /api/assessments HTTP/1.1
Token: 7bf26bd2a9782a3a3422b6abb5c2d0ebe58999a984bf0bcf8197f56f84f0c878cfd37c76c0339b12
Content-Type: application/json
Content-Length: 29
{"name": "My eComm Assessment"}
##Assessment API##
API Calls
| HTTP Method | URI | ACTION |
|---|---|---|
| GET | http://[hostname]/api/assessments | Retrieve a list of assessments |
| GET | http://[hostname]/api/assessments/[id] | Retrieve a specific assessment |
| POST | http://[hostname]/api/assessments | Create a new assessment |
| PUT | http://[hostname]/api/assessments/[id] | Update a specific assessment |
| DELETE | http://[hostname]/api/assessments/[id] | Delete an assessment |
JSON parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| id | integer | True (For PUT/GET/DELETE | id field for PUT/GET/DELETE requests |
| name | string | True | The application or assessment identifier |
| snooze | boolean | False | Stop captures and/or generic collector for this assessment |
| run_once | boolean | False | Collect a capture and/or generic collector for each payload only once for this assessment |
| access_log_enabled | boolean | False | Record access log requests for any payload accessed for this assessment |
| Here is an example to create a new Assessment using curl: |
curl -v -H "Content-Type: application/json" -H "Token: 7bf26bd2a9782a3a3422b6abb5c2d0ebe58999a984bf0bcf8197f56f84f0c878cfd37c76c0339b12" -X POST -d '{"name": "eCommerce API Review"}' https://127.0.0.1:443/api/assessments##Puppyscript Loader API##
API Calls
| HTTP Method | URI | ACTION |
|---|---|---|
| GET | http://[hostname]/api/puppyscript_loader/ | Retrieve an ordered list of PuppyScripts associated with a Payload |
Here is an example to retrieve a list of PuppyScripts for a Payload using curl:
curl -v -H "Content-Type: application/json" -H "Token: 7bf26bd2a9782a3a3422b6abb5c2d0ebe58999a984bf0bcf8197f56f84f0c878cfd37c76c0339b12" -X GET https://127.0.0.1:443/api/puppyscript_loader/1##Puppyscript API##
API Calls
| HTTP Method | URI | ACTION |
|---|---|---|
| GET | http://[hostname]/api/puppyscript | Retrieve a list of PuppyScripts |
| GET | http://[hostname]/api/puppyscript/[id] | Retrieve a specific PuppyScript |
| POST | http://[hostname]/api/puppyscript | Create a new PuppyScript |
| PUT | http://[hostname]/api/puppyscript/[id] | Update a specific PuppyScript |
| DELETE | http://[hostname]/api/payloads/[id] | Delete a PuppyScript |
JSON parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| id | integer | True (For PUT/GET/DELETE | id field for PUT/GET/DELETE requests |
| name | string | True | The name of the PuppyScript |
| code | string | False | The PuppyScript code (ensure you have newline/carriage returns where appropriate) |
| notes | string | False | Notes on the PuppyScript |
Here is an example to retrieve a specific PuppyScript using curl:
curl -v -H "Content-Type: application/json" -H "Token: 7bf26bd2a9782a3a3422b6abb5c2d0ebe58999a984bf0bcf8197f56f84f0c878cfd37c76c0339b12" -X GET https://127.0.0.1:443/api/puppyscript/1##Assessment Payloads API##
API Calls
| HTTP Method | URI | ACTION |
|---|---|---|
| GET | http://[hostname]/api/assessment_payloads/[assessment_id] | Retrieve a list of Payloads for an Assessment |
Here is an example to retrieve a list of Payloads for an Assessment using curl:
curl -v -H "Content-Type: application/json" -H "Token: 7bf26bd2a9782a3a3422b6abb5c2d0ebe58999a984bf0bcf8197f56f84f0c878cfd37c76c0339b12" -X GET https://127.0.0.1:443/api/assessment_payloads/1##Payload API## Currently the payload API does not support adding or changing PuppyScripts. If you create a payload through the API, the default PuppyScript will be used.
API Calls
| HTTP Method | URI | ACTION |
|---|---|---|
| GET | http://[hostname]/api/payloads | Retrieve a list of payloads |
| GET | http://[hostname]/api/payloads/[id] | Retrieve a specific payload |
| POST | http://[hostname]/api/payloads | Create a new payload |
| PUT | http://[hostname]/api/payloads/[id] | Update a specific payload |
| DELETE | http://[hostname]/api/payloads/[id] | Delete a payload |
JSON parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| id | integer | True (For PUT/GET/DELETE | id field for PUT/GET/DELETE requests |
| payload | string | True | The injection string. Can also use $1 as placeholder for payload |
| notes | string | False | Notes on the payload |
Here is an example to retrieve a specific payload using curl:
curl -v -H "Content-Type: application/json" -H "Token: 7bf26bd2a9782a3a3422b6abb5c2d0ebe58999a984bf0bcf8197f56f84f0c878cfd37c76c0339b12" -X GET https://127.0.0.1:443/api/payloads/1Here is an example JSON body you can send to generate a new payload:
POST Request
{
"payload": "<script src=$1></script>",
"notes": "somenotes"
}
POST Response
HTTP/1.0 201 CREATED
Content-Type: application/json
Content-Length: 200
Date: Tue, 04 Feb 2014 00:30:14 GMT
{
"id": 3,
"puppyscripts": [
"Default"
],
"notes": "somenotes",
"payload": "<script src=$1></script>"
}
##Capture API##
API Calls
| HTTP Method | URI | ACTION |
|---|---|---|
| GET | http://[hostname]/api/captures | Retrieve a list of Captures |
| GET | http://[hostname]/api/captures/[id] | Retrieve a specific Capture |
| DELETE | http://[hostname]/api/captures/[id] | Delete a Capture |
Here is a curl example to get a specific Capture based on id:
curl -v -H "Content-Type: application/json" -H "Token: 7bf26bd2a9782a3a3422b6abb5c2d0ebe58999a984bf0bcf8197f56f84f0c878cfd37c76c0339b12" -X GET https://127.0.0.1:443/api/captures/1
##Generic Collector API##
API Calls
| HTTP Method | URI | ACTION |
|---|---|---|
| GET | http://[hostname]/api/generic_collector | Retrieve a list of Generic Collections |
| GET | http://[hostname]/api/generic_collector/[id] | Retrieve a Generic Collection |
| DELETE | http://[hostname]/api/generic_collector/[id] | Delete a Generic Collection |
Here is a curl example to get a specific Generic Collection based on id:
curl -v -H "Content-Type: application/json" -H "Token: 7bf26bd2a9782a3a3422b6abb5c2d0ebe58999a984bf0bcf8197f56f84f0c878cfd37c76c0339b12" -X GET https://127.0.0.1:443/api/generic_collection/1
##Access Log API##
API Calls
| HTTP Method | URI | ACTION |
|---|---|---|
| GET | http://[hostname]/api/access_log | Retrieve a list of the Access Log |
| GET | http://[hostname]/api/access_log/[id] | Retrieve a specific Access Log |
| DELETE | http://[hostname]/api/access_log/[id] | Delete an Access Log |
Here is a curl example to get a specific Access Log based on id:
curl -v -H "Content-Type: application/json" -H "Token: 7bf26bd2a9782a3a3422b6abb5c2d0ebe58999a984bf0bcf8197f56f84f0c878cfd37c76c0339b12" -X GET https://127.0.0.1:443/api/access_log/1