scanDetail — Retrieving detailed scan results
The scanDetail method retrieves the detailed scan results.
This can be used to provide detailed scan results to the user through the partner’s dashboard.
The API endpoint is:
https://api.sitelock.com/v1/partnerRequest format
-
SiteLockOnlineRequest: This element is used to delineate the full API request.
-
authentication: The partner’s username, password, and branding
-
username: The partner’s API username
-
password: The partner’s API password
-
partner: (Optional) The brand name to use in messaging
-
-
scanDetail: The method name
-
site_id: The ID of the site for which to retrieve the scan details
-
scans: One or more of the following scans:
-
malware_scan: The Webpage Scan
-
sqli_scan: The SQL Injection Scan
-
xss_scan: The Cross-Site Scripting Scan
-
ssl_scan: The SSL Monitor
-
advisories: The Security Advisories Scan
-
risk_score: The Risk Score Scan
-
db_scan: The SMART Database Scan
-
id: [optional attribute] - A unique numerical identifier of the scan. If this attribute is present, the response will return the detailed results of the scan with that ID. Otherwise, the latest platform scan will be returned. You can get the ID from scanSummary.
-
-
platform_scan: The Platform Scan
-
id: [optional attribute] - A unique numerical identifier of the scan. If this attribute is present, the response will return the detailed results of the scan with that ID. Otherwise, the latest scan will be returned. If an invalid ID is present, the result is an empty set. To be valid, the ID must match the site for which this call is being made, and the site must belong to an account that belongs to this reseller. You can get the ID from scanSummary.
-
-
smart_scan: The SMART File Scan
-
id: [optional attribute] - A unique numerical identifier of the scan. If this attribute is present, the response will return the detailed results of the scan with that ID. Otherwise, the latest scan will be returned. If an invalid ID is present, the result is an empty set. To be valid, the ID must match the site for which this call is being made, and the site must belong to an account that belongs to this reseller. You can get the ID from scanSummary.
-
-
patchman_scan: The SMART Patch Scan
-
smart_scan_id: [optional attribute] - A unique numerical identifier of the scan. If this attribute is present, the response will return the detailed results of the scan with that ID. Otherwise, the latest scan will be returned. If an invalid ID is present, the result is an empty set. To be valid, the ID must match the site for which this call is being made, and the site must belong to an account that belongs to this reseller. You can get the ID from scanSummary.
-
-
-
-
Example request
<SiteLockOnlineRequest>
<authentication>
<user>Username</user>
<password>Password</password>
</authentication>
<scanDetail>
<site_id>10900</site_id>
<scans>
<malware_scan/>
<sqli_scan/>
<xss_scan/>
<ssl_scan/>
<advisories/>
<smart_scan id="99999"/>
<risk_score/>
<db_scan id="12345"/>
<platform_scan id="12345"/>
<patchman_scan smart_scan_id="12345"/>
</scans>
</scanDetail>
</SiteLockOnlineRequest>Response format
The successful response details:
-
scanDetail: This element has one or more child elements. Each of them corresponds to one of the
scanelements that you passed in into the request.-
account_id: [attribute] - The user’s account ID
-
site_id: [attribute] - The ID of the site
-
-
advisories: The results of the Security Advisories Scan
-
advisory: The details of an advisory
-
level: [attribute] - The urgency of the finding. The value is always
informationfor a security advisor. -
action: [attribute] - The ID of the message that provides the recommendation for what the user should do
-
description: [attribute] - The ID of the message that provides the description of the advisory
-
info: [attribute] - The detailed message regarding the user’s particular finding
This isn’t an ID to look up—it’s the full text of the message.
-
identifier: [attribute] - An internal SiteLock identifier/flag for this type of advisory
-
type: [attribute] - The category of the advisory
The following table lists the various combinations of type and identifier.
Type Identifier Explanation app
concrete5Detects app version
app
coppermineDetects app version
app
drupalDetects app version
app
galleryDetects app version
app
gbookDetects app version
app
joomlaDetects app version
app
mediawikiDetects app version
app
moodleDetects app version
app
oscommerceDetects app version
app
phpbbDetects app version
app
phpmyadminDetects app version
app
phpnukeDetects app version
app
smfDetects app version
app
sugarcrmDetects app version
app
wordpressDetects app version
app
zencartDetects app version
app
zenphotoDetects app version
info
dns_infoInformation on hostname
info
email_addressDetects email address in code (can be used by bots for spam)
info
server_infoCookies sites might be setting
info
server_infoPHP version
info
server_infoWeb server software
suspicious_content
endhtmlcontentLooks for content that may be appended to a page after closing HTML tags
suspicious_content
external_iframeNotes any iframes to external sources
suspicious_content
hiddenlinksNotes excessive use of links that may not show in a browser such as 0 height iframes/divs
suspicious_content
redirect_checkChecks for pages automatically redirecting to external sources
suspicious_content
shellscriptsShell scripts, which could run system-level commands on a site or server
suspicious_content
spamwordsDetects suspicious content such as blog spam
suspicious_content
urls_in_javascriptURLs detected only through JavaScript execution
data_security
insecure_formForms with sensitive fields that aren’t using HTTPS
data_security
phpcodePHP code detected which can breach code
-
-
-
malware_scan: The results of the Webpage Scan
-
last_scan: [attribute] - The date of the last scan in the
yyyy-mm-ddformat -
page: (Repeatable) The details of the scanned page
-
level: [attribute] - The urgency of the findings. The possible values are
information,notice, andcritical. -
url: [attribute] - The URL of the scanned page
-
malware: [attribute] - Specifies whether malware was found on the page. The possible values are
yesandno. -
link: (Repeatable) This element is present when a page contains a link to a malware site. Each malware link found on the page will have its own
linkelement. Thelinkelement has the following attributes:-
level: [attribute] - The urgency of the findings. The possible values are
information,notice, andcritical. -
malware: [attribute] - This element will always have the value
yes -
url: [attribute] - The malware link
-
malware_source: (Repeatable) Specifies who classified the link as a malware link.
-
goog_malware: Google’s list of sites that have malware content
-
goog_blacklist: Sites blacklisted by Google
-
phishtank: The list maintained by
phishtank.com -
sitelock: The list of malware sites maintained by SiteLock
-
sitelock_sig: SiteLock’s malware signature database
-
-
-
-
-
sqli_scan: The results of the SQL Injection Scan
-
last_scan: [attribute] - The date of the last scan in the
YYYY-MM-DDformat -
page: (Repeatable) The details of the scanned page
-
level: [attribute] - The urgency of the findings. The possible values are
information,notice, andcritical. -
url: [attribute] - The URL of the scanned page
-
sqli: [attribute] - Specifies whether an SQL injection vulnerability was found on the page. The possible values are
yesandno. -
sqli_info: This element is present when a page has an SQL injection vulnerability (the value of the
sqliattribute isyes).-
method:: [attribute] - The HTTP method name. The possible values for this are
GETandPOST. -
parameters: [attribute] - The exploited fields
-
type: : [attribute] - The type of the injection technique
-
-
-
-
ssl_scan: The results of the SSL Monitor
-
last_scan: [attribute] - The date of the last scan in the
YYYY-MM-DDformat -
hostname: [attribute] - The user’s domain name
-
level: [attribute] - The urgency of the findings. The possible values are
information,notice, andcritical. -
detail: [attribute] - The ID of the message which provides the findings. The possible values are:
-
ssl_cert_match: The Common Name and SAN of the SSL/TLS certificate match the hostname you provided us, no action needed.
-
cn_mismatch: The Common Name or SAN of the SSL/TLS certificate doesn’t match the hostname you provided us.
-
expired: The SSL/TLS certificate is expired.
-
expire_soon: The SSL/TLS certificate expires within the next month.
-
no_site: The domain name couldn’t be resolved.
-
connection_error: SiteLock couldn’t establish a connection to the website.
-
-
cert_cn: [attribute] - The Common Name of the certificate
-
expiration_date: [attribute] - The certificate’s expiry date
-
status: [attribute] - The status of the SSL/TLS protection. The possible values are
ok,warning, andcritical:-
When the value of
statusisok, thedetailelement will have the valuessl_cert_match. -
When the value of
statusiswarning, thedetailelement will have the valueconnection_error. -
When the value of
statusiscritical, thedetailelement will contain the description of the error.
-
-
-
xss_scan: The results of the Cross-Site Scripting Scan
-
last_scan: [attribute] - The date of the last scan in the
YYYY-MM-DDformat -
page: (Repeatable) The details of the scanned page
-
level: [attribute] - The urgency of the findings. The possible values are
information,notice, andcritical. -
url: [attribute] - The URL of the scanned page
-
xss: [attribute] - Specifies whether a cross-site scripting vulnerability was found on the page. The possible values are
yesandno. -
xss_info: [attribute] - The input field that can be exploited. This element is present when the value of
xssisyes.
-
-
-
smart_scan: The results of the SMART File Scan
-
num_added: [attribute] - The number of files that were added since the last file synchronization
-
num_cleaned: [attribute] - The number of files that were cleaned
-
num_deleted: [attribute] - The number of files that were deleted since the last file synchronization
-
num_files: [attribute] - The number of files that were processed
-
num_malicious: [attribute] - The number of files that were found to contain suspicious code
-
num_modified: [attribute] - The number of files that were modified since the last file synchronization
-
num_suspicious: [attribute] - The number of files that were found to contain suspicious code
-
scanned_date: [attribute] - The timestamp of scan completion
-
size_kb: [attribute] - The total size in KB of files that were processed
-
status: [attribute] - The compliance status of the scan
-
sync_status: [attribute] - The status of the file synchronization process
-
dirs: The directories found on the users’s FTP server during the scan
-
dir: (Repeatable) The scanned directory
-
name: [attribute] - The directory name
-
size: [attribute] - The total size of the directory in KB
-
-
-
exts: The file extensions found during the scan
-
ext: (Repeatable) The details of a file extension
-
name: [attribute] - The name of the extension
-
size: [attribute] - The total size of all files with this extension in KB
-
-
-
files: The files found during the scan
-
file: (Repeatable) The details of the scanned file
-
name: [attribute] - The name and location of the file
-
is_changed: [attribute] - Specifies whether the file was changed since the last scan. The possible values are
1and0. -
out_changed: [attribute] - Specifies whether SMART changed the file. The possible values are
1and0. -
in_changed: [attribute] - Specifies whether the user changed the file since the last scan. The possible values are
1and0. -
is_md5: [attribute] - Specifies whether the signature of the malware is stored as an MD5 hash as opposed to a string in the SiteLock malware database. The possible values are
1and0. -
in_del: [attribute] - Specifies whether the user deleted the file since the last scan. The possible values are
1and0. -
in_new: [attribute] - Specifies whether the user added this file since the last scan. The possible values are
1or0. -
has_diff: [attribute] - Specifies whether SiteLock saved a diff between the current and previous versions of the modified file. The possible values are
1and0. Use this flag to evaluate whether you can call the getSMARTFileDiff. -
not_fixed: [attribute] - Specifies whether the infected file was fixed. The possible values are
1and0. -
malware_found: [attribute] - Specifies whether malware was found in the file. The possible values are
1and0. -
unchanged: [attribute] - Specifies that there was an issue while committing a modified file. This is an internal SiteLock flag.
-
review: [attribute] - Specifies whether the potentially infected file is currently in review with the SiteLock malware team. The possible values are
1and0. -
malware_cleaned: [attribute] - Specifies whether SiteLock cleaned the malware. The possible values are
1and0. -
virus_ltr: [attribute] - An internal 1-4 character reference code inside the SiteLock malware database
-
-
-
-
patchman_scan: The results of the SMART Patch Scan
-
file: (Repeatable) The details of the scanned file
-
action: [attribute] - The action that was applied to the file. The possible values are
patchedandreverted. -
filename: [attribute] - The name and location of the file
-
patch_msg: [attribute] - The patch message
-
status: [attribute] - The file status. The possible values are
patchedandreverted. -
patch_ids: (Repeatable) The ID of the patch that was applied to the file
-
-
patches: (Repeatable) The details of the patch that was applied to the file
-
id: [attribute] - The ID of the patch
-
name: [attribute] - The name of the patch
-
category: [attribute] - The category of the patch
-
description: [attribute] - The description of the patch
-
-
risk_score: The results of the Risk Score Scan
-
contributors: A list of factors contributing to the site’s total risk score
-
contributor: (Repeatable) The details of the factor
-
title: The name of the factor
-
description: A detailed description of the factor and how it may pose a risk to the site, if any
-
identifier: The ID of the factor
-
influence: The impact of the factor on the risk score. The possible values are:
-
na: This factor doesn’t impact the risk score.
-
increase: This factor increased the risk score.
-
decrease: This factor decreased the risk score.
-
-
info: The location and content of the factor
-
page: (Repeatable) The page where the factor was found
-
url: The URL where the factor was found
-
value: The actual value of the factor
-
-
value: The value of the factor that wasn’t found in a URL or on page—for example, the value of an HTTP security header
-
-
-
-
details: The numerical scores for the primary areas that determine the overall risk score
-
website: The risk score determined by the structure of the website, including the software used to build the website, measured in 0-100%
-
popularity: The risk score determined by popularity of the website, including social media presence and visitor stats, measured in 0-100%
-
complexity: The risk score determined by the complexity of the website, including the page count, iframes, forms, and the number of software packages, measured in 0-100%
-
-
remediations: A list of recommendations to improve the site’s risk score
-
remediation: (Repeatable) A recommendation to improve the site’s risk score
-
-
risk_score: A simple numerical ranking of the overall site risk. The possible values are:
-
1: Low risk score
-
2: Medium risk score
-
3: High risk score
-
-
scanned_at: The date of the last scan in the
YYYY-MM-DDformat
-
-
platform_scan: The results of the Platform Scan
-
id: [attribute] - The ID of the scan
-
scanned_at: [attribute] - The date of the last scan in the
YYYY-MM-DDformat -
platform: The type of the platform the website runs on
-
name: [attribute] - The name of the platform
-
vulnerability: (Repeatable) The details of the vulnerability
-
category: [attribute] - The type of the vulnerability
-
description: [attribute] - A description of the vulnerability
-
severity: [attribute] - The severity of the vulnerability. The possible values are:
-
1: Low severity
-
2: Medium severity
-
3: High severity
-
4: Critical severity
-
5: Urgent severity
-
-
slvdb_id: [attribute] - The ID of the vulnerability
-
summary: [attribute] - A summary of the vulnerability description
-
version_certainty: [attribute] - The ability to determine the exact version of the platform
-
app: The platform or plugin where the vulnerability was found
-
name: [attribute] - The name of the platform or plugin
-
type: [attribute] - The type of the platform or plugin
-
version: [attribute] - The version of the platform or plugin
-
-
-
-
-
db_scan: The results of the SMART Database Scan
-
id: [attribute] - The ID of the scan
-
platform: [attribute] - The type of the platform the website runs on
-
prefix: [attribute] - The prefix of the platform database
-
scanned_date: [attribute] - The date of the last scan in the
YYYY-MM-DDformat -
page: (Repeatable) A set of records of specific type
-
type: [attribute] - The type of the results. The possible value are:
-
found: All vulnerabilities found during the last scan
-
fixed: All vulnerabilities fixed since the previous scan
-
failed: All vulnerabilities that couldn’t be fixed since the previous scan
-
-
table: The details of the scanned table
-
name: [attribute] - The name of the table
-
count: [attribute] - The number of records in the table
-
has_unique_idx: [attribute] - Specifies whether the database table has a unique index. The possible values are
1and0. -
finding_types: The types of the findings
-
finding_type: The details of a malware or spam issue type
-
count: [attribute] - The number of found issues of this type
-
type: [attribute] - The type of the issue. The possible values are
malware,spam_code, andspam_link.
-
-
-
records: A set of records where vulnerabilities were found during the scan
-
record: (Repeatable) The details of a malware or spam issue found during the scan
-
found_in: [attribute] - Specifies whether the record is found within the scan results. The possible values are
1and0. This is an internal SiteLock flag. -
record_id: [attribute] - The ID of the record from the table
-
finding: (Repeatable) The details of an issue
-
id: [attribute] -The ID of the finding
-
-
field_name: [attribute] - The name of the field from the table
-
finding_status: [attribute] - The status of the finding
-
scan_result_id: [attribute] - The ID of the scan
-
src: [attribute] - Base64 encoded data from the field
-
type: [attribute] - The type of the issue. The possible values are
malware,spam_code, andspam_link.
-
-
-
-
-
-
Example success response
<SiteLockOnlineResponse>
<scanDetail account_id="411844" site_id="10900">
<advisories>
<advisory level="information" action="advisory:action -urls_in_javascript" description="advisory:description - urls_in_javascript" identifier="urls_in_javascript" info="External Links in Javascript …" type="note" />
</advisories>
<malware_scan last_scan="2012-07-28">
<page malware="no" level="information" url="https://example.com">
<link malware="yes" url="https://example.com/" level="critical">
<malware_source>sitelock</malware_source>
</link>
<link malware="yes" url="https://example.com/i.php?" level="critical">
<malware_source>sitelock</malware_source>
<malware_source>goog_malware</malware_source>
</link>
</page>
<page malware="yes" url="https://example.com/abadpage.php" level="critical">
<malware_source>sitelock_sig</malware_source>
</page>
<page malware="no" url="https://example.com/news- details.php?News_ID%3D8" level="information" />
</malware_scan>
<sqli_scan last_scan="2012-07-28">
<page sqli="yes" url="https://example.com/news-details.php?News_ID%3D8" level="critical">
<sqli_info method="GET" parameters="News_ID" type="stringsingle" />
</page>
<page sqli="no" url="https://example.com" level="information" />
</sqli_scan>
<ssl_scan cert_cn="*.example.com" detail="ssl_cert_match" expiration_date="2014-07-31 18:59:59" hostname="www.example.com" last_scan="2012-08-30 14:56:06" level="information" status="critical" />
<xss_scan last_scan="2012-07-28">
<page url="https://example.com?%3D1%26s%3DSearch..." xss="yes" xss_info="s" level="critical"/>
<page url="https://example.com" xss="no" level="information"/>
<page url="https://example.com/abadpage.php" xss="no" level="information"/>
</xss_scan>
<smart_scan id="21425" num_added="22009" num_deleted="3" num_files="77680" num_modified="1314" scanned_date="2014-12-19 18:30:12" size_kb="3008604" status="warning" sync_status="complete">
<dirs>
<dir name="public_html/wp-includes" size="479943" />
<dir name="public_html/wp-content" size="31951011" />
<dir name="public_html/wp-admin" size="2089525" />
</dirs>
<exts>
<ext name="php" size="22745082" />
<ext name="js" size="27127509" />
<ext name="css" size="7111407" />
<ext name="html" size="169651" />
<ext name="jpg" size="913060" />
</exts>
<files>
<file name="wp-content/uploads/2012/07/ms14_064_ole_not_xp.html" has_diff="1" in_new="1" is_changed="1" is_md5="1" malware_found="1" out_changed="1" virus_ltr="dfzl" />
<file name="wp-content/uploads/2012/07/ms05_054_onload.html" in_new="1" malware_found="0" />
<file name="wp-admin/comment.php" in_changed="1" malware_found="0" />
<file name="wp-content/uploads/2012/07/eicar.html" in_new="1" malware_found="0" />
<file name="wp-content/uploads/2012/07/ms03_020_ie_objecttype.html" in_new="1" malware_found="0" />
<file name="wp-content/uploads/2012/07/excel-cmd.xls" has_diff="1" in_new="1" is_md5="1" is_changed="1" malware_found="1" out_changed="1" virus_ltr="dfzn" />
<file name="tmp/mysql_slow_queries/20120916-18.log" in_del="1" malware_found="0" />
</files>
</smart_scan>
<patchman_scan>
<file action="patch" filename="wp-content/plugins/wordpress-seo/admin/pages/tools.php" patch_msg="" status="patched">
<patch_ids>3681</patch_ids>
</file>
<patches name="patchman:name - 3681" category="XSS" description="patchman:description - 3681" id="3681" />
</patchman_scan>
<risk_score>
<contributors>
<contributor>
<description>Domain Name System (DNS) is a decentralized naming system used to translate your domain name into the numerical IP address of where your website is hosted.</description>
<identifier>dns_info</identifier>
<influence>na</influence>
<info>
<page>
<url>www.example.com</url>
<value>107.154.147.100</value>
</page>
<page>
<url>shop.example.com</url>
<value>108.179.226.25</value>
</page>
</info>
<title>Your site has the following DNS Information</title>
</contributor>
<contributor>
<description>An email address was found while scanning your site.</description>
<identifier>email_address</identifier>
<influence>increase</influence>
<info>
<page>
<url>https://shop.example.com/o6kbuor/nosjvcl.php?icdhadvpb=spider-alarms-at-walmart</url>
<value>[email protected]</value>
</page>
</info>
<title>E-mail Addresses found</title>
</contributor>
<contributor>
<description>We have detected the use of Secure Sockets Layer (SSL) certificates on your website. This helps to keep data secure between visitors and your site, build customer trust, and lower your overall security risk.</description>
<identifier>ssl</identifier>
<influence>na</influence>
<title>SSL found</title>
</contributor>
</contributors>
<details>
<complexity>4</complexity>
<popularity>3</popularity>
<website>93</website>
</details>
<remediations>
<remediation>We detected E-mail addresses on your site. There is no particular security concern here although you may wish to hide this information from spammers.</remediation>
</remediations>
<risk_score>1</risk_score>
<scanned_at>2012-07-28</scanned_at>
</risk_score>
<platform_scan id="43436222" scanned_at="2012-07-28">
<platform name="wordpress">
<vulnerability category="redirect" description="Open redirect attack possible on User and Term edit screens." severity="3" slvdb_id="3779" summary="WordPress 2.9.2-4.8.1 - Open Redirect" version_certainty="high">
<app name="wordpress" type="core" version="4.5.12" />
</vulnerability>
<vulnerability category="xss" description="Authenticated Stored Cross-Site Scripting vulnerability via Image Filename in WordPress versions 2.5 to 4.6 allows authenticated users to inject malicious code to the database." severity="3" slvdb_id="3583" summary="WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename" version_certainty="high">
<app name="wordpress" type="core" version="4.5.12" />
</vulnerability>
<vulnerability category="csrf" description="CSRF DoS vulnerability in WordPress versions 4.2 to 4.7.2 through the Press This functionality." severity="3" slvdb_id="3640" summary="WordPress 4.2-4.7.2 - Press This CSRF DoS" version_certainty="high">
<app name="wordpress" type="core" version="4.5.12" />
</vulnerability>
<vulnerability category="rce" description="Potential Remote Command Execution (RCE) in PHPMailer used in WordPress versions 4.3 to 4.7.1 can potentially be used to remotely execute commands." severity="2" slvdb_id="3591" summary="WordPress 4.3-4.7 - Potential Remote Command Execution (RCE) in PHPMailer" version_certainty="high"> +
<app name="wordpress" type="core" version="4.5.12" />
</vulnerability>
</platform>
</platform_scan>
<db_scan id="90" platform="wordpress" prefix="wp_" scanned_date ="2012-07-28">
<page type="fixed">
<table name="wp5_posts" count="36" has_unique_idx="1">
<finding_types>
<finding_type count="2" type="malware" />
</finding_types>
<records>
<record found_in="1" record_id="1063">
<finding id="546" field_name="post_content" finding_status="fixed" scan_result_id="8898" src="[clipped]" type="malware" />
</record>
<record found_in="1" record_id="5430">
<finding id="592" field_name="post_content" finding_status="fixed" scan_result_id="8935" src="[clipped]" type="malware" />
</record>
</records>
</table>
</page>
<page type="found">
<table name="wp5_posts" count="24" has_unique_idx="1">
<finding_types>
<finding_type count="1" type="malware" />
<finding_type count="2" type="spam_code" />
<finding_type count="1" type="spam_link" />
<finding_types>
<records>
<record found_in="1" record_id="1055">
<finding id="519" field_name="post_content" finding_status="found" scan_result_id="8897" src="[clipped]" type="spam_code" />
<finding id="541" field_name="post_content" finding_status="found" scan_result_id="8897" src="[clipped]" type="spam_code" />
</record>
<record found_in="1" record_id="5015">
<finding id="629" field_name="post_content" finding_status="found" scan_result_id="8905" src="[clipped]" type="malware" />
<finding id="711" field_name="post_content" finding_status="found" scan_result_id="8918" src="[clipped]" type="spam_link" />
</record>
</records>
</table>
</page>
</db_scan>
</scanDetail>
</SiteLockOnlineResponse>Example error response
<SiteLockOnlineResponse>
<error>bad account</error>
</SiteLockOnlineResponse>The error message will help to determine where the issue lies. A complete listing of error responses can be found in Error codes.