API Endpoints

CommonHuman-Lab edited this page Feb 24, 2026 · 1 revision

Health & System

  • GET /health
    Check server health and tool availability.
  • GET /api/cache/stats
    Get cache statistics.
  • POST /api/cache/clear
    Clear the tool cache.
  • GET /api/telemetry
    Get system telemetry.

File Operations

  • POST /api/files/create
    Create a new file.
    Body: { "filename": "file.txt", "content": "data", "binary": false }
  • POST /api/files/modify
    Modify an existing file.
    Body: { "filename": "file.txt", "content": "data", "append": false }
  • DELETE /api/files/delete
    Delete a file or directory.
    Body: { "filename": "file.txt" }
  • GET /api/files/list
    List files in a directory.
    Query: ?directory=.

Payload Generation

  • POST /api/payloads/generate
    Generate large payloads for testing.
    Body: { "payload_type": "buffer", "size": 1024, "pattern": "A", "filename": "" }

Security Tools

  • POST /api/tools/nmap
    Run Nmap scan.
    Body: { "target": "host", "scan_type": "-sCV", "ports": "", "additional_args": "-T4 -Pn" }
  • POST /api/tools/gobuster
    Run Gobuster directory scan.
    Body: { "url": "http://site", "mode": "dir", "wordlist": "/usr/share/wordlists/dirb/common.txt", "additional_args": "" }
  • POST /api/tools/nikto
    Run Nikto web server scan.
    Body: { "target": "http://site", "additional_args": "" }
  • POST /api/tools/ffuf
    Run FFUF web fuzzer.
    Body: { "url": "http://site/FUZZ", "wordlist": "/usr/share/wordlists/dirb/common.txt", "mode": "directory", "match_codes": "200,204,301,302,307,401,403", "additional_args": "" }
  • POST /api/tools/dirsearch
    Run Dirsearch path scanner.
    Body: { "url": "http://site", "additional_args": "" }
  • POST /api/tools/httpx
    HTTP probing and tech detection.
    Body: { "target": "http://site", "probe": true, "tech_detect": true, "status_code": true, "title": true, "additional_args": "" }

Vulnerability Scanning

  • POST /api/tools/nuclei
    Run Nuclei vulnerability scan.
    Body: { "target": "http://site", "severity": "", "tags": "", "template": "", "additional_args": "" }
  • POST /api/tools/sqlmap
    Run SQLMap SQL injection test.
    Body: { "url": "http://site", "data": "", "additional_args": "" }
  • POST /api/tools/dalfox
    Run Dalfox XSS scanner.
    Body: { "url": "http://site", "blind": false, "additional_args": "" }

OSINT

  • POST /api/tools/whois
    WHOIS lookup for domains and IPs.
    Body: { "target": "example.com" }
  • POST /api/tools/amass
    Subdomain enumeration.
    Body: { "domain": "example.com", "mode": "enum", "additional_args": "" }
  • POST /api/tools/subfinder
    Passive subdomain discovery.
    Body: { "domain": "example.com", "silent": true, "all_sources": false, "additional_args": "" }
  • POST /api/tools/fierce
    DNS reconnaissance.
    Body: { "domain": "example.com", "additional_args": "" }
  • POST /api/tools/dnsenum
    DNS enumeration and zone transfer.
    Body: { "domain": "example.com", "additional_args": "" }

Exploitation & Brute Force

  • POST /api/tools/metasploit
    Run Metasploit module.
    Body: { "module": "exploit/windows/smb/ms17_010_eternalblue", "options": {} }
  • POST /api/tools/hydra
    Network login brute-forcer.
    Body: { "target": "host", "service": "ssh", "username": "", "username_file": "", "password": "", "password_file": "", "additional_args": "" }
  • POST /api/tools/hashcat
    GPU-accelerated password cracker.
    Body: { "hash_file": "hashes.txt", "hash_type": "1000", "attack_mode": "0", "wordlist": "/usr/share/wordlists/rockyou.txt", "mask": "", "additional_args": "" }

Binary Analysis

  • POST /api/tools/gdb
    Run GDB analysis.
    Body: { "file": "binary", "commands": "", "additional_args": "" }
  • POST /api/tools/radare2
    Run Radare2 analysis.
    Body: { "file": "binary", "commands": "", "additional_args": "" }
  • POST /api/tools/binwalk
    Firmware analysis and extraction.
    Body: { "file": "firmware.bin", "additional_args": "" }

Cloud & Container Security

  • POST /api/tools/prowler
    AWS/Azure/GCP security audit.
    Body: { "provider": "aws", "profile": "default", "region": "", "checks": "", "additional_args": "" }
  • POST /api/tools/trivy
    Container and filesystem vulnerability scanner.
    Body: { "target": "image:latest", "scan_type": "image", "severity": "", "additional_args": "" }
  • POST /api/tools/kube-hunter
    Kubernetes penetration testing.
    Body: { "additional_args": "" }

Database Operations

  • POST /api/tools/mysql
    Query a MySQL/MariaDB database.
    Body: { "host": "127.0.0.1", "user": "root", "password": "", "database": "testdb", "query": "SELECT * FROM users;" }
  • POST /api/tools/postgresql
    Query a PostgreSQL database.
    Body: { "host": "127.0.0.1", "user": "postgres", "password": "", "database": "testdb", "query": "SELECT * FROM users;" }
  • POST /api/tools/sqlite
    Query a SQLite database file.
    Body: { "db_path": "/path/to/test.db", "query": "SELECT * FROM users;" }

Example: WHOIS Lookup

curl -X POST http://127.0.0.1:8888/api/tools/whois \
  -H "Content-Type: application/json" \
  -d '{"target": "example.com"}'