The objective of this document is to define the REST API for w3af.

We're going to focus on delivering the most basic functionality: configure a scan, start, get status, pause, stop and read identified vulnerabilities. Any other features will be implemented in next versions.

Basic HTTP authentication will be required to access the API

There won't be any concept of users nor permissions. If the user has the credentials he'll have access to all the information.

Scan results will be removed each time you start a new scan, or shutdown the w3af_api process.

Before reading the list, please note that the methods might not be exposed one-to-one. In other words, there might be two or more methods listed below which are going to be called when accessing one REST API path.

• start
• stop
• pause

• set_plugin_options
• get_plugin_options
• get_all_enabled_plugins
• get_enabled_plugins
• set_plugins
• get_plugin_list

• get_status
• is_running
• is_paused
• get_run_time
• get_scan_time
• get_rpm

• set_options which is used to configure the scan target

• get
• get_all_known_urls
• get_all_known_fuzzable_requests
• get_all_vulns
• get_all_infos