API Reference

Templates API

Manage vulnerability and executive summary templates with the PentestPad API

Overview

The Templates API provides complete CRUD operations for managing both vulnerability templates and executive summary templates. You can create, read, update, delete templates, and perform bulk operations like CSV imports.

Key Features:

  • Flexible CSV Import: Case-insensitive headers and automatic detection of extra fields
  • Custom Fields: Any unknown CSV columns are automatically stored as extra fields
  • Standard Field Support: All common vulnerability template fields supported
  • Relationship Management: Automatic handling of categories and project type assignments

Vulnerability Templates API

Vulnerability templates are reusable finding templates that can be used to quickly create findings in projects.

List Vulnerability Templates

Get all vulnerability templates.

GET /api/v1/templates/vulnerabilities

Response:

{
  "success": true,
  "data": [
    {
      "id": 15,
      "title": "SQL Injection Template",
      "description": "Template for SQL injection vulnerabilities",
      "impact": "High",
      "probability": "Medium",
      "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "cvss_score": 8.1,
      "poc": "1. Navigate to vulnerable parameter\n2. Inject SQL payload\n3. Observe database error",
      "risks": "Data breach, authentication bypass",
      "remediation": "Use parameterized queries",
      "categories": [
        {
          "id": 1,
          "name": "Injection Attacks"
        }
      ],
      "created_at": "2024-03-15T10:30:00Z"
    }
  ],
  "total": 1
}

Get Vulnerability Template

Get a specific vulnerability template.

GET /api/v1/templates/vulnerabilities/{template_id}

Response:

{
  "success": true,
  "data": {
    "id": 15,
    "title": "SQL Injection Template",
    "description": "Comprehensive template for SQL injection vulnerabilities",
    "impact": "High",
    "probability": "Medium",
    "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
    "cvss_score": 8.1,
    "poc": "1. Identify injection point\n2. Test with basic payloads\n3. Exploit with advanced techniques",
    "risks": "Complete database compromise, data exfiltration, authentication bypass",
    "remediation": "1. Use parameterized queries\n2. Implement input validation\n3. Apply principle of least privilege",
    "extra_fields": {
      "cwe_id": "CWE-89",
      "owasp_category": "A03:2021"
    },
    "categories": [
      {
        "id": 1,
        "name": "Injection Attacks"
      }
    ],
    "project_types": [
      {
        "id": 1,
        "name": "Web Application"
      }
    ],
    "created_at": "2024-03-15T10:30:00Z",
    "updated_at": "2024-03-15T11:45:00Z"
  }
}

Create Vulnerability Template

Create a new vulnerability template.

POST /api/v1/templates/vulnerabilities

Request Body:

{
  "title": "Cross-Site Scripting (XSS) Template",
  "description": "Template for XSS vulnerabilities",
  "impact": "Medium",
  "probability": "High",
  "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
  "cvss_score": 6.1,
  "poc": "1. Find reflection point\n2. Test with basic XSS payload\n3. Bypass filters if present",
  "risks": "Session hijacking, credential theft, malicious content injection",
  "remediation": "1. Implement proper output encoding\n2. Use Content Security Policy\n3. Validate all user input",
  "extra_fields": {
    "cwe_id": "CWE-79",
    "owasp_category": "A03:2021"
  },
  "categories": [2, 3],
  "project_types": [1]
}

Update Vulnerability Template

Update an existing vulnerability template.

PUT /api/v1/templates/vulnerabilities/{template_id}

Delete Vulnerability Template

Delete a vulnerability template.

DELETE /api/v1/templates/vulnerabilities/{template_id}

Import Vulnerability Templates from CSV

Import multiple vulnerability templates from a CSV file.

POST /api/v1/templates/vulnerabilities/import-csv

Request:

  • Content-Type: multipart/form-data
  • Body: multipart form data with a field named file containing the CSV file

Response:

{
  "success": true,
  "message": "CSV import completed. 5 templates imported, 1 errors.",
  "data": {
    "success_count": 5,
    "error_count": 1,
    "errors": [
      {
        "row": 3,
        "error": "Invalid impact level: extreme",
        "data": {...}
      }
    ],
    "imported_templates": [
      {
        "row": 2,
        "id": 16,
        "title": "SQL Injection Template"
      }
    ]
  }
}

Get Vulnerability Templates CSV Field Mapping

Get information about the required CSV format for vulnerability templates.

GET /api/v1/templates/vulnerabilities/csv/field-mapping

Response:

{
  "success": true,
  "data": {
    "field_mapping": {
      "title": "Template title/name",
      "description": "Detailed description of the vulnerability",
      "impact": "Impact level (Informational|Low|Medium|High|Critical)",
      "probability": "Probability level (Informational|Low|Medium|High|Critical)",
      "cvss": "CVSS vector string",
      "cvss_score": "CVSS score (0-10)",
      "poc": "Proof of concept steps",
      "risks": "Risk assessment and business impact",
      "remediation": "Remediation steps and recommendations",
      "categories": "Comma-separated vulnerability category IDs",
      "project_types": "Comma-separated project type IDs",
      "extra_fields": "JSON object with custom fields"
    },
    "sample_csv": "title,impact,probability,description,poc,risks,remediation,cvss,cvss_score,categories,project_types,extra_fields\n..."
  }
}

Vulnerability Templates CSV Format

The CSV import system is flexible and case-insensitive, supporting multiple field name formats and automatic detection of extra fields.

Required Fields:

  • title (case-insensitive: Title, TITLE, etc.) - Template name

Standard Fields (all optional and case-insensitive):

  • description - Detailed description
  • impact - Impact level: Informational, Low, Medium, High, Critical
  • probability - Probability level: Informational, Low, Medium, High, Critical
  • cvss - CVSS vector string
  • cvss_score (or cvss score) - CVSS score (0-10)
  • poc (or proof of concept) - Proof of concept steps
  • risks - Risk assessment
  • remediation - Remediation guidance
  • http_excerpts (or http excerpts) - HTTP request/response examples
  • categories - Comma-separated category IDs
  • project_types (or project types) - Comma-separated project type IDs

Extra Fields (automatic detection): Any field not in the standard list above will be automatically stored in the extra_fields JSON column. This includes:

  • Custom fields like References, CWE_ID, OWASP_Category
  • Fields defined in your PentestPad instance's extra fields configuration
  • Any other custom columns you add to your CSV

Case-Insensitive Support: All field names are matched case-insensitively. These all work the same way:

title,description,impact          ✓
Title,Description,Impact          ✓
TITLE,DESCRIPTION,IMPACT          ✓
Title,description,IMPACT          ✓

Sample CSV with Extra Fields:

title,description,impact,probability,cvss,poc,risks,remediation,References,CWE_ID,categories,project_types
"SQL Injection Template","SQL injection vulnerability template",High,Medium,"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","1. Find injection point\n2. Test payloads\n3. Exploit database","Data breach, authentication bypass","Use parameterized queries","https://owasp.org/www-community/attacks/SQL_Injection","CWE-89","1,2","1"
"XSS Template","Cross-site scripting template",Medium,High,"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","1. Find reflection\n2. Test XSS payload","Session hijacking, data theft","Implement output encoding","https://owasp.org/www-community/attacks/xss/","CWE-79","2,3","1"

How Extra Fields Work:

  • References and CWE_ID columns will be automatically stored in the extra_fields JSON
  • The resulting template will have: {"References": "https://owasp.org/...", "CWE_ID": "CWE-89"}
  • No need to manually format as JSON - the system handles this automatically

Executive Summary Templates API

Executive summary templates are used for generating executive summaries in reports.

List Executive Summary Templates

Get all executive summary templates.

GET /api/v1/templates/executive

Response:

{
  "success": true,
  "data": [
    {
      "id": 5,
      "name": "Standard Web App Assessment",
      "content": "This executive summary provides an overview of the security assessment conducted on the web application...",
      "template_type": "executive_summary",
      "project_types": [
        {
          "id": 1,
          "name": "Web Application"
        }
      ],
      "created_at": "2024-03-15T10:30:00Z"
    }
  ],
  "total": 1
}

Get Executive Summary Template

Get a specific executive summary template.

GET /api/v1/templates/executive/{template_id}

Create Executive Summary Template

Create a new executive summary template.

POST /api/v1/templates/executive

Request Body:

{
  "name": "Mobile App Assessment Summary",
  "content": "This executive summary outlines the security assessment findings for the mobile application...",
  "template_type": "executive_summary",
  "project_types": [2]
}

Update Executive Summary Template

Update an existing executive summary template.

PUT /api/v1/templates/executive/{template_id}

Delete Executive Summary Template

Delete an executive summary template.

DELETE /api/v1/templates/executive/{template_id}

Import Executive Summary Templates from CSV

Import multiple executive summary templates from a CSV file.

POST /api/v1/templates/executive/import-csv

Request:

  • Content-Type: multipart/form-data
  • Body: multipart form data with a field named file containing the CSV file

Get Executive Summary Templates CSV Field Mapping

Get information about the required CSV format for executive summary templates.

GET /api/v1/templates/executive/csv/field-mapping

Executive Summary Templates CSV Format

Required Fields:

  • name - Template name
  • content - Executive summary content

Optional Fields:

  • template_type - Template type (defaults to "executive_summary")
  • project_types - Comma-separated project type IDs

Sample CSV:

name,content,template_type,project_types
"Web Application Executive Summary","This executive summary provides a comprehensive overview of the web application security assessment...","executive_summary","1"
"Mobile App Executive Summary","This summary outlines the security posture of the mobile application...","executive_summary","2"
"Network Assessment Summary","The network penetration test revealed several critical vulnerabilities...","executive_summary","3"

Examples

Import Vulnerability Templates with Standard Fields

curl -X POST \
  -H "Authorization: Bearer your_api_key" \
  -F "file=@vulnerability_templates.csv" \
  https://your-instance.pentestpad.com/api/v1/templates/vulnerabilities/import-csv

Example CSV file (vulnerability_templates.csv):

title,description,impact,probability,cvss,poc,risks,remediation,categories,project_types
"SQL Injection","SQL injection in login form",High,Medium,"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","1. Go to /login\n2. Enter ' OR 1=1 --","Database compromise","Use prepared statements","1,2","1"
"XSS Vulnerability","Reflected XSS in search",Medium,High,"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","1. Enter <script>alert(1)</script>","Session hijacking","Sanitize input","2,3","1"

Import with Extra Fields (Automatic Detection)

Example CSV with custom fields:

Title,Description,Impact,References,CWE_ID,OWASP_Category,Custom_Field,categories
"SQL Injection Template","SQL injection vulnerability",High,"https://owasp.org/www-community/attacks/SQL_Injection","CWE-89","A03:2021 - Injection","Custom Value","1,2"
"XSS Template","Cross-site scripting vulnerability",Medium,"https://owasp.org/www-community/attacks/xss/","CWE-79","A03:2021 - Injection","Another Value","2,3"

Result: The References, CWE_ID, OWASP_Category, and Custom_Field columns will be automatically stored in the extra_fields JSON:

{
  "extra_fields": {
    "References": "https://owasp.org/www-community/attacks/SQL_Injection",
    "CWE_ID": "CWE-89",
    "OWASP_Category": "A03:2021 - Injection",
    "Custom_Field": "Custom Value"
  }
}

Case-Insensitive Headers Example

All these CSV formats will work identically:

# Lowercase
title,description,impact,proof of concept
"SQL Injection","Description here",High,"PoC steps"

# Title Case
Title,Description,Impact,Proof Of Concept
"SQL Injection","Description here",High,"PoC steps"

# Mixed Case
TITLE,description,IMPACT,poc
"SQL Injection","Description here",High,"PoC steps"

Import Executive Summary Templates

curl -X POST \
  -H "Authorization: Bearer your_api_key" \
  -F "file=@executive_templates.csv" \
  https://your-instance.pentestpad.com/api/v1/templates/executive/import-csv

Get Field Mapping Information

# Vulnerability templates field mapping
curl -H "Authorization: Bearer your_api_key" \
     https://your-instance.pentestpad.com/api/v1/templates/vulnerabilities/csv/field-mapping

# Executive summary templates field mapping
curl -H "Authorization: Bearer your_api_key" \
     https://your-instance.pentestpad.com/api/v1/templates/executive/csv/field-mapping

JavaScript Example with Error Handling

// Import vulnerability templates with flexible CSV.
// csvFile is a File object; here it is assumed to come from an <input type="file"> element.
const csvFile = document.querySelector('input[type="file"]').files[0];
const formData = new FormData();
formData.append('file', csvFile);

try {
  const response = await fetch('/api/v1/templates/vulnerabilities/import-csv', {
    method: 'POST',
    headers: {
      'Authorization': 'Bearer your_api_key'
    },
    body: formData
  });

  // A non-2xx status (bad token, oversized upload, ...) has no data payload to read
  if (!response.ok) {
    throw new Error(`HTTP ${response.status} ${response.statusText}`);
  }

  const importResult = await response.json();
  if (!importResult.success) {
    throw new Error(importResult.message || 'Import rejected by the API');
  }

  console.log(`✅ Imported ${importResult.data.success_count} templates`);

  // Row-level errors do not abort the import: the other rows are still created,
  // so report each failed row (numbered as in the CSV, header line = row 1)
  if (importResult.data.error_count > 0) {
    console.log(`⚠️ ${importResult.data.error_count} errors occurred:`);
    importResult.data.errors.forEach(error => {
      console.log(`Row ${error.row}: ${error.message}`);
    });
  }

  // Show successfully imported templates
  importResult.data.imported_templates.forEach(template => {
    console.log(`✓ Row ${template.row}: ${template.title}`);
  });

} catch (error) {
  console.error('Import failed:', error);
}

Response Examples

Successful Import:

{
  "success": true,
  "message": "CSV import completed. 2 vulnerability templates imported, 0 errors.",
  "data": {
    "success_count": 2,
    "error_count": 0,
    "errors": [],
    "imported_templates": [
      {
        "row": 2,
        "uuid": "123e4567-e89b-12d3-a456-426614174000",
        "title": "SQL Injection Template"
      },
      {
        "row": 3,
        "uuid": "987fcdeb-51a2-43d7-8765-987654321000",
        "title": "XSS Template"
      }
    ]
  }
}

Import with Errors:

{
  "success": true,
  "message": "CSV import completed. 1 vulnerability templates imported, 1 errors.",
  "data": {
    "success_count": 1,
    "error_count": 1,
    "errors": [
      {
        "row": 3,
        "message": "Invalid impact value. Must be one of: Informational, Low, Medium, High, Critical",
        "data": ["XSS Template", "Description", "Extreme", ...]
      }
    ],
    "imported_templates": [
      {
        "row": 2,
        "uuid": "123e4567-e89b-12d3-a456-426614174000",
        "title": "SQL Injection Template"
      }
    ]
  }
}
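Because a row that fails validation is skipped while the remaining rows are still imported (as the "Import with Errors" response above shows), it helps to check a CSV locally before uploading it. The following script is an added example, not PentestPad's import code: it applies the documented header rules for the vulnerability-template CSV (case-insensitive matching, the cvss score / proof of concept / http excerpts / project types aliases, unknown columns collected into extra_fields with their original spelling) and reports problems with the same row numbering as the import response. It assumes that impact and probability values must match the documented spelling exactly and that the header line counts as row 1.

```python
import csv
import io

# Header aliases the import accepts (matched case-insensitively); a column that does not
# map to a standard field is kept under extra_fields with its original spelling.
ALIASES = {"cvss score": "cvss_score", "proof of concept": "poc",
           "http excerpts": "http_excerpts", "project types": "project_types"}
STANDARD = {"title", "description", "impact", "probability", "cvss", "cvss_score", "poc",
            "risks", "remediation", "http_excerpts", "categories", "project_types"}
LEVELS = {"Informational", "Low", "Medium", "High", "Critical"}

def normalize_header(name):
    """Map a CSV header to its standard field name, or keep it verbatim as an extra field."""
    key = name.strip().lower()
    key = ALIASES.get(key, key)
    return key if key in STANDARD else name.strip()

def preflight(csv_text):
    """Return (templates, errors); rows are numbered as in the import response (header = row 1)."""
    reader = csv.reader(io.StringIO(csv_text))
    headers = [normalize_header(h) for h in next(reader)]
    if "title" not in headers:
        return [], [{"row": 1, "message": "Missing required column: title"}]
    templates, errors = [], []
    for row_no, cells in enumerate(reader, start=2):
        record = dict(zip(headers, cells))
        problems = []
        if not record.get("title", "").strip():
            problems.append("title is required")
        for field in ("impact", "probability"):  # assumed strict: must match the documented spelling
            if record.get(field) and record[field] not in LEVELS:
                problems.append(f"Invalid {field} value: {record[field]}")
        if problems:
            errors.append({"row": row_no, "message": "; ".join(problems), "data": cells})
            continue
        template = {k: v for k, v in record.items() if k in STANDARD and v != ""}
        extra = {k: v for k, v in record.items() if k not in STANDARD}
        if extra:
            template["extra_fields"] = extra
        templates.append(template)
    return templates, errors

# Constructed sample input: mixed-case headers, one alias, two extra columns, and a
# second data row that reuses the invalid level "Extreme" from the response example.
SAMPLE_CSV = (
    "Title,Description,Impact,Proof Of Concept,CWE_ID,References,categories\n"
    '"SQL Injection Template","SQLi template",High,"1. Find injection point","CWE-89","https://owasp.org/","1,2"\n'
    '"XSS Template","Description",Extreme,"PoC steps","CWE-79","https://owasp.org/","2,3"\n'
)
```

Running preflight(SAMPLE_CSV) yields one accepted template (with extra_fields holding CWE_ID and References) and one error for row 3, "Invalid impact value: Extreme", matching the shape of the API's errors array.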

Template Usage

Templates created via this API can be used to:

  1. Create Findings - Use vulnerability templates to quickly create findings in projects
  2. Generate Reports - Use executive summary templates in report generation
  3. Standardize Process - Ensure consistency across different projects and team members

Permissions

  • Clients cannot create, update, or delete templates
  • Pentesters can view and use templates
  • Managers can manage templates in their team's scope
  • Admins can manage all templates