ScanMalware REST API Documentation
Complete API reference for integrating website security scanning into your applications
Getting Started
The ScanMalware API provides programmatic access to URL security scanning capabilities. All endpoints return JSON responses and use standard HTTP status codes.
🌐 Base URL
https://scanmalware.com🚀 Quick Example
curl -X POST "https://scanmalware.com/api/v1/scan" \
-H "Content-Type: application/json" \
-d '{"url": "https://example.com"}'📖 Full Documentation Details
Rate Limits
Currently, there are no enforced rate limits, but please use the API responsibly.
Pagination
All search and listing endpoints support pagination to prevent database overload and improve performance. Pagination is implemented using page and limit parameters.
Paginated endpoints include:
/api/v1/recent- Recent scans/api/v1/search- Text search/api/v1/search/asn/{asn_number}- ASN search/api/v1/search/favicon/{hash_value}- Favicon hash search/api/v1/search/screenshot/{hash_type}/{hash_value}- Screenshot hash search/api/v1/search/fuzzy/{hash_type}- Fuzzy hash search/api/v1/search/similar- Similar scans search
All paginated responses include a pagination object:
"pagination": {
"page": 1, // Current page number
"limit": 20, // Items per page
"total_items": 272, // Total number of items
"total_pages": 14, // Total number of pages
"has_next": true, // Whether there's a next page
"has_prev": false // Whether there's a previous page
}Error Handling
The API uses conventional HTTP response codes to indicate success or failure. Error responses include a JSON object with error details.
{
"error": "Invalid URL provided",
"code": 400,
"details": "The URL must be a valid HTTP or HTTPS URL"
}API Endpoints
POST
/api/v1/scanSubmit URL for Scanning
Submit a URL for scanning with URL validation and optional CSRF protection. Supports flexible URL input formats: - Full URLs: https://example.com, http://example.com - Domain only: example.com (will try https://, https://www., http://, http://www.) - With path: example.com/page (will prepend protocol)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
url | string | Required | |
scan_type | string | Optional | |
options | string | Optional | |
csrf_token | string | Optional |
Response
{
"scan_id": "string",
"status": "string",
"message": "string",
"scan_type": "string",
"submitted_at": "string"
}Example
Request
curl -X POST "https://scanmalware.com/api/v1/scan" \
-H "Content-Type: application/json" \
-d '{"url": "https://example.com", "scan_type": "public"}'Response
{
"scan_id": "123e4567-e89b-12d3-a456-426614174000",
"status": "queued",
"message": "Scan submitted successfully",
"scan_type": "public",
"submitted_at": "2025-08-20T16:30:00.000Z"
}GET
/api/v1/result/{scan_id}Get Scan Results
Retrieve the results of a specific scan
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
scan_id | string | Required | The unique scan ID |
Response
{
"scan_id": "string",
"url": "string",
"status": "string",
"scan_type": "string",
"submitted_at": "string",
"completed_at": "string",
"results": "object"
}Example
Request
curl "https://scanmalware.com/api/v1/result/123e4567-e89b-12d3-a456-426614174000"Response
{
"scan_id": "123e4567-e89b-12d3-a456-426614174000",
"url": "https://example.com",
"status": "completed",
"scan_type": "public",
"submitted_at": "2025-08-20T16:30:00.000Z",
"completed_at": "2025-08-20T16:30:15.000Z",
"results": {
"title": "Example Domain",
"screenshot_path": "screenshots/123e4567.png",
"technologies": [...],
"network_requests": [...],
"security_analysis": {...}
}
}GET
/api/v1/scan/{scan_id}/summaryGet Scan Summary
Get condensed scan information for integrations
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
scan_id | string | Required | The unique scan ID |
Response
{
"scan_id": "string",
"url": "string",
"final_url": "string",
"status": "string",
"completed_at": "string",
"security_verdict": {
"overall_score": "integer",
"risk_level": "string"
},
"risk_score": "integer",
"technologies_count": "integer",
"tracker_count": "integer",
"redirect_count": "integer",
"certificate_valid": "boolean",
"load_time": "number"
}Example
Request
curl "https://scanmalware.com/api/v1/scan/123e4567-e89b-12d3-a456-426614174000/summary"Response
{
"scan_id": "123e4567-e89b-12d3-a456-426614174000",
"url": "https://example.com",
"final_url": "https://www.example.com",
"status": "completed",
"completed_at": "2025-08-20T16:30:15.000Z",
"security_verdict": {
"overall_score": 15,
"risk_level": "safe"
},
"risk_score": 85,
"technologies_count": 5,
"tracker_count": 2,
"redirect_count": 1,
"certificate_valid": true,
"load_time": 1.234
}GET
/api/v1/domains/{domain}/scansDomain History
Get all public scans for a specific domain (only public scans are available via API)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
domain | string | Required | The domain to search for (e.g., "example.com") |
status | string | Optional | Filter by scan status: "queued", "processing", "completed", or "failed" |
limit | integer | Optional | Number of results (1-100, default: 20) |
Response
{
"domain": "string",
"total_scans": "integer",
"scans": [
{
"scan_id": "string",
"url": "string",
"status": "string",
"scan_type": "string",
"submitted_at": "string",
"completed_at": "string",
"title": "string"
}
]
}Example
Request
curl "https://scanmalware.com/api/v1/domains/example.com/scans?status=completed&limit=10"Response
{
"domain": "example.com",
"total_scans": 15,
"scans": [
{
"scan_id": "123e4567-e89b-12d3-a456-426614174000",
"url": "https://example.com",
"status": "completed",
"scan_type": "public",
"submitted_at": "2025-08-20T16:30:00.000Z",
"completed_at": "2025-08-20T16:30:15.000Z",
"title": "Example Domain"
}
]
}GET
/api/v1/recentGet Recent Public Scans
Retrieve a list of recent public scans with pagination (only public scans are available via API)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
page | integer | Optional | Page number (default: 1) |
limit | integer | Optional | Items per page (default: 20, max: 100) |
Response
{
"results": [
{
"scan_id": "string",
"url": "string",
"status": "string",
"scan_type": "string",
"submitted_at": "string",
"title": "string"
}
],
"pagination": {
"page": "integer",
"limit": "integer",
"total_items": "integer",
"total_pages": "integer",
"has_next": "boolean",
"has_prev": "boolean"
}
}Example
Request
curl "https://scanmalware.com/api/v1/recent?page=1&limit=10"Response
{
"results": [
{
"scan_id": "123e4567-e89b-12d3-a456-426614174000",
"url": "https://example.com",
"status": "completed",
"scan_type": "public",
"submitted_at": "2025-08-20T16:30:00.000Z",
"title": "Example Domain"
}
],
"pagination": {
"page": 1,
"limit": 10,
"total_items": 272,
"total_pages": 28,
"has_next": true,
"has_prev": false
}
}GET
/api/v1/searchSearch Scans
Search through public scan results only
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
q | string | Required | Search query (minimum 3 characters) |
type | string | Optional | Search type: "url", "domain", "title", "technology", or "all" (default: "all") |
page | integer | Optional | Page number (default: 1) |
limit | integer | Optional | Items per page (default: 20, max: 100) |
Response
[
{
"scan_id": "string",
"url": "string",
"status": "string",
"scan_type": "string",
"submitted_at": "string",
"title": "string"
}
]Example
Request
curl "https://scanmalware.com/api/v1/search?q=example.com&type=domain"Response
[
{
"scan_id": "123e4567-e89b-12d3-a456-426614174000",
"url": "https://example.com",
"status": "completed",
"scan_type": "public",
"submitted_at": "2025-08-20T16:30:00.000Z",
"title": "Example Domain"
}
]GET
/api/v1/search/asn/{asn_number}Search by ASN
Search for public scans from a specific Autonomous System Number (ASN)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
asn_number | integer | Required | The AS number to search for without AS prefix (e.g., 13335 for Cloudflare, not AS13335) |
page | integer | Optional | Page number (default: 1) |
limit | integer | Optional | Items per page (default: 50, max: 500) |
Response
{
"asn": "integer",
"organization": "string",
"total_scans": "integer",
"unique_urls": "integer",
"first_seen": "string | null",
"last_seen": "string | null",
"results": [
{
"scan_id": "string",
"url": "string",
"status": "string",
"scan_type": "string",
"submitted_at": "string",
"title": "string",
"primary_asn": "integer",
"asn_org": "string"
}
]
}Example
Request
curl "https://scanmalware.com/api/v1/search/asn/13335"Response
{
"asn": 13335,
"organization": "CLOUDFLARENET",
"total_scans": 42,
"unique_urls": 35,
"first_seen": "2025-08-19T10:00:00.000Z",
"last_seen": "2025-08-20T16:30:00.000Z",
"results": [
{
"scan_id": "123e4567-e89b-12d3-a456-426614174000",
"url": "https://example.com",
"status": "completed",
"scan_type": "public",
"submitted_at": "2025-08-20T16:30:00.000Z",
"title": "Example Domain",
"primary_asn": 13335,
"asn_org": "CLOUDFLARENET"
}
]
}GET
/api/v1/search/favicon/{hash_value}Search by Favicon Hash
Search for websites with the same favicon hash (supports both MMH3 and MD5 hashes)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
hash_value | string | Required | The favicon hash value (MMH3 integer or MD5 hex string) |
hash_type | string | Optional | Hash type: "mmh3" or "md5" (default: "mmh3") |
page | integer | Optional | Page number (default: 1) |
limit | integer | Optional | Items per page (default: 20, max: 100) |
Response
{
"hash_type": "string",
"hash_value": "string",
"results": [
{
"scan_id": "string",
"url": "string",
"final_url": "string",
"title": "string",
"submitted_at": "string",
"favicon_mmh3": "string",
"favicon_md5": "string"
}
],
"pagination": "object"
}Example
Request
curl "https://scanmalware.com/api/v1/search/favicon/2755474283?hash_type=mmh3"
# Search by MD5 hash
curl "https://scanmalware.com/api/v1/search/favicon/b2ccd167c908a44e1dd69df79382286a?hash_type=md5"Response
{
"hash_type": "mmh3",
"hash_value": "2755474283",
"results": [
{
"scan_id": "123e4567-e89b-12d3-a456-426614174000",
"url": "https://www.linkedin.com/",
"final_url": "https://www.linkedin.com/",
"title": "LinkedIn: Log In or Sign Up",
"submitted_at": "2025-08-20T16:30:00.000Z",
"favicon_mmh3": "2755474283",
"favicon_md5": "b2ccd167c908a44e1dd69df79382286a"
}
],
"pagination": {
"page": 1,
"limit": 20,
"total_items": 4,
"total_pages": 1,
"has_next": false,
"has_prev": false
}
}GET
/api/v1/favicon/{scan_id}Get Favicon
Download the favicon image for a specific scan
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
scan_id | string | Required | The unique scan ID |
Response
Binary image data (PNG/ICO format) or 404 if no favicon foundExample
Request
curl "https://scanmalware.com/api/v1/favicon/123e4567-e89b-12d3-a456-426614174000" --output favicon.pngResponse
Binary image dataGET
/api/v1/favicon/search/{mmh3_hash}Search by MMH3 Favicon Hash
Search for scans with a specific MMH3 favicon hash
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
mmh3_hash | string | Required | The MMH3 hash value |
page | integer | Optional | Page number (default: 1) |
limit | integer | Optional | Items per page (default: 20, max: 100) |
Response
{
"mmh3_hash": "string",
"results": [
{
"scan_id": "string",
"url": "string",
"final_url": "string",
"title": "string",
"submitted_at": "string",
"favicon_mmh3": "string",
"favicon_md5": "string"
}
],
"pagination": "object"
}Example
Request
curl "https://scanmalware.com/api/v1/favicon/search/2755474283"Response
{
"mmh3_hash": "2755474283",
"results": [
{
"scan_id": "123e4567-e89b-12d3-a456-426614174000",
"url": "https://www.linkedin.com/",
"final_url": "https://www.linkedin.com/",
"title": "LinkedIn: Log In or Sign Up",
"submitted_at": "2025-08-20T16:30:00.000Z",
"favicon_mmh3": "2755474283",
"favicon_md5": "b2ccd167c908a44e1dd69df79382286a"
}
],
"pagination": {
"page": 1,
"limit": 20,
"total_items": 4,
"total_pages": 1,
"has_next": false,
"has_prev": false
}
}GET
/api/v1/favicon/statsFavicon Statistics
Get statistics about favicon detection and hashes
Response
{
"total_scans_with_favicons": "integer",
"unique_mmh3_hashes": "integer",
"unique_md5_hashes": "integer",
"top_favicons": [
{
"mmh3_hash": "string",
"md5_hash": "string",
"count": "integer",
"example_url": "string"
}
],
"detection_rate": "number",
"last_updated": "string"
}Example
Request
curl "https://scanmalware.com/api/v1/favicon/stats"Response
{
"total_scans_with_favicons": 892,
"unique_mmh3_hashes": 234,
"unique_md5_hashes": 231,
"top_favicons": [
{
"mmh3_hash": "2755474283",
"md5_hash": "b2ccd167c908a44e1dd69df79382286a",
"count": 15,
"example_url": "https://www.linkedin.com/"
}
],
"detection_rate": 72.3,
"last_updated": "2025-08-20T16:30:00.000Z"
}GET
/api/v1/search/screenshot/{hash_type}/{hash_value}Search by Screenshot Hash
Search for scans by screenshot hash (public scans only)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
hash_type | string | Required | Hash type: "ahash", "phash", "dhash", "whash", "color_hash", or "crop_resistant" |
hash_value | string | Required | The hash value to search for |
similarity_threshold | integer | Optional | Hamming distance threshold for similarity search (0-64, perceptual hashes only) |
page | integer | Optional | Page number (default: 1) |
limit | integer | Optional | Items per page (default: 20, max: 100) |
Response
{
"hash_type": "string",
"hash_value": "string",
"count": "integer",
"results": [
{
"scan_id": "string",
"url": "string",
"title": "string",
"submitted_at": "string"
}
]
}Example
Request
curl "https://scanmalware.com/api/v1/search/screenshot/phash/1a2b3c4d5e6f7890"Response
{
"hash_type": "phash",
"hash_value": "1a2b3c4d5e6f7890",
"count": 1,
"results": [
{
"scan_id": "123e4567-e89b-12d3-a456-426614174000",
"url": "https://example.com",
"title": "Example Domain",
"submitted_at": "2025-08-20T16:30:00.000Z"
}
]
}POST
/api/v1/screenshot/searchScreenshot Hash Search
Search for visually similar screenshots using perceptual hashing. Returns scans with screenshots similar to the provided hash value. Supports multiple hash types (phash, ahash, dhash, whash, crop_resistant).
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
hash_value | integer | Required | The perceptual hash value as an integer |
hash_type | string | Optional | Hash type (phash, ahash, dhash, whash, crop_resistant). Default: phash |
max_distance | integer | Optional | Maximum hamming distance (1-10, default: 3) |
limit | integer | Optional | Maximum results (1-100, default: 20) |
Response
[
{
"scan_id": "string",
"url": "string",
"title": "string",
"submitted_at": "string",
"similarity_score": "integer",
"ahash_distance": "integer",
"phash_distance": "integer",
"dhash_distance": "integer",
"whash_distance": "integer"
}
]Example
Request
curl -X POST "https://scanmalware.com/api/v1/screenshot/search" \
-H "Content-Type: application/json" \
-d '{"hash_value": 17918433939200614400, "hash_type": "ahash", "max_distance": 5}'Response
[
{
"scan_id": "123e4567-e89b-12d3-a456-426614174000",
"url": "https://example.com",
"title": "Example Domain",
"submitted_at": "2025-08-20T16:30:00.000Z",
"similarity_score": 95,
"ahash_distance": 3,
"phash_distance": 2,
"dhash_distance": 4,
"whash_distance": 5
}
]GET
/api/v1/screenshot/duplicatesFind Duplicate Screenshots
Find groups of similar screenshots (potential duplicates) with pagination. For performance reasons, only exact matches (max_distance=0) are supported via efficient SQL GROUP BY. This avoids O(n²) comparisons across 100K+ screenshots. Use /api/v1/search/screenshot/phash/{hash} for fuzzy matching of a specific hash.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
hash_type | string | Optional | |
max_distance | integer | Optional | Hamming distance (0=exact match only, for performance) |
min_group_size | integer | Optional | |
page | integer | Optional | Page number |
limit | integer | Optional | Items per page |
Response
[
[
{
"scan_id": "string",
"url": "string",
"title": "string",
"submitted_at": "string",
"ahash": "string",
"phash": "string",
"dhash": "string",
"whash": "string"
}
]
]Example
Request
curl "https://scanmalware.com/api/v1/screenshot/duplicates?threshold=5&min_group_size=2"Response
[
[
{
"scan_id": "123e4567-e89b-12d3-a456-426614174000",
"url": "https://phishing-site1.com",
"title": "Microsoft Account",
"submitted_at": "2025-08-20T16:30:00.000Z",
"ahash": "1a2b3c4d5e6f7890",
"phash": "0987654321abcdef",
"dhash": "fedcba9876543210",
"whash": "1234567890abcdef"
},
{
"scan_id": "223e4567-e89b-12d3-a456-426614174001",
"url": "https://phishing-site2.com",
"title": "Microsoft Account",
"submitted_at": "2025-08-20T17:00:00.000Z",
"ahash": "1a2b3c4d5e6f7891",
"phash": "0987654321abcdef",
"dhash": "fedcba9876543211",
"whash": "1234567890abcdef"
}
]
]GET
/api/v1/screenshot/statsScreenshot Statistics
Get statistics about screenshot processing and hashing
Response
{
"total_screenshots": "integer",
"unique_ahash": "integer",
"unique_phash": "integer",
"unique_dhash": "integer",
"unique_whash": "integer",
"duplicate_groups": "integer",
"processing_stats": {
"average_size_kb": "number",
"average_processing_ms": "number"
},
"last_updated": "string"
}Example
Request
curl "https://scanmalware.com/api/v1/screenshot/stats"Response
{
"total_screenshots": 1234,
"unique_ahash": 987,
"unique_phash": 976,
"unique_dhash": 982,
"unique_whash": 978,
"duplicate_groups": 45,
"processing_stats": {
"average_size_kb": 234.5,
"average_processing_ms": 125.3
},
"last_updated": "2025-08-20T16:30:00.000Z"
}GET
/api/v1/search/jarm/{jarm_signature}JARM Signature Search
Search for scans by JARM TLS fingerprint. JARM fingerprints are 62-character hashes that identify TLS server configurations.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
jarm_signature | string | Required | JARM TLS fingerprint (62-character hex string) |
page | integer | Optional | Page number |
limit | integer | Optional | Items per page |
Response
{
"jarm_signature": "string",
"total_results": "integer",
"results": [
{
"scan_id": "string",
"url": "string",
"final_url": "string",
"jarm_host": "string",
"jarm_port": "integer",
"jarm_url": "string",
"is_final_url": "boolean",
"title": "string",
"scan_type": "string",
"status": "string",
"submitted_at": "string",
"completed_at": "string"
}
]
}Example
Request
curl "https://scanmalware.com/api/v1/search/jarm/29d3fd00029d29d21c42d43d00041df48f145f65c66577d0b01ecea881c1ba"Response
{
"jarm_signature": "29d3fd00029d29d21c42d43d00041df48f145f65c66577d0b01ecea881c1ba",
"total_results": 2,
"results": [
{
"scan_id": "123e4567-e89b-12d3-a456-426614174000",
"url": "https://google.com/",
"final_url": "https://www.google.com/",
"jarm_host": "www.google.com",
"jarm_port": 443,
"jarm_url": "https://www.google.com/",
"is_final_url": true,
"title": "Google",
"scan_type": "public",
"status": "completed",
"submitted_at": "2025-08-26T07:14:30.516606",
"completed_at": null
}
]
}GET
/api/v1/jarm/scan/{scan_id}Get JARM Signatures for Scan
Get all JARM signatures associated with a specific scan
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
scan_id | string | Required | The unique scan ID |
Response
{
"scan_id": "string",
"signatures": [
{
"host": "string",
"port": "integer",
"jarm_signature": "string",
"url": "string",
"is_final_url": "boolean",
"created_at": "string"
}
]
}Example
Request
curl "https://scanmalware.com/api/v1/jarm/scan/123e4567-e89b-12d3-a456-426614174000"Response
{
"scan_id": "123e4567-e89b-12d3-a456-426614174000",
"signatures": [
{
"host": "www.google.com",
"port": 443,
"jarm_signature": "29d3fd00029d29d21c42d43d00041df48f145f65c66577d0b01ecea881c1ba",
"url": "https://www.google.com/",
"is_final_url": true,
"created_at": "2025-08-26T11:20:40.658178"
},
{
"host": "google.com",
"port": 443,
"jarm_signature": "29d3fd00029d29d21c42d43d00041df48f145f65c66577d0b01ecea881c1ba",
"url": "https://google.com/",
"is_final_url": false,
"created_at": "2025-08-26T11:20:40.272924"
}
]
}GET
/api/v1/jarm/statsJARM Statistics
Get statistics about JARM signatures in the database
Response
{
"statistics": {
"unique_signatures": "integer",
"total_scans": "integer",
"total_entries": "integer",
"unique_hosts": "integer"
},
"common_signatures": [
{
"jarm_signature": "string",
"scan_count": "integer",
"host_count": "integer",
"sample_hosts": [
"string"
]
}
]
}Example
Request
curl "https://scanmalware.com/api/v1/jarm/stats"Response
{
"statistics": {
"unique_signatures": 4,
"total_scans": 16,
"total_entries": 26,
"unique_hosts": 5
},
"common_signatures": [
{
"jarm_signature": "29d3fd00029d29d21c42d43d00041df48f145f65c66577d0b01ecea881c1ba",
"scan_count": 10,
"host_count": 2,
"sample_hosts": ["google.com", "www.google.com"]
}
]
}GET
/api/v1/search/similarSimilar Content Search
Find scans with similar content using fuzzy hashing
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
scan_id | string | Required | Base scan ID to find similar scans for |
methods | array | Optional | Methods to use for similarity: screenshot, favicon, fuzzy |
page | integer | Optional | Page number |
limit | integer | Optional | Items per page |
Response
[
{
"scan_id": "string",
"url": "string",
"title": "string",
"similarity_score": "integer",
"tlsh_score": "integer | null",
"ssdeep_score": "integer | null",
"submitted_at": "string"
}
]Example
Request
curl "https://scanmalware.com/api/v1/search/similar?scan_id=123e4567-e89b-12d3-a456-426614174000&threshold=85"Response
[
{
"scan_id": "223e4567-e89b-12d3-a456-426614174001",
"url": "https://similar-site.com",
"title": "Similar Content Site",
"similarity_score": 92,
"tlsh_score": 15,
"ssdeep_score": 89,
"submitted_at": "2025-08-20T16:30:00.000Z"
}
]GET
/api/v1/search/fuzzy/{hash_type}Search by Fuzzy Hash
Search for scans by fuzzy hash - TLSH, ssdeep, or sdhash (public scans only)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
hash_type | string | Required | Fuzzy hash type: "tlsh", "ssdeep", or "sdhash" |
hash_value | string | Required | The fuzzy hash value to search for (query parameter) |
page | integer | Optional | Page number (default: 1) |
limit | integer | Optional | Items per page (default: 20, max: 100) |
Response
{
"hash_type": "string",
"hash_value": "string",
"count": "integer",
"results": [
{
"scan_id": "string",
"url": "string",
"title": "string",
"submitted_at": "string"
}
]
}Example
Request
curl "https://scanmalware.com/api/v1/search/fuzzy/tlsh?hash_value=T1ABC123..."Response
{
"hash_type": "tlsh",
"hash_value": "T1ABC123...",
"count": 2,
"results": [
{
"scan_id": "123e4567-e89b-12d3-a456-426614174000",
"url": "https://example.com",
"title": "Example Domain",
"submitted_at": "2025-08-20T16:30:00.000Z"
}
]
}GET
/api/v1/statsGet System Statistics
Retrieve system statistics and queue information
Response
{
"queue_length": "integer",
"running_scans": "integer",
"completed_24h": {
"public": "integer",
"unlisted": "integer",
"private": "integer"
}
}Example
Request
curl "https://scanmalware.com/api/v1/stats"Response
{
"queue_length": 5,
"running_scans": 2,
"completed_24h": {
"public": 150,
"unlisted": 25,
"private": 8
}
}GET
/api/v1/screenshot/{scan_id}Get Scan Screenshot
Get scan screenshot with optional resizing and format conversion
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
scan_id | string | Required | |
width | integer | Optional | Resize width (maintains aspect ratio) |
height | integer | Optional | Resize height (maintains aspect ratio) |
format | string | Optional | Output format: png or webp |
Response
Binary image data — image/png by default, image/webp when ?format=webp.Example
Request
curl "https://scanmalware.com/api/v1/screenshot/123e4567-e89b-12d3-a456-426614174000?width=640&format=webp" -o screenshot.webpResponse
[Binary image data]GET
/api/v1/healthHealth Check
Check system health and worker status
Response
{
"status": "string",
"timestamp": "string",
"workers": {
"active": "integer",
"total": "integer"
},
"queue_length": "integer"
}Example
Request
curl "https://scanmalware.com/api/v1/health"Response
{
"status": "healthy",
"timestamp": "2025-08-20T16:30:00.000Z",
"workers": {
"active": 3,
"total": 3
},
"queue_length": 0
}GET
/api/v1/ocr/{scan_id}Get OCR Text
Get OCR-extracted text from a scan's screenshot with language detection
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
scan_id | string | Required | The scan ID to retrieve OCR text for |
Response
{
"scan_id": "string",
"ocr_text": "string",
"ocr_language": "string",
"suspicious_regions": "array",
"metadata": {
"text_length": "integer",
"word_count": "integer",
"char_count": "integer",
"detected_language": "string",
"tesseract_language": "string"
},
"source": "string"
}Example
Request
curl "https://scanmalware.com/api/v1/ocr/123e4567-e89b-12d3-a456-426614174000"Response
{
"scan_id": "123e4567-e89b-12d3-a456-426614174000",
"ocr_text": "Example Domain\nThis domain is for use in illustrative examples...",
"ocr_language": "eng",
"suspicious_regions": [
{
"text": "Windows + R",
"pattern": "windows + r",
"bbox": {"x": 100, "y": 200, "width": 150, "height": 30},
"confidence": 95
}
],
"metadata": {
"text_length": 197,
"word_count": 28,
"char_count": 172,
"detected_language": "en",
"tesseract_language": "eng"
},
"source": "database"
}GET
/api/v1/search/ocrSearch OCR Text
Full-text search through OCR-extracted text from screenshots
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
q | string | Required | Search query (min 3 characters) |
page | integer | Optional | Page number (default: 1) |
limit | integer | Optional | Items per page (default: 20, max: 100) |
Response
{
"results": [
{
"scan_id": "string",
"url": "string",
"ocr_text_preview": "string",
"relevance_score": "float",
"scan_timestamp": "string"
}
],
"pagination": "object"
}Example
Request
curl "https://scanmalware.com/api/v1/search/ocr?q=verify+human&page=1&limit=10"Response
{
"results": [
{
"scan_id": "123e4567-e89b-12d3-a456-426614174000",
"url": "https://suspicious-site.com",
"ocr_text_preview": "Please verify you are human by pressing Windows+R and typing...",
"relevance_score": 0.95,
"scan_timestamp": "2025-08-20T16:30:00.000Z"
}
],
"pagination": {
"page": 1,
"limit": 10,
"total": 3,
"pages": 1
}
}GET
/api/v1/search/ocr/patternOCR Pattern Search
Search for specific patterns in OCR-extracted text
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
pattern | string | Required | Pattern to search for |
case_sensitive | boolean | Optional | Whether to perform case-sensitive search (default: false) |
page | integer | Optional | Page number (default: 1) |
limit | integer | Optional | Items per page (default: 20, max: 100) |
Response
{
"results": [
{
"scan_id": "string",
"url": "string",
"ocr_text_preview": "string",
"match_count": "integer",
"scan_timestamp": "string"
}
],
"pagination": "object"
}Example
Request
curl "https://scanmalware.com/api/v1/search/ocr/pattern?pattern=Windows%2BR&case_sensitive=false"Response
{
"results": [
{
"scan_id": "123e4567-e89b-12d3-a456-426614174000",
"url": "https://suspicious-site.com",
"ocr_text_preview": "Press Windows+R to open Run dialog...",
"match_count": 3,
"scan_timestamp": "2025-08-20T16:30:00.000Z"
}
],
"pagination": {
"page": 1,
"limit": 20,
"total": 5,
"pages": 1
}
}GET
/api/v1/ocr/statsOCR Statistics
Get OCR processing statistics and language distribution
Response
{
"total_processed": "integer",
"total_with_text": "integer",
"average_text_length": "number",
"processing_time_avg_ms": "number",
"language_distribution": [
{
"language": "string",
"count": "integer",
"percentage": "number"
}
],
"suspicious_patterns": [
{
"pattern": "string",
"occurrences": "integer"
}
],
"last_updated": "string"
}Example
Request
curl "https://scanmalware.com/api/v1/ocr/stats"Response
{
"total_processed": 1234,
"total_with_text": 890,
"average_text_length": 452.3,
"processing_time_avg_ms": 1250.5,
"language_distribution": [
{
"language": "eng",
"count": 650,
"percentage": 73.0
},
{
"language": "chi_sim",
"count": 120,
"percentage": 13.5
}
],
"suspicious_patterns": [
{
"pattern": "Windows+R",
"occurrences": 15
},
{
"pattern": "PowerShell",
"occurrences": 8
}
],
"last_updated": "2025-08-20T16:30:00.000Z"
}GET
/api/v1/clipboard/statsClipboard Statistics
Get global clipboard monitoring and pastejacking detection statistics
Response
{
"clipboard_events": {
"scans_with_clipboard": "integer",
"total_events": "integer",
"copy_events": "integer",
"paste_events": "integer",
"suspicious_events": "integer"
},
"pastejacking_detections": {
"scans_with_pastejacking": "integer",
"total_detections": "integer",
"critical": "integer",
"high": "integer",
"medium": "integer",
"low": "integer"
},
"daily_activity": "array"
}Example
Request
curl "https://scanmalware.com/api/v1/clipboard/stats"Response
{
"clipboard_events": {
"scans_with_clipboard": 142,
"total_events": 523,
"copy_events": 201,
"paste_events": 87,
"suspicious_events": 34
},
"pastejacking_detections": {
"scans_with_pastejacking": 28,
"total_detections": 45,
"critical": 5,
"high": 12,
"medium": 18,
"low": 10
},
"daily_activity": [
{
"date": "2025-08-20",
"scans_with_clipboard_activity": 15,
"total_events": 67,
"suspicious_events": 8,
"scans_with_pastejacking": 3
}
]
}GET
/api/v1/clipboard/{scan_id}Get Clipboard Events
Get clipboard events captured during a specific scan
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
scan_id | string | Required | The scan ID to retrieve clipboard events for |
Response
{
"scan_id": "string",
"events": [
{
"event_type": "string",
"event_timestamp": "string",
"event_data": "object",
"page_url": "string",
"element_selector": "string",
"is_suspicious": "boolean",
"suspicious_reason": "string"
}
],
"statistics": "object",
"source": "string"
}Example
Request
curl "https://scanmalware.com/api/v1/clipboard/123e4567-e89b-12d3-a456-426614174000"Response
{
"scan_id": "123e4567-e89b-12d3-a456-426614174000",
"events": [
{
"event_type": "copy",
"event_timestamp": "2025-08-20T16:30:15.000Z",
"event_data": {
"clipboardData": "powershell -Command iex",
"selection": "Run this command"
},
"page_url": "https://suspicious-site.com/verify",
"element_selector": "div.verification-steps",
"is_suspicious": true,
"suspicious_reason": "Contains potentially malicious command patterns"
}
],
"statistics": {
"total_events": 3,
"copy_events": 2,
"paste_events": 1,
"suspicious_events": 1
},
"source": "database"
}GET
/api/v1/pastejacking/{scan_id}Get Pastejacking Detections
Get pastejacking attack detections for a specific scan
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
scan_id | string | Required | The scan ID to retrieve pastejacking detections for |
Response
{
"scan_id": "string",
"detections": [
{
"detection_type": "string",
"severity": "string",
"description": "string",
"technical_details": "object",
"affected_element": "string",
"mitigation_advice": "string",
"detected_at": "string"
}
],
"detection_count": "integer",
"max_severity": "string",
"source": "string"
}Example
Request
curl "https://scanmalware.com/api/v1/pastejacking/123e4567-e89b-12d3-a456-426614174000"Response
{
"scan_id": "123e4567-e89b-12d3-a456-426614174000",
"detections": [
{
"detection_type": "hidden_payload",
"severity": "critical",
"description": "Hidden malicious content detected in DIV element",
"technical_details": {
"content": "powershell -NoProfile -ExecutionPolicy Bypass",
"tag": "DIV",
"visibility": "hidden",
"opacity": "0"
},
"affected_element": "div.hidden-command",
"mitigation_advice": "Avoid copying text from this page as it may contain hidden malicious content",
"detected_at": "2025-08-20T16:30:00.000Z"
},
{
"detection_type": "fake_modal",
"severity": "high",
"description": "Suspicious modal detected with pattern: /windows?\\s*\\+\\s*r/i",
"technical_details": {
"text": "Press Windows+R to verify",
"zIndex": "9999",
"position": "fixed"
},
"mitigation_advice": "Be cautious of verification prompts asking you to copy/paste commands",
"detected_at": "2025-08-20T16:30:00.000Z"
}
],
"detection_count": 2,
"max_severity": "critical",
"source": "database"
}GET
/api/v1/search/clipboard/suspiciousSearch Suspicious Clipboard
Search for suspicious clipboard activity patterns across all scans
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
pattern | string | Optional | Pattern to search in suspicious clipboard events |
page | integer | Optional | Page number (default: 1) |
limit | integer | Optional | Items per page (default: 20, max: 100) |
Response
{
"results": [
{
"scan_id": "string",
"url": "string",
"event_count": "integer",
"suspicious_reason": "string",
"scan_timestamp": "string"
}
],
"pagination": "object"
}Example
Request
curl "https://scanmalware.com/api/v1/search/clipboard/suspicious?pattern=powershell&page=1"Response
{
"results": [
{
"scan_id": "123e4567-e89b-12d3-a456-426614174000",
"url": "https://malicious-site.com",
"event_count": 5,
"suspicious_reason": "Contains potentially malicious command patterns",
"scan_timestamp": "2025-08-20T16:30:00.000Z"
}
],
"pagination": {
"page": 1,
"limit": 20,
"total": 8,
"pages": 1
}
}GET
/api/v1/technologies/searchSearch Technologies
Search for technologies by name or category with full-text search support
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
q | string | Optional | Search term for technology name (supports partial matching) |
category | string | Optional | Filter by category (e.g., "CMS", "Web Framework", "JavaScript Library") |
page | integer | Optional | Page number (default: 1) |
limit | integer | Optional | Items per page (default: 20, max: 100) |
Response
{
"results": [
{
"name": "string",
"category": "string",
"occurrence_count": "integer",
"first_seen": "string",
"last_seen": "string"
}
],
"pagination": "object"
}Example
Request
curl "https://scanmalware.com/api/v1/technologies/search?q=wordpress&category=CMS"Response
{
"results": [
{
"name": "WordPress",
"category": "CMS",
"occurrence_count": 45,
"first_seen": "2025-08-01T10:00:00.000Z",
"last_seen": "2025-08-20T16:30:00.000Z"
}
],
"pagination": {
"page": 1,
"limit": 20,
"total_items": 1,
"total_pages": 1,
"has_next": false,
"has_prev": false
}
}GET
/api/v1/technologies/popularPopular Technologies
Get the most frequently detected technologies
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
days | integer | Optional | Number of days to look back |
page | integer | Optional | Page number |
limit | integer | Optional | Items per page |
Response
{
"time_period": "string",
"results": [
{
"name": "string",
"category": "string",
"occurrence_count": "integer",
"percentage_of_scans": "number",
"last_seen": "string"
}
],
"pagination": "object"
}Example
Request
curl "https://scanmalware.com/api/v1/technologies/popular?time_period=7d&limit=5"Response
{
"time_period": "7d",
"results": [
{
"name": "jQuery",
"category": "JavaScript Library",
"occurrence_count": 234,
"percentage_of_scans": 45.2,
"last_seen": "2025-08-20T16:30:00.000Z"
}
],
"pagination": {
"page": 1,
"limit": 5,
"total_items": 150,
"total_pages": 30,
"has_next": true,
"has_prev": false
}
}GET
/api/v1/technologies/combinations/{tech_name}Technology Combinations
Find technologies commonly used together with a specific technology
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
tech_name | string | Required | Technology name to find combinations for |
min_occurrences | integer | Optional | Minimum occurrences to include |
page | integer | Optional | Page number |
limit | integer | Optional | Items per page |
Response
{
"base_technology": "string",
"total_occurrences": "integer",
"combinations": [
{
"technology": "string",
"category": "string",
"co_occurrence_count": "integer",
"percentage": "number"
}
],
"pagination": "object"
}Example
Request
curl "https://scanmalware.com/api/v1/technologies/combinations/WordPress"Response
{
"base_technology": "WordPress",
"total_occurrences": 45,
"combinations": [
{
"technology": "MySQL",
"category": "Database",
"co_occurrence_count": 42,
"percentage": 93.3
},
{
"technology": "PHP",
"category": "Programming Language",
"co_occurrence_count": 45,
"percentage": 100.0
}
],
"pagination": {
"page": 1,
"limit": 20,
"total_items": 25,
"total_pages": 2,
"has_next": true,
"has_prev": false
}
}GET
/api/v1/technologies/statsTechnology Statistics
Get aggregated statistics about detected technologies
Response
{
"total_unique_technologies": "integer",
"total_detections": "integer",
"scans_with_technologies": "integer",
"top_categories": [
{
"category": "string",
"count": "integer",
"percentage": "number"
}
],
"detection_trend_7d": "object",
"last_updated": "string"
}Example
Request
curl "https://scanmalware.com/api/v1/technologies/stats"Response
{
"total_unique_technologies": 1250,
"total_detections": 45678,
"scans_with_technologies": 3456,
"top_categories": [
{
"category": "JavaScript Library",
"count": 12345,
"percentage": 27.0
},
{
"category": "Web Server",
"count": 8901,
"percentage": 19.5
}
],
"detection_trend_7d": {
"2025-08-14": 234,
"2025-08-15": 256,
"2025-08-16": 289,
"2025-08-17": 301,
"2025-08-18": 298,
"2025-08-19": 312,
"2025-08-20": 325
},
"last_updated": "2025-08-20T16:30:00.000Z"
}GET
/api/v1/technologies/by-scan/{scan_id}Technologies by Scan
Get all technologies detected in a specific scan
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
scan_id | string | Required | The unique scan ID |
Response
{
"scan_id": "string",
"url": "string",
"technologies": [
{
"name": "string",
"category": "string",
"confidence": "integer",
"version": "string | null"
}
],
"total_count": "integer"
}Example
Request
curl "https://scanmalware.com/api/v1/technologies/by-scan/123e4567-e89b-12d3-a456-426614174000"Response
{
"scan_id": "123e4567-e89b-12d3-a456-426614174000",
"url": "https://example.com",
"technologies": [
{
"name": "WordPress",
"category": "CMS",
"confidence": 100,
"version": "6.3.1"
},
{
"name": "MySQL",
"category": "Database",
"confidence": 50,
"version": null
}
],
"total_count": 2
}GET
/api/v1/search/ip/{ip_address}Search by IP Address
Search for scans by IP address or partial IP (public scans only)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
ip_address | string | Required | IP address or partial IP to search for |
page | integer | Optional | Page number (default: 1) |
limit | integer | Optional | Items per page (default: 50, max: 500) |
Response
{
"ip_address": "string",
"total_count": "integer",
"results": [
{
"scan_id": "string",
"url": "string",
"title": "string",
"submitted_at": "string",
"ip_addresses": [
"string"
],
"primary_ip": "string"
}
],
"pagination": "object"
}Example
Request
curl "https://scanmalware.com/api/v1/search/ip/104.21.5.197"Response
{
"ip_address": "104.21.5.197",
"total_count": 3,
"results": [
{
"scan_id": "123e4567-e89b-12d3-a456-426614174000",
"url": "https://example.com",
"title": "Example Domain",
"submitted_at": "2025-08-20T16:30:00.000Z",
"ip_addresses": ["104.21.5.197", "172.67.182.169"],
"primary_ip": "104.21.5.197"
}
],
"pagination": {
"page": 1,
"limit": 50,
"total_items": 3,
"total_pages": 1,
"has_next": false,
"has_prev": false
}
}GET
/api/v1/search/semanticAI-Powered Visual Search
Search for visually similar websites using natural language queries and CLIP embeddings
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
query | string | Required | Natural language search query (e.g., "login page", "shopping cart", "news website") |
threshold | float | Optional | Similarity threshold (-1.0 to 1.0, default: -0.3). Lower values return more results |
page | integer | Optional | Page number (default: 1) |
limit | integer | Optional | Items per page (default: 20, max: 100) |
Response
{
"results": [
{
"scan_id": "string",
"url": "string",
"title": "string",
"screenshot": "string",
"submitted_at": "string",
"scan_type": "string",
"similarity": "float",
"match_type": "string"
}
],
"total": "integer",
"page": "integer",
"limit": "integer"
}Example
Request
curl "https://scanmalware.com/api/v1/search/semantic?query=search+engine&threshold=-0.3&limit=5"Response
{
"results": [
{
"scan_id": "d0e3ae0a-e560-432a-af74-32777a6250f1",
"url": "https://google.com/",
"title": "Google",
"screenshot": "screenshots/d0e3ae0a-e560-432a-af74-32777a6250f1.png",
"submitted_at": "2025-08-31T10:30:00.000Z",
"scan_type": "public",
"similarity": -0.21,
"match_type": "visual"
},
{
"scan_id": "7d5a8b9c-1234-5678-90ab-cdef12345678",
"url": "https://www.baidu.com/",
"title": "百度一下,你就知道",
"screenshot": "screenshots/7d5a8b9c-1234-5678-90ab-cdef12345678.png",
"submitted_at": "2025-08-30T14:20:00.000Z",
"scan_type": "public",
"similarity": -0.22,
"match_type": "visual"
}
],
"total": 66,
"page": 1,
"limit": 5
}GET
/api/v1/cpe/search/{cpe_pattern}Search CPE Records
Search for scans containing specific CPE patterns or technology names with pagination. Searches both: - scan_cpes table (for CPE strings) - technologies table (for technology names like 'nginx', 'cowboy', etc.)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
cpe_pattern | string | Required | CPE search pattern (e.g., "nginx", "apache:2.4", "gunicorn:19.9.0") |
page | integer | Optional | Page number (default: 1) |
limit | integer | Optional | Items per page (default: 20, max: 100) |
Response
{
"pattern": "string",
"results": [
{
"scan_id": "string",
"url": "string",
"final_url": "string",
"title": "string",
"status": "string",
"scan_type": "string",
"submitted_at": "string",
"cpe": "string",
"source": "string",
"detected_at": "string"
}
],
"pagination": {
"page": "integer",
"limit": "integer",
"total": "integer",
"pages": "integer"
}
}Example
Request
curl "https://scanmalware.com/api/v1/cpe/search/nginx:1.24"Response
{
"pattern": "nginx:1.24",
"results": [
{
"scan_id": "123e4567-e89b-12d3-a456-426614174000",
"url": "https://example.com",
"final_url": "https://example.com",
"title": "Example Site",
"status": "completed",
"scan_type": "public",
"submitted_at": "2025-09-01T10:00:00.000000",
"cpe": "cpe:2.3:a:nginx:nginx:1.24.0:*:*:*:*:*:*:*",
"source": "server_header",
"detected_at": "2025-09-01T10:00:30.000000+00:00"
}
],
"pagination": {
"page": 1,
"limit": 20,
"total": 5,
"pages": 1
}
}GET
/api/v1/cpe/statsCPE Statistics
Get global CPE detection statistics
Response
{
"total_cpes": "integer",
"unique_products": "integer",
"unique_vendors": "integer",
"most_common_cpes": [
{
"cpe": "string",
"vendor": "string",
"product": "string",
"version": "string",
"count": "integer"
}
],
"recent_detections": [
{
"cpe": "string",
"detected_at": "string",
"scan_id": "string"
}
]
}Example
Request
curl "https://scanmalware.com/api/v1/cpe/stats"Response
{
"total_cpes": 1523,
"unique_products": 89,
"unique_vendors": 45,
"most_common_cpes": [
{
"cpe": "cpe:2.3:a:nginx:nginx:*:*:*:*:*:*:*:*",
"vendor": "nginx",
"product": "nginx",
"version": "*",
"count": 234
},
{
"cpe": "cpe:2.3:a:apache:http_server:2.4:*:*:*:*:*:*:*",
"vendor": "apache",
"product": "http_server",
"version": "2.4",
"count": 189
}
],
"recent_detections": [
{
"cpe": "cpe:2.3:a:wordpress:wordpress:6.7.3:*:*:*:*:*:*:*",
"detected_at": "2025-09-03T14:00:00.000000+00:00",
"scan_id": "abc123de-f456-7890-abcd-ef1234567890"
}
]
}GET
/api/v1/cpe/{scan_id}Get CPEs for Scan
Get all CPE records detected in a specific scan
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
scan_id | string | Required | The scan ID to get CPEs for |
Response
{
"scan_id": "string",
"cpes": [
{
"cpe": "string",
"vendor": "string",
"product": "string",
"version": "string",
"source": "string",
"detected_at": "string"
}
],
"total_count": "integer"
}Example
Request
curl "https://scanmalware.com/api/v1/cpe/123e4567-e89b-12d3-a456-426614174000"Response
{
"scan_id": "123e4567-e89b-12d3-a456-426614174000",
"cpes": [
{
"cpe": "cpe:2.3:a:nginx:nginx:1.24.0:*:*:*:*:*:*:*",
"vendor": "nginx",
"product": "nginx",
"version": "1.24.0",
"source": "server_header",
"detected_at": "2025-09-01T10:00:30.000000+00:00"
},
{
"cpe": "cpe:2.3:a:openssl:openssl:3.0.2:*:*:*:*:*:*:*",
"vendor": "openssl",
"product": "openssl",
"version": "3.0.2",
"source": "server_header",
"detected_at": "2025-09-01T10:00:30.000000+00:00"
}
],
"total_count": 2
}GET
/api/v1/domain/stats/{domain}Domain Statistics
Get detailed statistics for a specific domain including scan history and threat analysis
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
domain | string | Required | The domain to get statistics for (e.g., "example.com") |
Response
{
"domain": "string",
"total_scans": "integer",
"first_seen": "string",
"last_seen": "string",
"scan_types": {
"public": "integer",
"unlisted": "integer",
"private": "integer"
},
"status_breakdown": {
"completed": "integer",
"failed": "integer",
"processing": "integer"
},
"risk_levels": {
"safe": "integer",
"low": "integer",
"medium": "integer",
"high": "integer",
"malicious": "integer"
}
}Example
Request
curl "https://scanmalware.com/api/v1/domain/stats/example.com"Response
{
"domain": "example.com",
"total_scans": 45,
"first_seen": "2025-01-15T10:00:00.000Z",
"last_seen": "2025-09-08T16:30:00.000Z",
"scan_types": {
"public": 40,
"unlisted": 4,
"private": 1
},
"status_breakdown": {
"completed": 42,
"failed": 2,
"processing": 1
},
"risk_levels": {
"safe": 38,
"low": 3,
"medium": 1,
"high": 0,
"malicious": 0
}
}GET
/api/v1/domain/history/{domain}Domain Scan History
Get the complete scan history for a specific domain with detailed timeline
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
domain | string | Required | |
page | integer | Optional | Page number |
limit | integer | Optional | Items per page |
Response
{
"domain": "string",
"history": [
{
"scan_id": "string",
"url": "string",
"submitted_at": "string",
"completed_at": "string",
"status": "string",
"scan_type": "string",
"risk_score": "integer",
"title": "string"
}
],
"total_count": "integer"
}Example
Request
curl "https://scanmalware.com/api/v1/domain/history/example.com?limit=10"Response
{
"domain": "example.com",
"history": [
{
"scan_id": "123e4567-e89b-12d3-a456-426614174000",
"url": "https://example.com",
"submitted_at": "2025-09-08T16:30:00.000Z",
"completed_at": "2025-09-08T16:30:15.000Z",
"status": "completed",
"scan_type": "public",
"risk_score": 95,
"title": "Example Domain"
}
],
"total_count": 45
}GET
/api/v1/ai/{scan_id}AI Security Analysis
Get AI-powered security analysis results for a specific scan
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
scan_id | string | Required | The scan ID to get AI analysis for |
Response
{
"scan_id": "string",
"analysis": {
"classification": "string",
"confidence": "number",
"risk_level": "string",
"scam_type": "string | null",
"evidence": "array",
"recommendations": "array",
"risk_factors": "array",
"safety_factors": "array"
},
"created_at": "string",
"model_version": "string"
}Example
Request
curl "https://scanmalware.com/api/v1/ai/123e4567-e89b-12d3-a456-426614174000"Response
{
"scan_id": "123e4567-e89b-12d3-a456-426614174000",
"analysis": {
"classification": "legitimate",
"confidence": 0.95,
"risk_level": "low",
"scam_type": null,
"evidence": [
"Valid SSL certificate",
"Known legitimate domain",
"No suspicious patterns detected"
],
"recommendations": [
"Site appears safe for general use"
],
"risk_factors": [],
"safety_factors": [
"HTTPS enabled",
"Valid certificate chain",
"Established domain age"
]
},
"created_at": "2025-09-08T16:31:00.000Z",
"model_version": "gpt-oss-120b"
}GET
/api/v1/ai/statsAI Analysis Statistics
Get global statistics for AI-powered security analysis
Response
{
"total_analyses": "integer",
"classifications": {
"legitimate": "integer",
"suspicious": "integer",
"malicious": "integer",
"phishing": "integer",
"scam": "integer"
},
"average_confidence": "number",
"scam_types_detected": "object",
"model_performance": {
"average_processing_time_ms": "number",
"success_rate": "number"
}
}Example
Request
curl "https://scanmalware.com/api/v1/ai/stats"Response
{
"total_analyses": 1523,
"classifications": {
"legitimate": 1200,
"suspicious": 150,
"malicious": 73,
"phishing": 65,
"scam": 35
},
"average_confidence": 0.87,
"scam_types_detected": {
"tech_support": 15,
"fake_shopping": 10,
"crypto_scam": 8,
"romance_scam": 2
},
"model_performance": {
"average_processing_time_ms": 2500,
"success_rate": 0.98
}
}GET
/api/v1/ai/search/classificationSearch by AI Classification
Search for scans by AI classification type
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
classification | string | Required | Classification type: LEGITIMATE, LOW_RISK, MODERATE_RISK, HIGH_RISK, or CONFIRMED_SCAM |
limit | integer | Optional | Maximum results (1-1000, default: 100) |
Response
{
"results": [
{
"scan_id": "string",
"url": "string",
"classification": "string",
"confidence": "number",
"risk_level": "string",
"submitted_at": "string"
}
],
"pagination": "object"
}Example
Request
curl "https://scanmalware.com/api/v1/ai/search/classification?classification=HIGH_RISK&limit=10"Response
{
"results": [
{
"scan_id": "abc123de-f456-7890-abcd-ef1234567890",
"url": "https://suspicious-site.com",
"classification": "phishing",
"confidence": 0.92,
"risk_level": "high",
"submitted_at": "2025-09-08T14:00:00.000Z"
}
],
"pagination": {
"page": 1,
"limit": 20,
"total": 65,
"pages": 4
}
}GET
/api/v1/ai/search/high-riskSearch High-Risk AI Detections
Find scans with high-risk AI security assessments
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
min_risk_score | integer | Optional | Minimum risk score (0-10, default: 7) |
min_confidence | integer | Optional | Minimum confidence level (0-100, default: 70) |
limit | integer | Optional | Maximum results (1-1000, default: 100) |
Response
{
"results": [
{
"scan_id": "string",
"url": "string",
"risk_score": "integer",
"classification": "string",
"risk_factors": "array",
"submitted_at": "string"
}
],
"pagination": "object"
}Example
Request
curl "https://scanmalware.com/api/v1/ai/search/high-risk?min_risk_score=7&min_confidence=70&limit=10"Response
{
"results": [
{
"scan_id": "xyz789ab-cdef-0123-4567-890abcdef123",
"url": "https://malicious-site.com",
"risk_score": 92,
"classification": "malicious",
"risk_factors": [
"Known malware distribution",
"Suspicious JavaScript patterns",
"Fake login form detected"
],
"submitted_at": "2025-09-08T15:00:00.000Z"
}
],
"pagination": {
"page": 1,
"limit": 20,
"total": 73,
"pages": 4
}
}GET
/api/v1/ai/search/scam-typeSearch by Scam Type
Search for scans by specific scam type detected by AI
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
scam_type | string | Required | Scam type to search for (e.g., "tech_support", "fake_shopping", "crypto_scam") |
limit | integer | Optional | Maximum results (1-1000, default: 100) |
Response
{
"scam_type": "string",
"results": [
{
"scan_id": "string",
"url": "string",
"scam_type": "string",
"confidence": "number",
"description": "string",
"submitted_at": "string"
}
],
"pagination": "object"
}Example
Request
curl "https://scanmalware.com/api/v1/ai/search/scam-type?scam_type=tech_support"Response
{
"scam_type": "tech_support",
"results": [
{
"scan_id": "def456gh-ijkl-7890-mnop-qrs123456789",
"url": "https://fake-microsoft-support.com",
"scam_type": "tech_support",
"confidence": 0.94,
"description": "Fake Microsoft tech support scam with phone number",
"submitted_at": "2025-09-08T12:00:00.000Z"
}
],
"pagination": {
"page": 1,
"limit": 20,
"total": 15,
"pages": 1
}
}GET
/api/v1/safe-browsing/{scan_id}Google Safe Browsing Results
Get Google Safe Browsing threat detection results for a specific scan
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
scan_id | string | Required | The scan ID to get Safe Browsing results for |
Response
{
"scan_id": "string",
"threats": [
{
"threat_type": "string",
"platform_type": "string",
"threat_entry_type": "string",
"url": "string",
"cache_duration": "string"
}
],
"checked_at": "string",
"threat_count": "integer"
}Example
Request
curl "https://scanmalware.com/api/v1/safe-browsing/123e4567-e89b-12d3-a456-426614174000"Response
{
"scan_id": "123e4567-e89b-12d3-a456-426614174000",
"threats": [
{
"threat_type": "SOCIAL_ENGINEERING",
"platform_type": "ANY_PLATFORM",
"threat_entry_type": "URL",
"url": "https://phishing-site.com",
"cache_duration": "300s"
}
],
"checked_at": "2025-09-08T16:30:30.000Z",
"threat_count": 1
}GET
/api/v1/safe-browsing/statsSafe Browsing Statistics
Get global Google Safe Browsing detection statistics
Response
{
"total_checks": "integer",
"threats_detected": "integer",
"threat_types": {
"MALWARE": "integer",
"SOCIAL_ENGINEERING": "integer",
"UNWANTED_SOFTWARE": "integer",
"POTENTIALLY_HARMFUL_APPLICATION": "integer"
},
"detection_rate": "number",
"last_updated": "string"
}Example
Request
curl "https://scanmalware.com/api/v1/safe-browsing/stats"Response
{
"total_checks": 5234,
"threats_detected": 423,
"threat_types": {
"MALWARE": 156,
"SOCIAL_ENGINEERING": 189,
"UNWANTED_SOFTWARE": 67,
"POTENTIALLY_HARMFUL_APPLICATION": 11
},
"detection_rate": 0.081,
"last_updated": "2025-09-08T16:30:00.000Z"
}GET
/api/v1/rdap/{scan_id}RDAP/WHOIS Information
Get RDAP/WHOIS domain registration information for a scan Returns domain age, registration date, and other RDAP data with proper security validation. Args: scan_id: UUID of the scan Returns: RDAPResponse: Domain registration information Raises: HTTPException: If scan_id is invalid or scan not found
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
scan_id | string | Required | The unique scan ID |
Response
{
"scan_id": "string",
"url": "string",
"domain_age": {
"days": "integer",
"category": "string",
"risk_multiplier": "number",
"registration_date": "string"
},
"rdap_data": {
"domain": "string",
"registrar": "string",
"created_date": "string",
"expiry_date": "string",
"updated_date": "string",
"nameservers": "array"
}
}Example
Request
curl "https://scanmalware.com/api/v1/rdap/123e4567-e89b-12d3-a456-426614174000"Response
{
"scan_id": "123e4567-e89b-12d3-a456-426614174000",
"url": "https://example.com",
"domain_age": {
"days": 8500,
"category": "WELL_ESTABLISHED",
"risk_multiplier": 1.0,
"registration_date": "2002-08-14"
},
"rdap_data": {
"domain": "example.com",
"registrar": "RESERVED-Internet Assigned Numbers Authority",
"created_date": "1995-08-14T04:00:00Z",
"expiry_date": "2025-08-13T04:00:00Z",
"updated_date": "2024-08-14T07:01:31Z",
"nameservers": ["a.iana-servers.net", "b.iana-servers.net"]
}
}GET
/api/v1/tls/{scan_id}TLS Certificate Analysis
Get TLS/SSL certificate analysis for a scan Returns comprehensive certificate details including: - Subject and issuer information - Validity dates and expiration status - Certificate fingerprints (SHA1, SHA256, MD5) - Key algorithm and size analysis - Subject Alternative Names (SANs) - Certificate Transparency (CT) log data - CAA record validation - Security analysis and risk scoring - Chain validation - Full certificate PEM data Results are cached for 60 seconds (only when data exists).
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
scan_id | string | Required | The unique scan ID |
Response
{
"scan_id": "string",
"subject_common_name": "string",
"subject_organization": "string",
"issuer_common_name": "string",
"issuer_organization": "string",
"not_before": "string",
"not_after": "string",
"is_valid": "boolean",
"is_expired": "boolean",
"days_until_expiry": "integer",
"validity_period_days": "integer",
"key_algorithm": "string",
"key_size": "integer",
"fingerprint_sha256": "string",
"is_self_signed": "boolean",
"is_wildcard": "boolean",
"is_lets_encrypt": "boolean",
"sans": {
"dns_names": "array",
"wildcards": "array",
"risk_score": "integer"
},
"security_analysis": {
"findings": "array",
"warnings": "array"
},
"risk_score": "integer",
"is_in_ct_logs": "boolean",
"ct_certificate_count": "integer",
"has_caa_records": "boolean",
"caa_compliant": "boolean",
"processing_time_ms": "integer",
"created_at": "string (ISO 8601 timestamp)"
}Example
Request
curl "https://scanmalware.com/api/v1/tls/123e4567-e89b-12d3-a456-426614174000"Response
{
"scan_id": "123e4567-e89b-12d3-a456-426614174000",
"subject_common_name": "secure.example.com",
"subject_organization": "Example Corp",
"issuer_common_name": "GeoTrust RSA CA 2018",
"issuer_organization": "DigiCert Inc",
"not_before": "2025-01-01T00:00:00+00:00",
"not_after": "2026-01-01T23:59:59+00:00",
"is_valid": true,
"is_expired": false,
"days_until_expiry": 245,
"validity_period_days": 365,
"key_algorithm": "RSA",
"key_size": 2048,
"fingerprint_sha256": "e070c3e6c13e9519d5501ee53129d3cdc5d5f305...",
"is_self_signed": false,
"is_wildcard": false,
"is_lets_encrypt": false,
"sans": {
"dns_names": ["secure.example.com", "www.example.com"],
"wildcards": [],
"risk_score": 0
},
"security_analysis": {
"findings": ["Certificate is valid", "Strong key size (2048 bits)"],
"warnings": []
},
"risk_score": 5,
"is_in_ct_logs": true,
"ct_certificate_count": 42,
"has_caa_records": true,
"caa_compliant": true,
"processing_time_ms": 1234,
"created_at": "2025-11-03T10:30:00.000000"
}GET
/api/v1/tls/{scan_id}/asn1TLS Certificate ASN.1 Structure
Get the raw ASN.1 (Abstract Syntax Notation One) structure of the TLS/SSL certificate. Returns detailed parsed structure and human-readable dump of all certificate fields, extensions, and encoded values.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
scan_id | string | Required | The unique scan ID |
Response
{
"scan_id": "string",
"asn1_structure": {
"version": "string",
"serial_number": "string",
"signature_algorithm": {
"algorithm": "string (OID)",
"parameters": "string | null"
},
"issuer": "object",
"validity": {
"not_before": "string (ISO 8601)",
"not_after": "string (ISO 8601)"
},
"subject": "object",
"subject_public_key_info": {
"algorithm": "string (OID)",
"parameters": "string | null",
"public_key_size": "integer"
},
"extensions": "array of objects",
"signature_value_size": "integer"
},
"raw_asn1_dump": "string (formatted text)"
}Example
Request
curl "https://scanmalware.com/api/v1/tls/123e4567-e89b-12d3-a456-426614174000/asn1"Response
{
"scan_id": "123e4567-e89b-12d3-a456-426614174000",
"asn1_structure": {
"version": "v3",
"serial_number": "227830333772454795620750445496253172213",
"signature_algorithm": {
"algorithm": "1.2.840.10045.4.3.2",
"parameters": null
},
"issuer": {
"country": "GB",
"organization": "Sectigo Limited",
"common_name": "Sectigo ECC Domain Validation Secure Server CA"
},
"validity": {
"not_before": "2025-02-05T00:00:00+00:00",
"not_after": "2026-02-05T23:59:59+00:00"
},
"subject": {
"common_name": "example.com"
},
"subject_public_key_info": {
"algorithm": "1.2.840.10045.2.1",
"parameters": null,
"public_key_size": 520
},
"extensions": [
{
"extn_id": "2.5.29.17",
"extn_name": "2.5.29.17",
"critical": false,
"extn_value": ["example.com", "www.example.com"]
}
],
"signature_value_size": 560
},
"raw_asn1_dump": "Certificate:\n Version: v3\n Serial Number: 227830333772454795620750445496253172213\n ..."
}GET
/api/v1/malware/{scan_id}Malware Detection Results
Get malware scan results including detected threats and infected resources
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
scan_id | string | Required | The unique scan ID |
Response
{
"scan_id": "string",
"statistics": {
"total_resources": "integer",
"threats_detected": "integer",
"unique_threats": "integer",
"avg_scan_time": "number",
"total_bytes_scanned": "integer"
},
"resources": "array",
"threat_count": "integer",
"source": "string"
}Example
Request
curl "https://scanmalware.com/api/v1/malware/123e4567-e89b-12d3-a456-426614174000"Response
{
"scan_id": "123e4567-e89b-12d3-a456-426614174000",
"statistics": {
"total_resources": 45,
"threats_detected": 2,
"unique_threats": 2,
"avg_scan_time": 0.125,
"total_bytes_scanned": 2456789
},
"resources": [
{
"url": "https://malicious-site.com/script.js",
"content_hash": "abc123...",
"content_type": "application/javascript",
"threat_detected": true,
"threat_name": "JS/Trojan.Agent",
"scan_time": 0.089
}
],
"threat_count": 2,
"source": "clamav"
}GET
/api/v1/malware/threats/recentRecent Malware Threats
Get recently detected malware threats across all public scans
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
hours | integer | Optional | Hours to look back |
limit | integer | Optional | Maximum results |
Response
{
"threats": [
{
"scan_id": "string",
"url": "string",
"threat_name": "string",
"content_type": "string",
"detected_at": "string",
"scan_url": "string"
}
],
"total_threats": "integer"
}Example
Request
curl "https://scanmalware.com/api/v1/malware/threats/recent?limit=5"Response
{
"threats": [
{
"scan_id": "123e4567-e89b-12d3-a456-426614174000",
"url": "https://infected-site.com/malware.js",
"threat_name": "JS/Phishing.Gen",
"content_type": "application/javascript",
"detected_at": "2025-09-19T10:30:00Z",
"scan_url": "https://infected-site.com"
}
],
"total_threats": 152
}GET
/api/v1/malware/statsMalware Detection Statistics
Get overall malware scanning statistics across the platform
Response
{
"total_scans_with_malware": "integer",
"total_malware_detections": "integer",
"unique_threats": "integer",
"most_common_threats": "array",
"detection_rate": "number",
"last_detection": "string"
}Example
Request
curl "https://scanmalware.com/api/v1/malware/stats"Response
{
"total_scans_with_malware": 342,
"total_malware_detections": 1526,
"unique_threats": 89,
"most_common_threats": [
{"name": "JS/Phishing.Gen", "count": 234},
{"name": "Trojan.Generic", "count": 156},
{"name": "PUA.CoinMiner", "count": 98}
],
"detection_rate": 0.0234,
"last_detection": "2025-09-19T10:30:00Z"
}GET
/api/v1/reports/{scan_id}Get Scan Reports
Retrieve user-submitted reports for a specific scan
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
scan_id | string | Required | The unique scan ID |
report_type | string | Optional | Filter by report type (safe, phishing, malware, etc.) |
Response
{
"scan_id": "string",
"reports": [
{
"id": "integer",
"report_type": "string",
"report_details": "string",
"created_at": "string",
"status": "string"
}
],
"total_reports": "integer"
}Example
Request
curl "https://scanmalware.com/api/v1/reports/123e4567-e89b-12d3-a456-426614174000"Response
{
"scan_id": "123e4567-e89b-12d3-a456-426614174000",
"reports": [
{
"id": 1,
"report_type": "phishing",
"report_details": "Category: Phishing & Credential Theft, Type: credential_harvesting",
"created_at": "2025-09-19T10:30:00Z",
"status": "pending"
}
],
"total_reports": 1
}GET
/api/v1/analyzers/{scan_id}Get Analyzer Results
Get security analyzer results for a specific scan
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
scan_id | string | Required | The unique scan ID |
Response
{
"scan_id": "string",
"risk_score": "integer",
"classification": "string",
"verdict": "string",
"risk_factors": "array",
"safety_factors": "array",
"confidence_percentage": "integer"
}Example
Request
curl "https://scanmalware.com/api/v1/analyzers/123e4567-e89b-12d3-a456-426614174000"Response
{
"scan_id": "123e4567-e89b-12d3-a456-426614174000",
"risk_score": 85,
"classification": "MALICIOUS",
"verdict": "High risk phishing site detected",
"risk_factors": [
"Suspicious login form",
"Recently registered domain",
"Known phishing kit detected"
],
"safety_factors": [],
"confidence_percentage": 92
}GET
/api/v1/analyzers/search/high-riskSearch High-Risk Scans
Search for scans with high security risk scores
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
min_risk_score | integer | Optional | Minimum risk score (0-100, default: 50) |
page | integer | Optional | Page number (default: 1) |
limit | integer | Optional | Items per page (default: 20, max: 100) |
Response
{
"results": [
{
"scan_id": "string",
"url": "string",
"risk_score": "integer",
"classification": "string",
"submitted_at": "string"
}
],
"pagination": "object"
}Example
Request
curl "https://scanmalware.com/api/v1/analyzers/search/high-risk?min_risk_score=75&limit=10"Response
{
"results": [
{
"scan_id": "123e4567-e89b-12d3-a456-426614174000",
"url": "https://phishing-site.com",
"risk_score": 92,
"classification": "MALICIOUS",
"submitted_at": "2025-09-19T10:30:00Z"
}
],
"pagination": {
"page": 1,
"limit": 10,
"total_items": 47,
"total_pages": 5
}
}GET
/api/v1/analyzers/stats/overviewAnalyzer Statistics Overview
Get overall statistics from security analyzers
Response
{
"total_analyzed": "integer",
"classifications": {
"legitimate": "integer",
"suspicious": "integer",
"malicious": "integer"
},
"average_risk_score": "number",
"high_risk_count": "integer",
"last_analyzed": "string"
}Example
Request
curl "https://scanmalware.com/api/v1/analyzers/stats/overview"Response
{
"total_analyzed": 15234,
"classifications": {
"legitimate": 12456,
"suspicious": 1892,
"malicious": 886
},
"average_risk_score": 23.4,
"high_risk_count": 342,
"last_analyzed": "2025-09-19T10:45:00Z"
}GET
/api/v1/ioc/{scan_id}IoC Threat Intelligence
Get IoC (Indicators of Compromise) threat intelligence matches for a scan Returns all matched malicious indicators (IPs and domains) that were found in the threat intelligence database. Args: scan_id: UUID of the scan Returns: JSON with IoC matches, summary, and metadata Raises: HTTPException: If scan_id is invalid or scan not found
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
scan_id | string | Required | The unique scan ID |
Response
{
"scan_id": "string",
"url": "string",
"scan_status": "string",
"submitted_at": "string",
"summary": {
"total_matches": "integer",
"unique_indicators": "integer",
"ip_matches": "integer",
"domain_matches": "integer",
"threat_types": "array",
"has_threats": "boolean"
},
"matches": "array"
}Example
Request
curl "https://scanmalware.com/api/v1/ioc/123e4567-e89b-12d3-a456-426614174000"Response
{
"scan_id": "123e4567-e89b-12d3-a456-426614174000",
"url": "https://example.com",
"scan_status": "completed",
"submitted_at": "2025-09-19T10:00:00Z",
"summary": {
"total_matches": 2,
"unique_indicators": 2,
"ip_matches": 1,
"domain_matches": 1,
"threat_types": ["phishing", "malware"],
"has_threats": true
},
"matches": [
{
"indicator": "192.168.1.100",
"indicator_type": "ip",
"threat_type": "malware",
"sources": ["abuse.ch", "blocklist.de"],
"context": {
"found_in": "network_request",
"location": "https://example.com/api/track"
}
}
]
}GET
/api/v1/ct/{domain}Certificate Transparency Logs
Get SSL/TLS certificates for a domain from Certificate Transparency logs
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
domain | string | Required | The domain to search (e.g., "example.com") |
Response
{
"domain": "string",
"certificates": [
{
"hash": "string",
"timestamp": "string",
"log": "string",
"issuer": "string",
"subject": "string",
"san": "array"
}
],
"total": "integer"
}Example
Request
curl "https://scanmalware.com/api/v1/ct/example.com"Response
{
"domain": "example.com",
"certificates": [
{
"hash": "abc123def456...",
"timestamp": "2025-09-19T10:00:00Z",
"log": "Google 'Argon2023' log",
"issuer": "DigiCert Inc",
"subject": "CN=*.example.com",
"san": ["*.example.com", "example.com"]
}
],
"total": 45
}GET
/api/v1/ct/similar/{domain}Similar Domain Certificates
Find certificates for similar or related domains (typosquatting detection)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
domain | string | Required | The base domain to find similar domains for |
Response
{
"domain": "string",
"similar_domains": [
{
"domain": "string",
"similarity_score": "number",
"certificates_count": "integer",
"first_seen": "string",
"last_seen": "string"
}
]
}Example
Request
curl "https://scanmalware.com/api/v1/ct/similar/example.com"Response
{
"domain": "example.com",
"similar_domains": [
{
"domain": "examp1e.com",
"similarity_score": 0.92,
"certificates_count": 2,
"first_seen": "2025-08-15T10:00:00Z",
"last_seen": "2025-09-19T10:00:00Z"
},
{
"domain": "example-com.net",
"similarity_score": 0.85,
"certificates_count": 1,
"first_seen": "2025-09-01T10:00:00Z",
"last_seen": "2025-09-01T10:00:00Z"
}
]
}GET
/api/v1/ct/dns/{domain}DNS History from Certificates
Get DNS history and subdomains discovered via Certificate Transparency
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
domain | string | Required | The domain to get DNS history for |
Response
{
"domain": "string",
"subdomains": "array",
"dns_history": [
{
"hostname": "string",
"first_seen": "string",
"last_seen": "string",
"certificate_count": "integer"
}
]
}Example
Request
curl "https://scanmalware.com/api/v1/ct/dns/example.com"Response
{
"domain": "example.com",
"subdomains": [
"www.example.com",
"api.example.com",
"blog.example.com",
"mail.example.com"
],
"dns_history": [
{
"hostname": "www.example.com",
"first_seen": "2020-01-15T10:00:00Z",
"last_seen": "2025-09-19T10:00:00Z",
"certificate_count": 24
}
]
}GET
/api/v1/ct/ip/{ip}Certificates by IP Address
Find all certificates associated with an IP address
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
ip | string | Required | The IP address to search |
Response
{
"ip": "string",
"domains": [
{
"domain": "string",
"certificate_hash": "string",
"timestamp": "string",
"issuer": "string"
}
],
"total_certificates": "integer",
"unique_domains": "integer"
}Example
Request
curl "https://scanmalware.com/api/v1/ct/ip/93.184.216.34"Response
{
"ip": "93.184.216.34",
"domains": [
{
"domain": "example.com",
"certificate_hash": "abc123...",
"timestamp": "2025-09-19T10:00:00Z",
"issuer": "DigiCert Inc"
}
],
"total_certificates": 15,
"unique_domains": 3
}GET
/api/v1/ct/timeline/{domain}Certificate Timeline
Get certificate issuance timeline for a domain Shows when certificates were issued over time
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
domain | string | Required | |
days | integer | Optional | Limit timeline to certificates seen in the last N days. Omit to return full history. |
Example
Request
curl "https://scanmalware.com/api/v1/ct/timeline/example.com?days=90"Response
{
"domain": "example.com",
"timeline": [
{
"date": "2025-09-29T00:00:00.000Z",
"certificate_count": 4,
"unique_certificates": 2
},
{
"date": "2025-12-01T00:00:00.000Z",
"certificate_count": 3,
"unique_certificates": 1
}
],
"certificate_changes": [
{
"hash": "5a1b...",
"occurrences": 6,
"first_seen": "2025-09-29T08:14:32.000Z",
"last_seen": "2025-12-15T11:02:08.000Z"
}
],
"total_certificates": 7
}GET
/api/v1/jsfingerprints/search/fuzzy/{fuzzy_hash}Search by Fuzzy Hash (Detailed Results)
Search by SSDEEP fuzzy hash for finding code variants and modified scripts.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
fuzzy_hash | string | Required | SSDEEP fuzzy hash |
limit | integer | Optional | Results per page (1-100, default: 50) |
offset | integer | Optional | Results offset (default: 0) |
Response
{
"results": "array",
"total": "integer",
"search_type": "string"
}Example
Request
curl "https://scanmalware.com/api/v1/jsfingerprints/search/fuzzy/96:aBcDeFg..."Response
{
"results": [...],
"total": 23,
"search_type": "fuzzy"
}GET
/api/v1/jsfingerprints/search/library/{library}Search by Library Name (Detailed Results)
Search JavaScript by detected library name. Returns all versions and occurrences.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
library | string | Required | Library name (e.g., jquery, react, vue) |
limit | integer | Optional | Results per page (1-100, default: 50) |
offset | integer | Optional | Results offset (default: 0) |
Response
{
"results": "array",
"total": "integer",
"search_type": "string"
}Example
Request
curl "https://scanmalware.com/api/v1/jsfingerprints/search/library/jquery"Response
{
"results": [...],
"total": 1234,
"search_type": "library"
}GET
/api/v1/jsfingerprints/search/library/{library}/version/{version}Search by Library + Version (Detailed Results)
Find specific library version usage. Essential for tracking vulnerable versions and CVE impact.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
library | string | Required | Library name |
version | string | Required | Library version |
limit | integer | Optional | Results per page (1-100, default: 50) |
offset | integer | Optional | Results offset (default: 0) |
Response
{
"results": "array",
"total": "integer",
"search_type": "string"
}Example
Request
curl "https://scanmalware.com/api/v1/jsfingerprints/search/library/jquery/version/3.6.0"Response
{
"results": [...],
"total": 567,
"search_type": "library_version"
}GET
/api/v1/jsfingerprint/library-inventoryLibrary Version Inventory
Get comprehensive catalog of all detected JavaScript library versions with usage statistics and prevalence data. Useful for dependency tracking, version auditing, and understanding library adoption across scanned sites.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
library | string | Optional | Filter to specific library (e.g., "jquery", "react") |
min_count | number | Optional | Minimum fingerprint count (default: 10) |
Response
{
"library_filter": "string | null",
"min_count": "number",
"total_library_versions": "number",
"library_versions": "array",
"note": "string"
}Example
Request
curl "https://scanmalware.com/api/v1/jsfingerprint/library-inventory?library=jquery&min_count=100"Response
{
"library_filter": "jquery",
"min_count": 100,
"total_library_versions": 12,
"library_versions": [
{
"library_name": "jquery",
"version": "3.7.1",
"fingerprint_count": 1200,
"unique_scans": 1191,
"first_seen": "2025-10-11T19:11:50.534385Z",
"last_seen": "2025-11-05T10:28:25.392293Z"
},
{
"library_name": "jquery",
"version": "1.12.0",
"fingerprint_count": 585,
"unique_scans": 584,
"first_seen": "2025-10-09T14:13:17.983428Z",
"last_seen": "2025-11-04T06:23:14.504652Z"
}
],
"note": "This endpoint returns version inventory only. For vulnerability detection, integrate with CVE databases (NVD, Snyk, etc.)."
}GET
/api/v1/jsfingerprint/cdn/{cdn_type}CDN Search
Analyze JavaScript files delivered via specific CDNs. Includes cache status breakdown, top domains, and unpinned script detection.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
cdn_type | string | Required | CDN provider (e.g., 'cloudflare', 'fastly', 'akamai') |
cdn_cache_status | string | Optional | Cache status (HIT, MISS, STALE) |
unpinned_only | boolean | Optional | Only URLs without version pinning |
limit | integer | Optional | Max results |
Response
{
"cdn_type": "string",
"total_scripts": "number",
"unique_scans": "number",
"cache_status_breakdown": "object",
"top_domains": "array",
"unpinned_scripts_count": "number",
"scripts": "array"
}Example
Request
curl "https://scanmalware.com/api/v1/jsfingerprint/cdn/cloudflare?limit=5"Response
{
"cdn_type": "cloudflare",
"total_scripts": 595,
"unique_scans": 487,
"cache_status_breakdown": {
"HIT": 423,
"MISS": 89,
"DYNAMIC": 83
},
"top_domains": [
{"domain": "cdn.example.com", "count": 142},
{"domain": "static.site.com", "count": 89}
],
"unpinned_scripts_count": 234,
"scripts": [
{
"fingerprint_id": 12350,
"scan_id": "550e8400-e29b-41d4-a716-446655440005",
"script_url": "https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.0/jquery.min.js",
"cache_status": "HIT",
"created_at": "2025-09-21T10:00:00.000Z"
}
]
}GET
/api/v1/jsfingerprint/server/{server_type}Server Type Search
Find JavaScript files served by specific server types. Includes HTTP header analysis for server fingerprinting.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
server_type | string | Required | Server type (e.g., 'nginx', 'apache', 'cloudflare') |
include_headers | boolean | Optional | Include full HTTP headers |
limit | integer | Optional | Max results |
Response
{
"server_type": "string",
"total_scripts": "number",
"unique_scans": "number",
"scripts": "array"
}Example
Request
curl "https://scanmalware.com/api/v1/jsfingerprint/server/nginx?limit=5"Response
{
"server_type": "nginx",
"total_scripts": 14804,
"unique_scans": 9872,
"scripts": [
{
"fingerprint_id": 12351,
"scan_id": "550e8400-e29b-41d4-a716-446655440006",
"script_url": "https://nginx-site.com/js/app.js",
"http_headers": {
"server": "nginx/1.21.0",
"content-type": "application/javascript"
},
"created_at": "2025-09-22T11:30:00.000Z"
}
]
}GET
/api/v1/jsfingerprint/obfuscatedObfuscation Search
Hunt for obfuscated JavaScript. Essential for malware detection. Supports score filtering, classification, and library exclusion.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
min_score | number | Optional | Minimum obfuscation score |
max_score | number | Optional | Maximum obfuscation score |
classification | string | Optional | Filter by classification |
exclude_libraries | boolean | Optional | Exclude known libraries |
min_code_length | integer | Optional | Minimum code size |
page | integer | Optional | Page number |
per_page | integer | Optional | Results per page |
Response
{
"total_matches": "number",
"filters_applied": "object",
"scripts": "array"
}Example
Request
curl "https://scanmalware.com/api/v1/jsfingerprint/obfuscated?min_score=0.7&per_page=5"Response
{
"total_matches": 1,
"filters_applied": {
"min_score": 0.7,
"exclude_libraries": false
},
"scripts": [
{
"fingerprint_id": 12352,
"scan_id": "550e8400-e29b-41d4-a716-446655440007",
"script_url": "https://suspicious.com/obfuscated.js",
"obfuscation_score": 0.87,
"obfuscation_classification": "packed",
"library_detected": null,
"created_at": "2025-09-23T13:45:00.000Z"
}
]
}GET
/api/v1/jsfingerprint/patternsPattern-Based Search
Advanced pattern detection for security research. Finds scripts without library detection, CDN mismatches, and high entropy content.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
has_eval | boolean | Optional | Contains eval() calls |
has_crypto | boolean | Optional | Contains crypto operations |
has_websocket | boolean | Optional | Contains WebSocket usage |
high_entropy | boolean | Optional | High string entropy (suspicious) |
no_library | boolean | Optional | No library detected |
cdn_mismatch | boolean | Optional | CDN URL but no library detected |
limit | integer | Optional | Max results |
Response
{
"total_matches": "number",
"patterns_detected": "object",
"scripts": "array"
}Example
Request
curl "https://scanmalware.com/api/v1/jsfingerprint/patterns?no_library=true&limit=5"Response
{
"total_matches": 3,
"patterns_detected": {
"no_library": true,
"cdn_mismatch": false,
"high_entropy": false
},
"scripts": [
{
"fingerprint_id": 12353,
"scan_id": "550e8400-e29b-41d4-a716-446655440008",
"script_url": "https://unknown-origin.com/script.js",
"library_detected": null,
"entropy": 7.2,
"obfuscation_score": 0.65,
"created_at": "2025-09-24T15:00:00.000Z"
}
]
}GET
/api/v1/jsfingerprints/search/bundler/{bundler}Search by Bundler Type (Detailed Results)
Search by bundler type (webpack, rollup, vite, parcel). Useful for build tool analysis.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
bundler | string | Required | Bundler type |
limit | integer | Optional | Results per page (1-100, default: 50) |
offset | integer | Optional | Results offset (default: 0) |
Response
{
"results": "array",
"total": "integer",
"search_type": "string"
}Example
Request
curl "https://scanmalware.com/api/v1/jsfingerprints/search/bundler/webpack"Response
{
"results": [...],
"total": 3456,
"search_type": "bundler"
}POST
/api/v1/jsfingerprint/similar-by-hashML Similarity Search
Find similar scripts by providing content hash (not fingerprint ID). Use Case: Public malware detection without requiring existing fingerprint Performance: 100-500ms (indexed vector search) ML Model: 192-dimensional composite vector (post-strip-ML cut-over) - AST Features (128 dims, weight 5.0x) - Abstract syntax tree analysis - Hand-crafted Features (64 dims, weight 3.0x) - Code complexity metrics
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
content_sha256 | string | Required | SHA-256 hash of target script |
threshold | number | Optional | Similarity threshold 0.0-1.0 (default: 0.8) |
limit | number | Optional | Maximum results (default: 10, max: 100) |
exclude_exact_matches | boolean | Optional | Exclude identical hashes (default: false) |
Response
{
"query_hash": "string",
"query_fingerprint_id": "number",
"threshold": "number",
"results_count": "number",
"similar_fingerprints": "array",
"similarity_interpretation": "object"
}Example
Request
curl -X POST "https://scanmalware.com/api/v1/jsfingerprint/similar-by-hash" \
-H "Content-Type: application/json" \
-d '{
"content_sha256": "817ab96b9d8ea9bfed8fe579563f06c1b3f84acf951b272cc7508e15a3e4cf10",
"threshold": 0.7,
"limit": 5
}'Response
{
"query_hash": "817ab96b9d8ea9bfed8fe579563f06c1b3f84acf951b272cc7508e15a3e4cf10",
"query_fingerprint_id": 12345,
"threshold": 0.7,
"results_count": 5,
"similar_fingerprints": [
{
"fingerprint_id": 12355,
"similarity": 0.94,
"scan_id": "550e8400-e29b-41d4-a716-446655440010",
"script_url": "https://variant.com/modified.js",
"content_sha256": "different_hash",
"library_detected": "custom",
"obfuscation_score": 0.45,
"created_at": "2025-09-26T17:30:00.000Z"
}
],
"similarity_interpretation": {
"0.95-1.0": "Near-identical code",
"0.85-0.95": "Strong similarity",
"0.7-0.85": "Moderate similarity",
"below_0.7": "Low similarity"
}
}GET
/api/v1/scans/{scan_id}/jsfingerprintsList JavaScript Fingerprints for Scan
Get all JavaScript fingerprints for a specific scan with comprehensive analysis data including hashes, metrics, library detection, bundle analysis, obfuscation detection, and more. Returns 91 fields of fingerprinting data across multiple categories.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
scan_id | string | Required | Scan UUID |
include_functions | boolean | Optional | Include full function list (default: false) |
include_http_headers | boolean | Optional | Include HTTP header data (default: true) |
include_vectors_info | boolean | Optional | Include ML vector availability (default: true) |
Response
{
"scan_id": "string",
"total_scripts": "integer",
"fingerprints_count": "integer",
"fingerprints": "array of fingerprint objects with hashes, metrics, ml_vectors, library_detection, copyright, functions, module_info, cdn_info, bundle_analysis, http_headers, obfuscation"
}Example
Request
curl "https://scanmalware.com/api/v1/scans/550e8400-e29b-41d4-a716-446655440000/jsfingerprints"Response
{
"scan_id": "550e8400-e29b-41d4-a716-446655440000",
"total_scripts": 5,
"fingerprints_count": 5,
"fingerprints": [
{
"id": 12345,
"scan_id": "550e8400-e29b-41d4-a716-446655440000",
"script_url": "https://example.com/app.js",
"hashes": {
"sha256": "817ab96b9d8ea9bfed8fe579563f06c1b3f84acf951b272cc7508e15a3e4cf10",
"normalized": "bd6ebc7a6b5a920a34ff16367d8dcf2ee0a83e625486f282d4ca76de03275fe7"
},
"metrics": {
"code_length": 45678,
"function_count": 234,
"complexity_score": 156
},
"library_detection": {
"detected": true,
"primary_library": "react",
"version": "18.2.0"
}
}
]
}GET
/api/v1/jsfingerprints/{fingerprint_id}Get Single JavaScript Fingerprint
Retrieve comprehensive analysis of a single JavaScript fingerprint by ID. Returns all 91 fields including 9 hash types, 12 code metrics, ML vector dimensions, library detection, copyright info, function analysis, module detection, CDN fingerprinting, bundle analysis, HTTP headers, and obfuscation metrics.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
fingerprint_id | integer | Required | Fingerprint ID |
include_functions | boolean | Optional | Include full function list (default: false) |
include_http_headers | boolean | Optional | Include HTTP header data (default: true) |
Response
{
"id": "integer",
"scan_id": "string",
"script_url": "string",
"hashes": "object with sha256, normalized, function_composite, fuzzy, string_set, call_graph, import_hash, export_hash, dependency",
"metrics": "object with code_length, function_count, complexity_score, ast metrics",
"ml_vectors": "object with availability flags and dimensions for AST (128), handcrafted (64), composite (192). Legacy semantic-model fields (CodeBERT/GraphCodeBERT, 768d each) appear only on historical fingerprints.",
"library_detection": "object with detected, primary_library, version, confidence",
"copyright": "object with licenses, authors, version_from_header",
"functions": "object with function analysis",
"module_info": "object with module pattern, detected_modules",
"cdn_info": "object with cdn_type, is_cdn, cache data",
"bundle_analysis": "object with is_bundled, bundler_type, bundle_format",
"http_headers": "object with server, content_encoding, cache_control, CDN headers, CORS",
"obfuscation": "object with score, metrics, is_obfuscated, complexity"
}Example
Request
curl "https://scanmalware.com/api/v1/jsfingerprints/12345"Response
{
"id": 12345,
"scan_id": "550e8400-e29b-41d4-a716-446655440000",
"script_url": "https://example.com/app.js",
"hashes": {
"sha256": "817ab96b...",
"normalized": "bd6ebc7a...",
"fuzzy": "96:aBcD..."
},
"ml_vectors": {
"available": true,
"composite_vector_available": true,
"dimensions": {
"ast_features": 128,
"handcrafted": 64,
"composite": 192
}
}
}GET
/api/v1/jsfingerprints/{fingerprint_id}/similarFind Similar JavaScript Using ML
Find JavaScript files structurally similar to the given fingerprint using vector similarity. Uses a 192-dimensional composite vector combining AST features and code complexity metrics. Perfect for malware variant detection and code reuse analysis.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
fingerprint_id | integer | Required | Fingerprint ID |
threshold | number | Optional | Minimum similarity score |
limit | integer | Optional | Maximum results |
offset | integer | Optional | Results offset for pagination |
exclude_same_scan | boolean | Optional | Exclude results from same scan |
Response
{
"query_fingerprint_id": "integer",
"query_script_url": "string",
"threshold": "float",
"results_count": "integer",
"similar_fingerprints": "array of objects with fingerprint_id, script_url, similarity, scan_id, library_detected, code_length, function_count"
}Example
Request
curl "https://scanmalware.com/api/v1/jsfingerprints/12345/similar?threshold=0.80&limit=20"Response
{
"query_fingerprint_id": 12345,
"threshold": 0.80,
"results_count": 15,
"similar_fingerprints": [
{
"fingerprint_id": 12355,
"similarity": 0.94,
"script_url": "https://variant.com/modified.js",
"scan_id": "550e8400-e29b-41d4-a716-446655440010",
"library_detected": "custom",
"code_length": 45890
}
]
}GET
/api/v1/jsfingerprints/search/sha256/{hash_value}Search by SHA-256 (Detailed Results)
Search JavaScript fingerprints by exact SHA-256 hash. Alternative endpoint to /jsfingerprint/search/sha256 with detailed fingerprint metadata.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
hash_value | string | Required | SHA-256 hash value |
limit | integer | Optional | Results per page (1-100, default: 50) |
offset | integer | Optional | Results offset (default: 0) |
Response
{
"results": "array of objects with scan_id, url, scanned_at, script_url, library_name, library_version, bundler_type, content_sha256",
"total": "integer",
"page": "integer",
"search_type": "string",
"search_value": "string"
}Example
Request
curl "https://scanmalware.com/api/v1/jsfingerprints/search/sha256/817ab96b9d8ea9bfed8fe579563f06c1b3f84acf951b272cc7508e15a3e4cf10"Response
{
"results": [
{
"scan_id": "550e8400-e29b-41d4-a716-446655440000",
"url": "https://example.com",
"scanned_at": "2025-11-23T10:30:00.000Z",
"script_url": "https://example.com/app.js",
"library_name": "react",
"library_version": "18.2.0"
}
],
"total": 42,
"search_type": "sha256"
}GET
/api/v1/jsfingerprints/search/normalized/{hash_value}Search by Normalized Hash (Detailed Results)
Search by normalized SHA-256 hash (whitespace-independent). Finds functionally identical code with different formatting.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
hash_value | string | Required | Normalized SHA-256 hash value |
limit | integer | Optional | Results per page (1-100, default: 50) |
offset | integer | Optional | Results offset (default: 0) |
Response
{
"results": "array",
"total": "integer",
"search_type": "string"
}Example
Request
curl "https://scanmalware.com/api/v1/jsfingerprints/search/normalized/bd6ebc7a6b5a920a34ff16367d8dcf2ee0a83e625486f282d4ca76de03275fe7"Response
{
"results": [...],
"total": 87,
"search_type": "normalized"
}GET
/api/v1/jsfingerprints/statistics/bundlesGet Bundle Statistics
Get comprehensive statistics about bundled JavaScript usage including bundling rate, bundler type breakdown (webpack, rollup, etc.), bundle format distribution, and average sizes.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
from_date | string | Optional | Start date (ISO 8601) |
to_date | string | Optional | End date (ISO 8601) |
Response
{
"total_fingerprints": "integer",
"bundled_count": "integer",
"bundled_percentage": "float",
"bundler_breakdown": "object mapping bundler type to count, percentage, average_size",
"format_breakdown": "object mapping bundle format to count, percentage"
}Example
Request
curl "https://scanmalware.com/api/v1/jsfingerprints/statistics/bundles"Response
{
"total_fingerprints": 10000,
"bundled_count": 7500,
"bundled_percentage": 75.0,
"bundler_breakdown": {
"webpack": {
"count": 5000,
"percentage": 66.7,
"average_size": 234567
}
}
}GET
/api/v1/jsfingerprints/statistics/librariesGet Library Statistics
Get comprehensive statistics about JavaScript library usage including detection rates, top libraries with version breakdowns, license information, and copyright statistics.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
from_date | string | Optional | Start date (ISO 8601) |
to_date | string | Optional | End date (ISO 8601) |
min_count | integer | Optional | Minimum occurrences to include (default: 5) |
Response
{
"total_fingerprints": "integer",
"detection_rate": "float",
"top_libraries": "array of objects with name, count, percentage, versions breakdown",
"copyright_statistics": "object",
"license_breakdown": "object"
}Example
Request
curl "https://scanmalware.com/api/v1/jsfingerprints/statistics/libraries?min_count=10"Response
{
"total_fingerprints": 10000,
"detection_rate": 65.5,
"top_libraries": [
{
"name": "jquery",
"count": 2500,
"percentage": 25.0,
"versions": {
"3.6.0": 1200,
"3.7.1": 800
}
}
]
}GET
/api/v1/jsfingerprints/hash-prevalence/{scan_id}Get Hash Prevalence for Scan
Get prevalence counts for all script hashes in a scan. Shows how many other scans contain matching content (exact SHA-256), normalized hash, and fuzzy hash availability. Helps identify commonly used libraries vs unique scripts.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
scan_id | string | Required | Scan ID |
Response
{
"scan_id": "string",
"fingerprint_count": "integer",
"prevalence": "array of objects with fingerprint_id, script_url, exact_matches, normalized_matches, has_fuzzy_hash, interpretation"
}Example
Request
curl "https://scanmalware.com/api/v1/jsfingerprints/hash-prevalence/550e8400-e29b-41d4-a716-446655440000"Response
{
"scan_id": "550e8400-e29b-41d4-a716-446655440000",
"fingerprint_count": 5,
"prevalence": [
{
"fingerprint_id": 123,
"script_url": "https://cdn.example.com/jquery.js",
"prevalence": {
"exact_matches": 2340,
"normalized_matches": 2345,
"interpretation": "very_common"
}
}
]
}GET
/api/v1/jsfingerprints/{fingerprint_id}/similarity-countsGet ML Similarity Counts by Algorithm
Get count of similar scripts for EACH ML algorithm separately. Returns similarity counts for: - CodeBERT (768-dim semantic code embedding) - GraphCodeBERT (768-dim graph-based embedding) - AST Features (128-dim structural metrics) - Handcrafted Features (64-dim complexity metrics) - Composite Vector (192-dim weighted combination of AST + handcrafted) Uses cosine similarity (1 - distance) where 1.0 = identical, 0.0 = opposite. **Performance Note**: Uses LIMIT-based counting for efficiency. Counts are capped at max_count. If count equals max_count, actual count may be higher (indicated by 'capped' flag). Composite vector search is optimized via HNSW index.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
fingerprint_id | integer | Required | Fingerprint ID |
threshold | number | Optional | Minimum similarity score |
max_count | integer | Optional | Max count to return (for performance) |
Response
{
"fingerprint_id": "integer",
"threshold": "float",
"similarity_counts": "object with counts for semantic_a, semantic_b, ast_features, handcrafted_features, composite"
}Example
Request
curl "https://scanmalware.com/api/v1/jsfingerprints/12345/similarity-counts?threshold=0.85"Response
{
"fingerprint_id": 12345,
"threshold": 0.85,
"similarity_counts": {
"ast_features": {"count": 45, "dimension": 128},
"handcrafted_features": {"count": 38, "dimension": 64},
"composite": {"count": 12, "dimension": 192}
}
}GET
/api/v1/js-fingerprinter2/search/similar/{scan_id}Search Similar Behavioral Fingerprints
Find scans with similar behavioral fingerprints using weighted component comparison. Enables malware variant detection, code reuse identification, and obfuscated code matching using Call Pattern (35%), Characteristics (25%), Signature (15%), API Sequence (15%), Timing (5%), and Sequence Graph (5%).
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
scan_id | string | Required | Scan ID to find similar fingerprints |
min_similarity | float | Optional | Minimum similarity threshold (0.0-1.0, default: 0.90) |
limit | integer | Optional | Maximum number of results (1-500, default: 50) |
include_self | boolean | Optional | Include the query scan in results (default: false) |
Response
{
"query_scan_id": "string",
"query_fingerprint": "object with behavioral fingerprint data",
"threshold": "float",
"matches_found": "integer",
"matches": "array of objects with scan_id, target_url, overall_risk, similarity, breakdown (component scores)",
"execution_time_ms": "integer"
}Example
Request
curl "https://scanmalware.com/api/v1/js-fingerprinter2/search/similar/550e8400-e29b-41d4-a716-446655440000?min_similarity=0.95&limit=20"Response
{
"query_scan_id": "550e8400-e29b-41d4-a716-446655440000",
"threshold": 0.95,
"matches_found": 8,
"matches": [
{
"scan_id": "650e8400-e29b-41d4-a716-446655440001",
"target_url": "https://similar.com",
"overall_risk": "high",
"similarity": 0.97,
"breakdown": {
"call_pattern": 0.98,
"characteristics": 0.96
}
}
],
"execution_time_ms": 156
}GET
/api/v1/js-fingerprinter2/search/composite-hash/{composite_hash}Search by Composite Hash
Find all scans with exact composite hash match. The composite hash is a SHA-256 hash of all behavioral data. Use for finding exact behavioral matches (same code, possibly obfuscated).
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
composite_hash | string | Required | SHA-256 composite hash from behavioral fingerprint |
limit | integer | Optional | Maximum number of results (1-1000, default: 100) |
Response
{
"composite_hash": "string",
"matches_found": "integer",
"matches": "array of objects with scan_id, target_url, overall_risk, created_at"
}Example
Request
curl "https://scanmalware.com/api/v1/js-fingerprinter2/search/composite-hash/abc123def456..."Response
{
"composite_hash": "abc123def456...",
"matches_found": 3,
"matches": [...]
}GET
/api/v1/js-fingerprinter2/search/stable-signature/{signature_hash}Search by Stable Behavioral Signature
Find all scans with matching stable behavioral signature. Stable signatures bucket API usage into categories (none/low/medium/high/very_high) and complexity into tiers, producing deterministic signatures that cluster similar behavior. Unlike composite hash (exact match), this groups scans with similar behavioral patterns even when exact call counts differ.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
signature_hash | string | Required | SHA-256 hash of the stable behavioral signature string |
limit | integer | Optional | Maximum number of results (1-1000, default: 100) |
Response
{
"stable_signature_hash": "string",
"stable_signature": "string (e.g. eval:yes|func_ctor:no|setTimeout:very_high|...)",
"matches_found": "integer",
"matches": "array of objects with scan_id, target_url, overall_risk, stable_signature, created_at"
}Example
Request
curl "https://scanmalware.com/api/v1/js-fingerprinter2/search/stable-signature/94be021cf5bf..."Response
{
"stable_signature_hash": "94be021cf5bf...",
"stable_signature": "eval:no|func_ctor:no|setTimeout:none|setInterval:none|fetch:none|dom:no|docwrite:no|complexity:small|timing:none",
"matches_found": 13,
"matches": [...]
}GET
/api/v1/js-fingerprinter2/search/behavior-vector/similar/{scan_id}Search by Behavior Vector Similarity
Find scans with similar behavior vectors using L1 (Manhattan) distance. The 32-byte behavior vector encodes API usage intensity, code complexity, risk flags, call patterns, timing, and sequence topology. Returns scans ranked by continuous similarity score (0-1), enabling nearest-neighbor behavioral search even when stable signatures differ.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
scan_id | string | Required | UUID of the scan to find similar scans for |
min_similarity | float | Optional | Minimum similarity threshold 0-1 (default: 0.7) |
limit | integer | Optional | Maximum number of results (1-200, default: 50) |
Response
{
"scan_id": "string",
"target_vector": "string (64-char hex)",
"min_similarity": "float",
"matches_found": "integer",
"matches": "array of objects with scan_id, target_url, overall_risk, stable_signature, similarity, created_at"
}Example
Request
curl "https://scanmalware.com/api/v1/js-fingerprinter2/search/behavior-vector/similar/4ddc4235-ef75-4f43-b97f-7ce96804270b?min_similarity=0.8&limit=10"Response
{
"scan_id": "4ddc4235-ef75-4f43-b97f-7ce96804270b",
"target_vector": "3a00ff7900005e00...",
"min_similarity": 0.8,
"matches_found": 5,
"matches": [
{"scan_id": "...", "similarity": 0.92, ...}
]
}GET
/api/v1/js-fingerprinter2/search/code-hash/{code_hash}Search by Code Hash
Find all scans containing scripts with exact code hash match. Allows finding identical scripts across different scans, even if served from different URLs. Useful for tracking script prevalence and identifying reused malicious code.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
code_hash | string | Required | SHA-256 hash of individual script code |
limit | integer | Optional | Maximum number of results (1-1000, default: 100) |
Response
{
"code_hash": "string",
"matches_found": "integer",
"matches": "array of objects with scan_id, target_url, script_url, overall_risk, risk_score, created_at"
}Example
Request
curl "https://scanmalware.com/api/v1/js-fingerprinter2/search/code-hash/def456ghi789..."Response
{
"code_hash": "def456ghi789...",
"matches_found": 15,
"matches": [...]
}GET
/api/v1/js-fingerprinter2/search/signature/{signature}Search by Behavior Signature
Find scans with matching behavior signature. Signature format: eval:X|Function:Y|api:count|complexity. Example: eval:15|Function:3|setTimeout:45|medium. Use for quick search of scans with similar API usage patterns.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
signature | string | Required | Human-readable behavior signature |
limit | integer | Optional | Maximum number of results (1-1000, default: 100) |
Response
{
"signature": "string",
"matches_found": "integer",
"matches": "array of objects with scan_id, target_url, overall_risk, signature, characteristics, created_at"
}Example
Request
curl "https://scanmalware.com/api/v1/js-fingerprinter2/search/signature/eval:10|Function:2|medium"Response
{
"signature": "eval:10|Function:2|medium",
"matches_found": 7,
"matches": [...]
}GET
/api/v1/js-fingerprinter2/search/malware-familiesDetect Malware Families
Detect malware families by clustering scans with similar behavioral fingerprints. Uses composite hash + signature matching to group related scans. Use cases: malware family detection, campaign tracking, threat actor attribution, supply chain compromise detection.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
min_cluster_size | integer | Optional | Minimum scans per family (2-100, default: 2) |
similarity_threshold | float | Optional | Similarity threshold for clustering (0.0-1.0, default: 0.95) |
limit | integer | Optional | Maximum number of families to return (1-500, default: 50) |
Response
{
"families_found": "integer",
"total_scans_clustered": "integer",
"families": "array of objects with cluster_id, representative_scan_id, member_count, avg_similarity, composite_hash, signature, members array"
}Example
Request
curl "https://scanmalware.com/api/v1/js-fingerprinter2/search/malware-families?min_cluster_size=3"Response
{
"families_found": 12,
"total_scans_clustered": 456,
"families": [...]
}GET
/api/v1/js-fingerprinter2/search/fingerprint-coverageGet Fingerprint Coverage Statistics
Get statistics on behavioral fingerprint coverage. Shows how many scans have fingerprints enabled vs disabled, unique composite hashes, and unique signatures over the past 30 days.
Response
{
"total_scans": "integer",
"with_fingerprints": "integer",
"coverage_percentage": "float",
"unique_composite_hashes": "integer",
"unique_signatures": "integer"
}Example
Request
curl "https://scanmalware.com/api/v1/js-fingerprinter2/search/fingerprint-coverage"Response
{
"total_scans": 5000,
"with_fingerprints": 4500,
"coverage_percentage": 90.0,
"unique_composite_hashes": 1234
}GET
/api/v1/js-fingerprinter2/search/healthJS-Fingerprinter2 Health Check
Health check for JS-Fingerprinter2 search API
Response
{
"status": "string",
"service": "string",
"version": "string"
}Example
Request
curl "https://scanmalware.com/api/v1/js-fingerprinter2/search/health"Response
{
"status": "healthy",
"service": "js-fingerprinter2-search-api",
"version": "1.0.0"
}GET
/api/v1/js-segments/scan/{scan_id}Get Code Segments by Scan ID
Get all code segments for a scan. Returns detailed information about all extracted functions, classes, and code blocks including segment type, function name, location, code snippet, hashes, risk score, library matches, and suspicious flags.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
scan_id | string | Required | Scan UUID |
script_url | string | Optional | Filter by specific script URL |
limit | integer | Optional | Maximum segments to return |
offset | integer | Optional | Pagination offset |
Response
{
"total_count": "integer",
"segments": "array of segment objects with type, function_name, location, code, hashes, risk_score, is_known_library",
"query_params": "object"
}Example
Request
curl "https://scanmalware.com/api/v1/js-segments/scan/550e8400-e29b-41d4-a716-446655440000?limit=50"Response
{
"total_count": 234,
"segments": [...],
"query_params": {"scan_id": "...", "limit": 50}
}GET
/api/v1/js-segments/search/hash/{code_hash}Search Segments by Code Hash
Find all segments with matching exact code hash (SHA-256). Useful for finding identical code segments across different scans.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
code_hash | string | Required | SHA-256 code hash |
limit | integer | Optional | Maximum segments (1-1000, default: 100) |
offset | integer | Optional | Pagination offset (default: 0) |
Response
{
"total_count": "integer",
"segments": "array of segment objects ordered by created_at DESC"
}Example
Request
curl "https://scanmalware.com/api/v1/js-segments/search/hash/abc123..."Response
{
"total_count": 15,
"segments": [...]
}GET
/api/v1/js-segments/search/normalized/{normalized_hash}Search Segments by Normalized Hash
Find all segments with matching normalized code hash. Normalized hashes remove whitespace and comments, enabling fuzzy matching of functionally identical code with different formatting.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
normalized_hash | string | Required | Normalized code hash (whitespace removed) |
limit | integer | Optional | Maximum segments (1-1000, default: 100) |
offset | integer | Optional | Pagination offset (default: 0) |
Response
{
"total_count": "integer",
"segments": "array of segment objects ordered by created_at DESC"
}Example
Request
curl "https://scanmalware.com/api/v1/js-segments/search/normalized/def456..."Response
{
"total_count": 8,
"segments": [...]
}GET
/api/v1/js-segments/search/tlsh/{tlsh_hash}Search Segments by TLSH Similarity
Find code segments similar to a given TLSH hash using fuzzy matching. TLSH (Trend Micro Locality Sensitive Hash) enables finding code variants even when minified, variable-renamed, or slightly modified. Useful for detecting malware variants and code reuse across different sites.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
tlsh_hash | string | Required | TLSH hash to search (must start with "T1", min 70 chars) |
max_distance | integer | Optional | Maximum TLSH distance (0=identical, <50=similar, <100=related, default: 50) |
limit | integer | Optional | Maximum results (1-500, default: 100) |
include_known_libraries | boolean | Optional | Include segments from known libraries (default: false) |
Response
{
"query_hash": "string - The TLSH hash that was searched",
"max_distance": "integer - The distance threshold used",
"total_candidates_scanned": "integer - Number of segments with TLSH hashes checked",
"matches_found": "integer - Number of similar segments found",
"matches": "array of similar segment objects with tlsh_distance and similarity_score",
"tlsh_available": "boolean - Whether TLSH library is available"
}Example
Request
curl "https://scanmalware.com/api/v1/js-segments/search/tlsh/T100D0A7CD7C917404351732BEC06B002B726A0F87144F0420E16804543E75638E727808?max_distance=50&limit=10"Response
{
"query_hash": "T100D0A7CD7C917404351732BEC06B002B726A0F87144F0420E16804543E75638E727808",
"max_distance": 50,
"total_candidates_scanned": 1161,
"matches_found": 1,
"matches": [
{
"segment_id": 312116,
"scan_id": "8105704a-ad40-4ee2-a466-8d9d4ebccd38",
"script_url": "https://ajax.googleapis.com/ajax/libs/jquery/3.6.3/jquery.min.js",
"function_name": "j",
"code_length": 215,
"code_snippet": "function j(e,n,r){return m(n)?E.grep(e,function...",
"tlsh_hash": "T100D0A7CD7C917404351732BEC06B002B726A0F87144F0420E16804543E75638E727808",
"tlsh_distance": 0,
"similarity_score": 1.0,
"risk_score": 25,
"is_known_library": false
}
],
"tlsh_available": true
}GET
/api/v1/js-segments/{scan_id}/unknownGet Unknown Code Segments
Identify segments not matching known libraries. Returns code segments that are not recognized as part of known JavaScript libraries. These are candidates for further malware analysis. Results ordered by risk score and code length.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
scan_id | string | Required | Scan UUID |
min_code_length | integer | Optional | Minimum code length to include (default: 50) |
limit | integer | Optional | Maximum segments (1-1000, default: 100) |
offset | integer | Optional | Pagination offset (default: 0) |
Response
{
"total_count": "integer",
"segments": "array of unknown segment objects ordered by risk_score DESC, code_length DESC"
}Example
Request
curl "https://scanmalware.com/api/v1/js-segments/550e8400-e29b-41d4-a716-446655440000/unknown?min_code_length=100"Response
{
"total_count": 42,
"segments": [...]
}GET
/api/v1/js-segments/{scan_id}/suspiciousGet Suspicious Code Segments
Get high-risk segments that are not known libraries. Returns segments with elevated risk scores (indicating potential malicious code like eval usage, base64 encoding, high entropy, etc.). Results ordered by risk score.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
scan_id | string | Required | Scan UUID |
min_risk_score | integer | Optional | Minimum risk score (0-100, default: 60) |
limit | integer | Optional | Maximum segments (1-1000, default: 100) |
offset | integer | Optional | Pagination offset (default: 0) |
Response
{
"total_count": "integer",
"segments": "array of suspicious segment objects ordered by risk_score DESC"
}Example
Request
curl "https://scanmalware.com/api/v1/js-segments/550e8400-e29b-41d4-a716-446655440000/suspicious?min_risk_score=70"Response
{
"total_count": 5,
"segments": [...]
}POST
/api/v1/js-segments/differentialPerform Differential Analysis
Compare bundle segments against known library database. Analyzes all segments in a scan and identifies: 1) Which segments match known libraries (jQuery, React, etc.), 2) Which segments are unknown (potential malware), 3) Which unknown segments have high risk scores (suspicious). Returns a breakdown of library composition and unknown code.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
scan_id | string | Required | Scan UUID (in request body) |
min_confidence | float | Optional | Minimum library match confidence (0.0-1.0, default: 0.8, in request body) |
include_known_libraries | boolean | Optional | Include known libraries in analysis (default: false, in request body) |
Response
{
"scan_id": "string",
"total_segments": "integer",
"matched_segments": "integer",
"unknown_segments": "integer",
"suspicious_segments": "integer",
"library_breakdown": "object mapping library name to segment count",
"unknown_segment_details": "array of unknown segments (max 50)",
"suspicious_segment_details": "array of suspicious segments (max 50)"
}Example
Request
curl -X POST "https://scanmalware.com/api/v1/js-segments/differential" \
-H "Content-Type: application/json" \
-d '{"scan_id": "550e8400-e29b-41d4-a716-446655440000", "min_confidence": 0.85}'Response
{
"scan_id": "550e8400-e29b-41d4-a716-446655440000",
"total_segments": 234,
"matched_segments": 180,
"unknown_segments": 54,
"suspicious_segments": 8,
"library_breakdown": {
"jquery": 45,
"react": 89
},
"unknown_segment_details": [...],
"suspicious_segment_details": [...]
}GET
/api/v1/pcap/{scan_id}Download Packet Capture
Download the decrypted packet capture file for a scan. Returns a gzip-compressed PCAP file containing all HTTP/HTTPS traffic captured during the scan with TLS decrypted.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
scan_id | string | Required | Scan UUID |
Response
{
"content": "Binary gzip-compressed PCAP file",
"headers": "Content-Disposition with filename, X-Scan-Id, X-PCAP-Type"
}Example
Request
curl "https://scanmalware.com/api/v1/pcap/550e8400-e29b-41d4-a716-446655440000" -o scan.pcap.gzResponse
# Binary PCAP file downloaded
# Decompress with: gunzip scan.pcap.gz
# Analyze with: tcpdump -r scan.pcap or wireshark scan.pcapGET
/api/v1/pcap/{scan_id}/metadataGet Packet Capture Metadata
Get metadata about a packet capture file without downloading it. Useful for checking availability and file size before downloading.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
scan_id | string | Required | Scan UUID |
Response
{
"scan_id": "string",
"url": "string - The scanned URL",
"status": "string - \"completed\" when available",
"storage_path": "string - Storage path",
"file_size_bytes": "integer - Compressed file size",
"compressed": "boolean - Always true (gzip)",
"available": "boolean - Whether PCAP is available for download"
}Example
Request
curl "https://scanmalware.com/api/v1/pcap/550e8400-e29b-41d4-a716-446655440000/metadata"Response
{
"scan_id": "550e8400-e29b-41d4-a716-446655440000",
"url": "https://example.com",
"status": "completed",
"storage_path": "55/0e/550e8400-e29b-41d4-a716-446655440000.pcap.gz",
"file_size_bytes": 245892,
"compressed": true,
"available": true
}GET
/api/v1/ids/alerts/{scan_id}Get IDS Alerts
Get network intrusion detection alerts for a scan. Returns Suricata IDS alerts triggered during the scan, including signature matches, severity levels, and network flow information.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
scan_id | string | Required | Scan UUID |
Response
{
"scan_id": "string",
"alert_count": "integer - Total number of alerts",
"alerts": "array of alert objects with severity, signature, category, protocol, IPs, ports"
}Example
Request
curl "https://scanmalware.com/api/v1/ids/alerts/550e8400-e29b-41d4-a716-446655440000"Response
{
"scan_id": "550e8400-e29b-41d4-a716-446655440000",
"alert_count": 3,
"alerts": [
{
"severity": 1,
"signature_name": "ET MALWARE Possible Malicious Script Download",
"category": "A Network Trojan was detected",
"protocol": "TCP",
"src_ip": "192.168.1.1",
"src_port": 52431,
"dest_ip": "93.184.216.34",
"dest_port": 443,
"timestamp": "2025-12-02T10:30:00Z"
}
]
}GET
/api/v1/yara/statsYARA Malware Detection Statistics
Get overall YARA malware detection statistics including total detections, severity distribution, top threats, and detection trends. YARA scanner uses 3633 community rules from 15 repositories.
Response
{
"overall": {
"total_matches": "integer",
"scans_with_matches": "integer",
"unique_patterns": "integer",
"unique_threats": "integer",
"avg_confidence": "number"
},
"recent_24h": {
"matches_24h": "integer",
"scans_24h": "integer",
"patterns_24h": "integer"
},
"severity_distribution": "array",
"category_distribution": "array",
"top_threats": "array",
"timestamp": "string"
}Example
Request
curl "https://scanmalware.com/api/v1/yara/stats"Response
{
"overall": {
"total_matches": 1543,
"scans_with_matches": 892,
"unique_patterns": 287,
"unique_threats": 145,
"avg_confidence": 0.87
},
"recent_24h": {
"matches_24h": 45,
"scans_24h": 28,
"patterns_24h": 12
},
"severity_distribution": [
{"severity": "critical", "count": 156},
{"severity": "high", "count": 432},
{"severity": "medium", "count": 687},
{"severity": "low", "count": 268}
],
"category_distribution": [
{"pattern_category": "cryptominer", "count": 234, "scan_count": 156},
{"pattern_category": "webskimmer", "count": 198, "scan_count": 132}
],
"top_threats": [
{
"pattern_name": "CoinHive Miner",
"severity": "high",
"category": "cryptominer",
"detection_count": 89,
"scan_count": 67,
"last_detected": "2025-01-07T14:23:00Z"
}
],
"timestamp": "2025-01-07T15:30:00.000Z"
}GET
/api/v1/yara/threats/recentRecent YARA Threat Detections
Get recently detected YARA threats across all scans, sorted by detection time. Useful for real-time threat monitoring and security intelligence.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
hours | integer | Optional | Hours to look back (1-168, default: 24) |
limit | integer | Optional | Maximum results (1-1000, default: 100) |
Response
{
"threats": "array of threat objects",
"count": "integer",
"hours": "integer",
"timestamp": "string"
}Example
Request
curl "https://scanmalware.com/api/v1/yara/threats/recent?hours=48&limit=50"Response
{
"threats": [
{
"scan_id": "550e8400-e29b-41d4-a716-446655440000",
"url": "https://example.com",
"rule_name": "webskimmer_magecart",
"pattern_name": "Magecart Payment Skimmer",
"category": "webskimmer",
"severity": "critical",
"threat_names": ["Magecart", "FormGrabber"],
"confidence": 0.95,
"detected_at": "2025-01-07T14:23:00Z"
}
],
"count": 23,
"hours": 48,
"timestamp": "2025-01-07T15:30:00.000Z"
}GET
/api/v1/yara/scan/{scan_id}YARA Matches for Scan
Get all YARA malware pattern matches for a specific scan. Returns matched rules with severity, threat names, CVE IDs, MITRE techniques, and matched strings.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
scan_id | string | Required | Scan UUID |
Response
{
"scan_id": "string",
"matches": "array of match objects",
"summary": {
"total_matches": "integer",
"critical": "integer",
"high": "integer",
"medium": "integer",
"low": "integer",
"categories": "object"
},
"timestamp": "string"
}Example
Request
curl "https://scanmalware.com/api/v1/yara/scan/550e8400-e29b-41d4-a716-446655440000"Response
{
"scan_id": "550e8400-e29b-41d4-a716-446655440000",
"matches": [
{
"match_id": 12345,
"rule_name": "cryptominer_coinhive",
"pattern_name": "CoinHive Cryptominer",
"category": "cryptominer",
"severity": "high",
"confidence": 1.0,
"description": "Detects CoinHive cryptocurrency mining code",
"threat_names": ["CoinHive", "Cryptominer"],
"cve_ids": [],
"mitre_techniques": ["T1496"],
"intel_references": ["https://..."],
"matched_strings": ["CoinHive.Anonymous", "cryptonight"],
"match_count": 3,
"tags": ["cryptominer", "browser-mining"],
"detected_at": "2025-01-07T14:23:00Z"
}
],
"summary": {
"total_matches": 2,
"critical": 0,
"high": 1,
"medium": 1,
"low": 0,
"categories": {
"cryptominer": 1,
"webskimmer": 1
}
},
"timestamp": "2025-01-07T15:30:00.000Z"
}GET
/api/v1/yara/{scan_id}YARA Matches (Legacy Endpoint)
Legacy alias for /api/v1/yara/scan/{scan_id}. Returns the same YARA malware pattern matches. Use the /scan/{scan_id} endpoint instead.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
scan_id | string | Required | Scan UUID |
Response
{
"scan_id": "string",
"matches": "array of match objects",
"summary": "object with counts by severity",
"timestamp": "string"
}Example
Request
curl "https://scanmalware.com/api/v1/yara/550e8400-e29b-41d4-a716-446655440000"Response
{
"scan_id": "550e8400-e29b-41d4-a716-446655440000",
"matches": [...],
"summary": {...},
"timestamp": "2025-01-07T15:30:00.000Z"
}GET
/api/v1/registrar/search/{registrar_name}Search Scans by Registrar
Find all scans from domains registered with a specific registrar. Uses fuzzy ILIKE matching for flexible searches. Results include domain, registrar, and scan metadata.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
registrar_name | string | Required | Registrar name (partial match supported) |
page | integer | Optional | Page number (default: 1) |
limit | integer | Optional | Results per page (1-100, default: 20) |
Response
{
"registrar_query": "string",
"total": "integer",
"page": "integer",
"limit": "integer",
"results": "array of scan objects",
"pagination": {
"total": "integer",
"page": "integer",
"limit": "integer",
"total_pages": "integer",
"has_next": "boolean",
"has_prev": "boolean"
}
}Example
Request
curl "https://scanmalware.com/api/v1/registrar/search/GoDaddy?page=1&limit=20"Response
{
"registrar_query": "GoDaddy",
"total": 234,
"page": 1,
"limit": 20,
"results": [
{
"scan_id": "550e8400-e29b-41d4-a716-446655440000",
"url": "https://example.com",
"domain": "example.com",
"title": "Example Domain",
"status": "completed",
"asn": "AS13335",
"submitted_at": "2025-01-07T14:23:00Z",
"screenshot_thumbnail": "https://..."
}
],
"pagination": {
"total": 234,
"page": 1,
"limit": 20,
"total_pages": 12,
"has_next": true,
"has_prev": false
}
}GET
/api/v1/tracking-keys/stats/topTop Tracking Keys Statistics
Get the most commonly used tracking keys by usage count. Includes Google Analytics, Facebook Pixel, and other privacy trackers. Optional filtering by tracker type.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
tracker_type | string | Optional | Filter by tracker type (e.g., "google_analytics", "facebook_pixel") |
limit | integer | Optional | Number of results (1-100, default: 20) |
Response
{
"tracker_type_filter": "string or null",
"limit": "integer",
"total_results": "integer",
"results": "array of tracking key objects with usage statistics"
}Example
Request
curl "https://scanmalware.com/api/v1/tracking-keys/stats/top?tracker_type=google_analytics&limit=10"Response
{
"tracker_type_filter": "google_analytics",
"limit": 10,
"total_results": 10,
"results": [
{
"tracker_type": "google_analytics",
"tracking_key": "UA-12345678-1",
"tracker_name": "Google Analytics (UA)",
"category": "analytics",
"site_count": 1234,
"first_seen": "2023-05-12T08:30:00Z",
"last_seen": "2025-01-07T14:23:00Z"
}
]
}GET
/api/v1/tracking-keys/by-scan/{scan_id}Tracking Keys for Scan
Get all tracking keys detected in a specific scan with usage statistics. Groups results by category and risk level.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
scan_id | string | Required | Scan UUID |
Response
{
"scan_id": "string",
"total_keys": "integer",
"total_unique_trackers": "integer",
"tracking_keys": "array of tracking key objects",
"by_category": "object with counts per category",
"has_high_risk": "boolean",
"has_medium_risk": "boolean"
}Example
Request
curl "https://scanmalware.com/api/v1/tracking-keys/by-scan/550e8400-e29b-41d4-a716-446655440000"Response
{
"scan_id": "550e8400-e29b-41d4-a716-446655440000",
"total_keys": 5,
"total_unique_trackers": 3,
"tracking_keys": [
{
"tracker_type": "google_analytics",
"tracker_name": "Google Analytics (UA)",
"tracking_key": "UA-12345678-1",
"category": "analytics",
"risk_level": "medium",
"detected_url": "https://www.google-analytics.com/analytics.js",
"site_count": 1234,
"first_seen": "2023-05-12T08:30:00Z",
"last_seen": "2025-01-07T14:23:00Z"
}
],
"by_category": {
"analytics": 2,
"advertising": 2,
"social": 1
},
"has_high_risk": false,
"has_medium_risk": true
}GET
/api/v1/tracking-keys/{tracker_type}/{key}Search Scans by Tracking Key
Find all public scans using a specific tracking key. Useful for tracking the spread of specific analytics IDs, pixels, or other identifiers across websites.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
tracker_type | string | Required | Tracker type (e.g., "google_analytics", "facebook_pixel") |
key | string | Required | The tracking key/ID to search for |
page | integer | Optional | Page number (default: 1) |
limit | integer | Optional | Results per page (1-100, default: 20) |
sort | string | Optional | Sort order: "latest" or "oldest" (default: "latest") |
Response
{
"tracker_type": "string",
"tracker_key": "string",
"metadata": "object with tracker info",
"results": "array of scan objects",
"pagination": "object with pagination info"
}Example
Request
curl "https://scanmalware.com/api/v1/tracking-keys/google_analytics/UA-12345678-1?page=1&limit=20"Response
{
"tracker_type": "google_analytics",
"tracker_key": "UA-12345678-1",
"metadata": {
"tracker_name": "Google Analytics (UA)",
"category": "analytics",
"risk_level": "medium",
"site_count": 1234,
"first_seen": "2023-05-12T08:30:00Z",
"last_seen": "2025-01-07T14:23:00Z"
},
"results": [
{
"scan_id": "550e8400-e29b-41d4-a716-446655440000",
"url": "https://example.com",
"final_url": "https://example.com/",
"title": "Example Site",
"submitted_at": "2025-01-07T14:23:00Z",
"detected_url": "https://www.google-analytics.com/analytics.js"
}
],
"pagination": {
"page": 1,
"limit": 20,
"total_items": 1234,
"total_pages": 62,
"has_next": true,
"has_prev": false
}
}GET
/api/v1/netlog/{scan_id}Chrome Network Debug Log
Download Chrome net-log for detailed network-level debugging. Provides raw Chrome network log JSON with DNS lookups, socket connections, HTTP transactions, SSL handshakes, and more.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
scan_id | string | Required | Scan UUID |
Response
{
"content": "Raw JSON network log (application/json)",
"headers": {
"Content-Disposition": "attachment; filename=netlog_{scan_id}.json"
}
}Example
Request
curl "https://scanmalware.com/api/v1/netlog/550e8400-e29b-41d4-a716-446655440000" -o netlog.jsonResponse
{
"constants": {
"logFormatVersion": 1,
"clientInfo": {
"numericVersion": "12800256",
"command_line": "..."
}
},
"events": [
{
"params": {
"source_dependency": {"id": 123, "type": "URL_REQUEST"}
},
"phase": 0,
"source": {"id": 456, "type": "HTTP_STREAM_JOB"},
"time": "123456789",
"type": "HTTP_TRANSACTION_SEND_REQUEST"
}
]
}GET
/api/v1/ns/{nameserver}Nameserver Domain Lookup
Search for all domains using a specific nameserver. Combines two data sources for maximum coverage: a primary zone-file dataset and a supplementary dataset of scanned domains with RDAP/WHOIS/DNS data. If the primary source returns fewer than 10 domains, the supplementary source is queried and unique domains are merged in. Args: nameserver: Nameserver to search for (e.g., "ns1.example.com") limit: Maximum results to return (default: 20, max: 1000) offset: Pagination offset (default: 0) index: Dataset to query ("latest", "ns_lookup", "zones", or specific dataset name) Returns: JSON with domains, metadata, and query stats. When supplementary data is merged, extra fields indicate how many domains were added. Raises: HTTPException: If both data sources fail
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
nameserver | string | Required | |
limit | integer | Optional | |
offset | integer | Optional | |
index | string | Optional |
Response
{
"nameserver": "string",
"total": "integer",
"domains": "array of domain strings",
"limit": "integer",
"offset": "integer"
}Example
Request
curl "https://scanmalware.com/api/v1/ns/ns1.cloudflare.com?limit=50"Response
{
"nameserver": "ns1.cloudflare.com",
"total": 15234,
"domains": [
"example.com",
"example.org",
"example.net"
],
"limit": 50,
"offset": 0
}GET
/api/v1/Root
API root endpoint
Example
Request
curl "https://scanmalware.com/api/v1/"Response
{
"name": "ScanMalware API",
"version": "1.0.0",
"status": "online",
"endpoints": {
"scan": "/api/v1/scan",
"bulk_scan": "/api/v1/scan/bulk",
"result": "/api/v1/result/{scan_id}",
"summary": "/api/v1/scan/{scan_id}/summary",
"recent": "/api/v1/recent",
"search": "/api/v1/search",
"batch_status": "/api/v1/scan/batch/{batch_id}",
"status_batch": "/api/v1/scan/status/batch",
"domain_scans": "/api/v1/domains/{domain}/scans",
"stats": "/api/v1/stats",
"screenshot": "/api/v1/screenshot/{scan_id}",
"screenshot_search": "/api/v1/screenshot/search",
"screenshot_duplicates": "/api/v1/screenshot/duplicates",
"screenshot_stats": "/api/v1/screenshot/stats",
"favicon_search": "/api/v1/favicon/search/{mmh3_hash}",
"favicon_stats": "/api/v1/favicon/stats",
"health": "/api/v1/health"
},
"features": [
"Single URL scanning",
"Bulk/batch scanning",
"HTTP transaction analysis",
"Redirect chain detection",
"Security verdict scoring",
"SSL/TLS certificate analysis",
"Tracker detection & analytics",
"Technology fingerprinting",
"Domain-based scan history",
"Comprehensive screenshot hashing (6 algorithms)",
"Reverse image search & similarity detection",
"Duplicate screenshot detection",
"Favicon MMH3 hashing & search",
"Website clustering by favicon",
"Webhook notifications (planned)"
]
}GET
/api/v1/modules/pingHealth Check
Basic health check endpoint - No authentication required Returns simple status for uptime monitoring
Example
Request
curl "https://scanmalware.com/api/v1/modules/ping"Response
{
"status": "ok",
"service": "module_monitoring",
"timestamp": "2026-05-05T11:10:31.456131+00:00"
}GET
/api/v1/rssGet Rss Feed
RSS feed of latest public scans (cached for 60 seconds)
Example
Request
curl "https://scanmalware.com/api/v1/rss"Response
<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:ns0="http://www.w3.org/2005/Atom" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title>ScanMalware.com - Latest Scans</title><link>https://scanmalware.com</link><description>Latest public URL security scans from ScanMalware.com</description><language>en-us</language><ns0:link href="https://scanmalware.com/api/v1/rss" rel="self" type="application/rss+xml" /><item><title>🟢 https://perso.pbandai-glb.com</title><link>https://scanmalware.com/result/1999d08c-d374-4ecc-98d0-da2db2c22a96</link><guid isPermaLink="true">https://scanmalw
... [truncated]GET
/api/v1/og/{scan_id}Get Og Metadata
Get Open Graph metadata for a scan (lightweight endpoint for link previews)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
scan_id | string | Required |
Example
Request
curl "https://scanmalware.com/api/v1/og/123e4567-e89b-12d3-a456-426614174000"Response
{
"og:title": "Security Scan: Home - Higley Unified School District 60",
"og:description": "\u2705 Low Risk - https://husd.org",
"og:url": "https://scanmalware.com/result/123e4567-e89b-12d3-a456-426614174000",
"og:type": "website",
"og:site_name": "ScanMalware.com",
"og:image": "https://scanmalware.com/api/v1/screenshot/123e4567-e89b-12d3-a456-426614174000.png",
"og:image:width": "1920",
"og:image:height": "993",
"og:image:alt": "Screenshot of https://husd.org",
"twitter:card": "summary_large_image",
"twitter:title": "Security Scan: Home - Higley Unified School District 60",
"twitter:description": "\u2705 Low Risk - https://husd.org",
"twitter:image": "https://scanmalware.com/api/v1/screenshot/123e4567-e89b-12d3-a456-426614174000.png",
"scan_type": "public"
}GET
/api/v1/result/{scan_id}/progressGet Scan Progress Endpoint
Get current scan progress for frontend progress bar
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
scan_id | string | Required |
Example
Request
curl "https://scanmalware.com/api/v1/result/123e4567-e89b-12d3-a456-426614174000/progress"Response
{
"current_step": 8,
"total_steps": 8,
"step_name": "Completed",
"percentage": 100,
"status": "completed"
}GET
/api/v1/reports/{scan_id}/countsGet Scan Report Counts
Get vote counts for a specific scan (public endpoint, cached for 60 seconds)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
scan_id | string | Required | Scan ID |
Example
Request
curl "https://scanmalware.com/api/v1/reports/123e4567-e89b-12d3-a456-426614174000/counts"Response
{
"scan_id": "123e4567-e89b-12d3-a456-426614174000",
"thumbs_up": 0,
"thumbs_down": 0,
"total": 0
}POST
/api/v1/reportSubmit User Report
Submit a report about a scanned URL Rate Limits: - Maximum {REPORT_RATE_LIMIT_PER_IP} reports per IP per hour - Maximum {REPORT_RATE_LIMIT_PER_SCAN} reports per scan Report types: - positive_feedback: Positive feedback (helpful/accurate scan) - phishing: Phishing website - spam: Spam or unwanted content - counterfeit: Selling counterfeit goods - scam: Scam website - broken_scan: Scan failed or incomplete - malware: Contains malware - illegal_content: Illegal content - copyright: Copyright violation - technical_issue: Technical issue with scan - other: Other issue (provide details)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
scan_id | string | Required | Scan ID to report |
report_type | string | Required | |
report_details | string | Optional | Additional details, especially for 'other' category |
captcha_answer | string | Optional | Captcha answer |
captcha_token | string | Optional | Captcha token |
skip_captcha | string | Optional | Skip captcha for positive feedback |
Response
{
"status": "string",
"report_id": "integer",
"scan_id": "string"
}Example
Request
curl -X POST "https://scanmalware.com/api/v1/report" \
-H "Content-Type: application/json" \
-d '{"scan_id": "123e4567-e89b-12d3-a456-426614174000", "report_type": "phishing", "description": "Spoofed login page targeting Microsoft accounts"}'Response
{
"status": "ok",
"report_id": 4827,
"scan_id": "123e4567-e89b-12d3-a456-426614174000"
}GET
/api/v1/scan-statisticsGet Scan Statistics
Get pre-computed scan statistics from materialized view. Performance: 18-31x faster than individual COUNT(*) queries - Old: 14-22ms per COUNT(*) query - New: 0.7-0.8ms for all statistics Returns comprehensive scan statistics including: - Total scans and breakdown by status - Scans by type (public/private/api) - Time-based counts (24h, 7d, 30d) - Last updated timestamp
Example
Request
curl "https://scanmalware.com/api/v1/scan-statistics"Response
{
"total_scans": 331968,
"completed_scans": 302491,
"pending_scans": 0,
"processing_scans": 1,
"failed_scans": 2865,
"public_scans": 331703,
"private_scans": 35,
"api_scans": 0,
"scans_last_24h": 1494,
"scans_last_7d": 10733,
"scans_last_30d": 44830,
"last_updated": "2026-03-26T10:15:02.024833+00:00",
"completion_rate": 91.12,
"failure_rate": 0.86,
"data_age_seconds": 3459322,
"data_age_minutes": 57655.4
}GET
/api/v1/scan-statistics/quickGet Quick Stats
Get ultra-fast overview statistics. Performance: Sub-millisecond response time Returns only the most essential counts for dashboard overview.
Example
Request
curl "https://scanmalware.com/api/v1/scan-statistics/quick"Response
{
"total_scans": 331968,
"completed_scans": 302491,
"scans_last_24h": 1494,
"last_updated": "2026-03-26T10:15:02.024833+00:00"
}GET
/api/v1/scan-statistics/dashboardGet Dashboard Stats
Get comprehensive statistics optimized for dashboard display. Performance: 0.7-0.8ms (vs 50+ ms for multiple COUNT(*) queries) Returns all statistics in a dashboard-friendly format with computed percentages, rates, and time-based breakdowns.
Example
Request
curl "https://scanmalware.com/api/v1/scan-statistics/dashboard"Response
{
"overview": {
"total_scans": 331968,
"completed_scans": 302491,
"completion_rate_pct": 91.12,
"last_updated": "2026-03-26T10:15:02.024833+00:00"
},
"by_status": {
"completed": 302491,
"pending": 0,
"processing": 1,
"failed": 2865
},
"by_type": {
"public": 331703,
"private": 35,
"api": 0
},
"time_periods": {
"last_24h": 1494,
"last_7d": 10733,
"last_30d": 44830,
"older_than_30d": 287138
},
"rates": {
"avg_per_day_last_7d": 1533.3,
"avg_per_day_last_30d": 1494.3,
"failure_rate_pct": 0.86
},
"metadata": {
"data_updated_at": "2026-03-26T10:15:02.024833+00:00",
"refresh_interval": "hourly (at :15)"
}
}GET
/api/v1/scan-statistics/by-statusGet Stats By Status
Get scan counts grouped by status. Returns breakdown of scans by their current status (completed, pending, processing, failed).
Example
Request
curl "https://scanmalware.com/api/v1/scan-statistics/by-status"Response
{
"completed_scans": 302491,
"pending_scans": 0,
"processing_scans": 1,
"failed_scans": 2865,
"total_scans": 331968,
"completed_pct": 91.12,
"pending_pct": 0.0,
"processing_pct": 0.0,
"failed_pct": 0.86
}GET
/api/v1/scan-statistics/by-typeGet Stats By Type
Get scan counts grouped by type. Returns breakdown of scans by type (public, private, api).
Example
Request
curl "https://scanmalware.com/api/v1/scan-statistics/by-type"Response
{
"public_scans": 331703,
"private_scans": 35,
"api_scans": 0,
"total_scans": 331968,
"public_pct": 99.92,
"private_pct": 0.01,
"api_pct": 0.0
}GET
/api/v1/scan-statistics/time-periodsGet Stats By Time
Get scan counts by time period. Returns counts for different time windows (24 hours, 7 days, 30 days) and total.
Example
Request
curl "https://scanmalware.com/api/v1/scan-statistics/time-periods"Response
{
"scans_last_24h": 1494,
"scans_last_7d": 10733,
"scans_last_30d": 44830,
"total_scans": 331968,
"scans_last_7d_excl_24h": 9239,
"scans_last_30d_excl_7d": 34097,
"scans_older_than_30d": 287138,
"avg_per_day_last_24h": 1494,
"avg_per_day_last_7d": 1533.3,
"avg_per_day_last_30d": 1494.3
}GET
/api/v1/stats/capabilities/latestGet Latest Capabilities
Get latest detection capabilities report from JSONL file
Example
Request
curl "https://scanmalware.com/api/v1/stats/capabilities/latest"Response
{
"date": "2026-05-05",
"generated_at": "2026-05-05T05:00:07.702066Z",
"detection_capabilities": {
"ioc_indicators": 3013559,
"malware_detection_rules": 82126,
"clamav_signatures": 3642553,
"total": 6738238
},
"breakdown": {
"ioc_indicators": {
"maltrail_ips": 41744,
"maltrail_domains": 1562567,
"threatfox": 154168,
"malware_report": 4488,
"misp": 1250592
},
"malware_detection_rules": {
"yara_rules": 32078,
"yara_repositories": 12,
"suricata_ids_rules": 50032,
"db_malware_patterns": 16
},
"clamav_signatures": {
"total": 3642553,
"version": "27991"
}
}
}GET
/api/v1/stats/capabilities/by-dateGet Capabilities By Date
Get detection capabilities for a specific date, or nearest date if no exact match
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
scan_date | string | Required | Scan date in YYYY-MM-DD format |
Example
Request
curl "https://scanmalware.com/api/v1/stats/capabilities/by-date?scan_date=2026-05-01"Response
{
"date": "2026-05-01",
"generated_at": "2026-05-01T05:00:07.439885Z",
"detection_capabilities": {
"ioc_indicators": 2999404,
"malware_detection_rules": 82027,
"clamav_signatures": 3642543,
"total": 6723974
},
"breakdown": {
"ioc_indicators": {
"maltrail_ips": 40623,
"maltrail_domains": 1560575,
"threatfox": 152727,
"malware_report": 4488,
"misp": 1240991
},
"malware_detection_rules": {
"yara_rules": 32078,
"yara_repositories": 12,
"suricata_ids_rules": 49933,
"db_malware_patterns": 16
},
"clamav_signatures": {
"total": 3642543,
"version": "27987"
}
},
"matched": "exact"
}GET
/api/v1/search/smqlSmql Search
Search scans using the ScanMalware Query Language (SMQL). Syntax examples: - Simple text: `paypal login` - Filters: `domain:paypal.com`, `country:RU`, `technology:WordPress` - Boolean: `technology:WordPress AND country:RU` - Negation: `-domain:google.com` or `NOT domain:google.com` - Grouping: `(technology:WordPress OR technology:Joomla) AND country:CN` - Ranges: `js_risk_score:60..100`, `submitted:last7d` - Existence: `has:malware`, `has:pastejacking`
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
q | string | Required | SMQL query string |
page | integer | Optional | Page number |
limit | integer | Optional | Results per page |
sort | string | Optional | Sort order: newest, oldest, url, load_time, ip_count |
Example
Request
curl "https://scanmalware.com/api/v1/search/smql?q=domain%3Apaypal.com&limit=3"Response
{
"query": "domain:paypal.com",
"results": [
{
"scan_id": "d5f86fff-dc37-4561-89db-bab413dc7f88",
"url": "https://www.paypal.com/ncp/payment/VZ3GQBXNTS4MW",
"final_url": "https://www.paypal.com/ncp/payment/VZ3GQBXNTS4MW",
"title": "PayPal",
"status": "completed",
"submitted_at": "2026-04-27T17:01:48.541854",
"completed_at": "2026-04-27T17:03:01.588138",
"screenshot_url": "/api/v1/screenshot/d5f86fff-dc37-4561-89db-bab413dc7f88.png",
"primary_asn": null,
"asn_names": [
"Google LLC",
"Cloudflare, Inc.",
"Fastly, Inc."
],
"countries": [
"US",
"DE"
],
"ip_count": 5,
"load_time": 4.335993051528931
},
{
"scan_id": "25ddef90-e2c5-47df-bae4-2c06e40fbbc2",
"url": "https://paylalo.sviluppo.host/ge/DUVzTTavlOw/?redirection=login",
"final_url": "https://www.paypal.com/de/home",
"title": "PayPal Konto | Digitale Mobile Wallet | PayPal DE",
"status": "completed",
"submitted_at": "2026-04-26T15:27:21.335598",
"completed_at": "2026-04-26T15:28:18.536785",
"screenshot_url": "/api/v1/screenshot/25ddef90-e2c5-47df-bae4-2c06e40fbbc2.png",
"primary_asn": null,
"asn_names": [
"Google LLC",
"Host SpA",
"Cloudflare, Inc."
],
"countries": [
"IT",
"US"
],
"ip_count": 12,
"load_time": 4.966224670410156
},
// ... truncated ...
}GET
/api/v1/search/smql/filtersSmql Filters
Return all available SMQL filters grouped by category.
Example
Request
curl "https://scanmalware.com/api/v1/search/smql/filters"Response
{"filters":{"Core":[{"name":"url","type":"text","description":"URL (fuzzy match with trigram similarity)","store":"pg","examples":["paypal.com","*.bank.com","http://example.com"],"supports_comparison":false,"supports_wildcard":true,"supports_range":false,"enum_values":null},{"name":"domain","type":"text","description":"Extracted domain name","store":"pg","examples":["paypal.com","example.org"],"supports_comparison":false,"supports_wildcard":true,"supports_range":false,"enum_values":null},{"name":"title","type":"text","description":"Page title (substring match)","store":"pg","examples":["login"
... [truncated]GET
/api/v1/search/smql/statsSmql Stats
Return estimated total public scan count (from pg_class, essentially free).
Example
Request
curl "https://scanmalware.com/api/v1/search/smql/stats"Response
{
"total_scans": 387647
}GET
/api/v1/search/ip/{ip_address}/statsGet Ip Stats
Get detailed statistics and enrichment data for an IP address
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
ip_address | string | Required | IP address to get statistics for |
page | integer | Optional | Page number |
limit | integer | Optional | Items per page |
Example
Request
curl "https://scanmalware.com/api/v1/search/ip/93.184.216.34/stats"Response
{
"ip_address": "93.184.216.34",
"total_scans": 0,
"unique_urls": 0,
"first_seen": null,
"last_seen": null,
"geoip": null,
"asn": null,
"asn_org": null,
"country": null,
"city": null,
"state": null,
"bgp_data": null,
"dns_data": {
"domains": [
{
"domain": "clinical-uat.prod.rxrx.io",
"root": "rxrx.io",
"type": "A",
"ips": [
"93.184.216.34"
],
"timestamp": 1777978516
},
{
"domain": "iw-db-api.prod.rxrx.io",
"root": "rxrx.io",
"type": "A",
"ips": [
"93.184.216.34"
],
"timestamp": 1777975796
},
{
"domain": "grafana.rxrx.io",
"root": "rxrx.io",
"type": "A",
"ips": [
"93.184.216.34"
],
"timestamp": 1777975015
},
{
"domain": "inception-docs.prod.rxrx.io",
"root": "rxrx.io",
"type": "A",
"ips": [
"93.184.216.34"
],
"timestamp": 1777974088
},
{
"domain": "inference.rxrx.io",
"root": "rxrx.io",
"type": "A",
"ips": [
"93.184.216.34"
],
"timestamp": 1777970663
},
{
"domain": "inference.exs.rxrx.io",
"root": "rxrx.io",
"type": "A",
"ips": [
"93.184.216.34"
],
"timestamp": 1777970663
},
// ... truncated ...
}GET
/api/v1/technologies/bot-protection/{scan_id}Get Bot Protection
Get bot protection technologies detected in a specific scan
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
scan_id | string | Required |
Example
Request
curl "https://scanmalware.com/api/v1/technologies/bot-protection/123e4567-e89b-12d3-a456-426614174000"Response
{
"scan_id": "123e4567-e89b-12d3-a456-426614174000",
"bot_protection": [
{
"name": "Cloudflare Bot Management",
"version": null,
"category": "wappalyzer",
"confidence": 55,
"detected_at": "2026-05-05T11:03:09.705276",
"website": null,
"description": null,
"details": {
"cpe": null,
"source": "wappalyzer",
"implies": [
"Cloudflare"
],
"detected_by": [
"headers",
"cookies"
],
"detection_details": [
{
"method": "headers",
"matches": [
{
"type": "presence",
"value": "9f6f3d09784adbc8-FRA",
"header": "cf-ray"
}
]
},
{
"method": "cookies",
"matches": [
{
"name": "cf_clearance",
"exists": true
}
]
}
],
"confidence_breakdown": {
"cookies": 15,
"headers": 40
}
}
}
],
"detected": true
}GET
/api/v1/rpki/{scan_id}Get Rpki Validation
Get RPKI validation results for a scan. Returns validation status (valid/invalid/not-found) for each server IP address, with ASN, covering prefix, and risk contribution.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
scan_id | string | Required |
Response
objectExample
Request
curl "https://scanmalware.com/api/v1/rpki/123e4567-e89b-12d3-a456-426614174000"Response
{
"validations": [
{
"ip": "23.36.162.198",
"asn": 20940,
"as_name": "Akamai International B.V.",
"covering_prefix": "23.36.162.0/24",
"rpki_status": "valid",
"risk_contribution": 0
},
{
"ip": "23.36.162.215",
"asn": 20940,
"as_name": "Akamai International B.V.",
"covering_prefix": "23.36.162.0/24",
"rpki_status": "valid",
"risk_contribution": 0
},
{
"ip": "54.201.178.167",
"asn": 16509,
"as_name": "Amazon.com, Inc.",
"covering_prefix": "54.200.0.0/15",
"rpki_status": "valid",
"risk_contribution": 0
},
{
"ip": "104.16.79.73",
"asn": 13335,
"as_name": "Cloudflare, Inc.",
"covering_prefix": "104.16.64.0/20",
"rpki_status": "valid",
"risk_contribution": 0
},
{
"ip": "104.17.71.73",
"asn": 13335,
"as_name": "Cloudflare, Inc.",
"covering_prefix": "104.17.64.0/20",
"rpki_status": "valid",
"risk_contribution": 0
},
{
"ip": "104.17.162.123",
"asn": 13335,
"as_name": "Cloudflare, Inc.",
"covering_prefix": "104.17.160.0/20",
"rpki_status": "valid",
"risk_contribution": 0
},
{
"ip": "104.17.163.123",
"asn": 13335,
"as_name": "Cloudflare, Inc.",
"covering_prefix": "104.17.160.0/20",
"rpki_status": "valid",
"risk_contribution": 0
},
{
"ip": "104.17.164.123",
// ... truncated ...
}GET
/api/v1/segments/{segment_id}Get Segment
Get basic information about a JavaScript segment. Args: segment_id: The unique segment identifier Returns: Segment metadata including script URL, function name, code length, etc.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
segment_id | integer | Required | JavaScript segment ID |
Example
Request
curl "https://scanmalware.com/api/v1/segments/1"Response
{
"segment_id": 1,
"scan_id": "62a873c0-665d-47e9-9da9-e680dc9f8929",
"code_hash": "37b81c419f93d275bdcaa346d8f33121fda747c61a7eb8fa754760bbd95d364e",
"tlsh_hash": null,
"script_url": "(inline)",
"function_name": null,
"code_length": 102,
"code_snippet": "(() => {\n Object.defineProperty(navigator, 'webdriver', {\n get: () => undefined\n });\n })()",
"risk_score": 0,
"risk_factors": [],
"library_match": null,
"patterns": {
"entropy": 4.403796210347942,
"hasEval": false,
"hasBase64": false,
"hasWindow": false,
"codeLength": 102,
"hexEscapes": 0,
"hasDocument": false,
"hasUnescape": false,
"hasNavigator": false,
"octalEscapes": 0,
"hasCharCodeAt": false,
"unicodeEscapes": 0,
"bracketNotation": 0,
"suspiciousVarNames": 0,
"stringConcatenation": 0,
"hasFunctionConstructor": false
}
}GET
/api/v1/segments/{segment_id}/securityGet Segment Security
Get security analysis for a specific JavaScript segment. Returns malware pattern matches, risk assessment, and threat intelligence for the given segment ID. Args: segment_id: The unique segment identifier from js_segments table Returns: Security analysis including: - Malware pattern matches (YARA, custom patterns) - Risk score and severity - Pattern descriptions and recommendations - Threat categories
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
segment_id | integer | Required | JavaScript segment ID |
Example
Request
curl "https://scanmalware.com/api/v1/segments/1/security"Response
{
"segment_id": 1,
"scan_id": "62a873c0-665d-47e9-9da9-e680dc9f8929",
"script_url": "(inline)",
"function_name": null,
"code_length": 102,
"security": {
"risk_score": 0,
"severity": "NONE",
"total_matches": 0,
"average_confidence": 0,
"threat_categories": [],
"pattern_matches": [],
"static_risk_score": 0,
"risk_factors": [],
"library_match": null
}
}GET
/api/v1/tls/{scan_id}/certificate/downloadDownload Certificate
Download the TLS/SSL certificate in PEM format Returns the certificate as a downloadable .pem file that can be: - Imported into browsers/keychains - Inspected with OpenSSL (openssl x509 -in cert.pem -text -noout) - Used for verification and analysis Results are cached for 60 seconds (only when data exists).
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
scan_id | string | Required |
Example
Request
curl "https://scanmalware.com/api/v1/tls/123e4567-e89b-12d3-a456-426614174000/certificate/download"Response
-----BEGIN CERTIFICATE-----
MIIDhTCCAwqgAwIBAgISBkRX3ylv/RvcLkTm+bSYyaAaMAoGCCqGSM49BAMDMDIx
CzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDEwJF
NzAeFw0yNjAzMTAxMDQ2MTZaFw0yNjA2MDgxMDQ2MTVaMBcxFTATBgNVBAMTDHd3
dy5odXNkLm9yZzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABNjJpke7lPyTGbOa
KG6WP8Bu8+FSWIEesCwxFksImmrCM5bXnwFzKyNzMazLYG6C1jhJ0T7RD3y+hKCy
8PI4wCmjggIZMIICFTAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUH
AwEwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUstNgPWN3xfmbAVsGDr031koaeqAw
HwYDVR0jBBgwFoAUrkie3IcdRKBv2qLlYHQEeMKcAIAwMgYIKwYBBQUHAQEEJjAk
MCIGCCsGAQUFBzAChhZodHRwOi8vZTcuaS5sZW5jci5vcmcvMBcG
... [truncated]HEAD
/api/v1/screenshot/{scan_id}Screenshot Metadata (HEAD)
Issue a HEAD request to fetch screenshot metadata (Content-Type, Content-Length) without downloading the PNG body. Useful for cheaply checking whether a screenshot exists for a given scan.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
scan_id | string | Required | |
width | integer | Optional | Resize width (maintains aspect ratio) |
height | integer | Optional | Resize height (maintains aspect ratio) |
format | string | Optional | Output format: png or webp |
Response
Empty body; status 200 if the screenshot exists, 404 if not.Example
Request
curl -I "https://scanmalware.com/api/v1/screenshot/123e4567-e89b-12d3-a456-426614174000"Response
HTTP/2 200
content-type: image/png
content-length: 19049
cache-control: public, max-age=86400GET
/api/v1/js-fingerprinter2/{scan_id}Get Js Fingerprinter2 Results
Get JavaScript obfuscation detection results for a specific scan. Returns: Obfuscation analysis results including risk level, eval calls, and high-risk events Note: By default, detailed_events is excluded as it can be 10MB+ in size. Use ?include_detailed_events=true to include it.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
scan_id | string | Required | Scan UUID to retrieve obfuscation detection results for |
include_detailed_events | boolean | Optional | Include detailed_events field (can be very large, 10MB+) |
Example
Request
curl "https://scanmalware.com/api/v1/js-fingerprinter2/123e4567-e89b-12d3-a456-426614174000"Response
{"scan_id":"123e4567-e89b-12d3-a456-426614174000","session_id":"session_1777978988437_u07bjp2ew","target_url":"https://www.husd.org/","scan_url":"https://husd.org","overall_risk":"critical","max_risk_score":100,"average_risk_score":85.67,"total_scripts":454,"eval_calls":0,"function_constructor_calls":4,"high_risk_events_count":3,"high_risk_events":[{"type":"static_analysis","score":95,"urlId":"u0","factors":["charcode_manipulation","excessive_concatenation","bracket_notation_abuse","excessive_escapes","high_entropy","suspicious_variable_names"],"timestamp":1777978991039,"codeSnippet":"/*! jQue
... [truncated]GET
/api/v1/js-fingerprinter2/{scan_id}/scriptsGet Js Fingerprinter2 Per Script
Get per-script behavioral fingerprint data from js_fingerprinter2. Aggregates detailed_events by script URL to provide per-script summaries of eval calls, Function constructor usage, risk scores, and obfuscation patterns. Returns: Dictionary keyed by script URL (or "(inline)") with behavioral summary per script.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
scan_id | string | Required | Scan UUID to retrieve per-script behavioral data for |
Example
Request
curl "https://scanmalware.com/api/v1/js-fingerprinter2/123e4567-e89b-12d3-a456-426614174000/scripts"Response
{"scripts":{"u11":{"evalCalls":0,"functionCalls":0,"staticAnalyses":0,"exceptions":0,"maxRiskScore":0,"avgRiskScore":0,"patterns":[],"codeHash":null},"(inline)":{"evalCalls":0,"functionCalls":0,"staticAnalyses":56,"exceptions":0,"maxRiskScore":25,"avgRiskScore":11.6,"patterns":[{"entropy":4.403796210347942,"hasEval":false,"hasBase64":false,"hasWindow":false,"codeLength":102,"hexEscapes":0,"hasDocument":false,"hasUnescape":false,"hasNavigator":false,"octalEscapes":0,"hasCharCodeAt":false,"unicodeEscapes":0,"bracketNotation":0,"suspiciousVarNames":0,"stringConcatenation":0,"hasFunctionConstructo
... [truncated]GET
/api/v1/js-fingerprinter2/statsGet Js Fingerprinter2 Stats
Get aggregate statistics for obfuscation detection across all scans. Returns: Summary statistics including total scans analyzed, risk distribution, common patterns
Example
Request
curl "https://scanmalware.com/api/v1/js-fingerprinter2/stats"Response
{
"total_analyzed": 278741,
"risk_distribution": {
"critical": 97033,
"high": 12171,
"medium": 8290,
"low": 157759
},
"averages": {
"max_risk_score": 39.57,
"avg_risk_score": 32.2,
"scripts_per_scan": 137.53
},
"totals": {
"eval_calls": 1269858,
"function_constructor_calls": 1080534,
"high_risk_events": 536230
},
"last_analysis_at": "2026-05-05T11:08:39.049652+00:00"
}GET
/api/v1/js-fingerprinter2/search/js-obfuscationSearch Js Obfuscation
Search for scans with JavaScript obfuscation patterns. NOTE: This endpoint has been moved to /api/v1/search/js-obfuscation for consistency. Please use the new endpoint instead.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
risk_level | string | Optional | Filter by risk level: low, medium, high, critical |
min_risk_score | integer | Optional | Minimum risk score |
has_eval | boolean | Optional | Filter scans with eval() calls |
limit | integer | Optional |
Example
Request
curl "https://scanmalware.com/api/v1/js-fingerprinter2/search/js-obfuscation"Response
{"total":20,"filters":{"risk_level":null,"min_risk_score":null,"has_eval":null},"results":[{"scan_id":"92dd3cd3-464b-4c5b-88f4-cbffea1cfff2","url":"https://theearthlingco.com","target_url":null,"overall_risk":null,"max_risk_score":null,"average_risk_score":0,"total_scripts":null,"eval_calls":null,"function_constructor_calls":null,"high_risk_events_count":null,"screenshot_thumbnail":"minio://scanmalware-content/screenshots/92/dd/92dd3cd3-464b-4c5b-88f4-cbffea1cfff2.png","analyzed_at":"2026-05-04T21:08:19.096272+00:00","submitted_at":"2026-05-04T21:06:14.858115"},{"scan_id":"3e34e760-2606-4543-8
... [truncated]GET
/api/v1/jsfingerprint/hash/sha256/{hash}Search By Sha256
Find exact JavaScript content matches by SHA-256 hash. Use Case: Malware detection, code reuse tracking, supply chain security Performance: < 100ms (indexed lookup)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
hash | string | Required | SHA-256 hash (64 hex characters) |
include_scans | boolean | Optional | Include scan references |
limit | integer | Optional | Max results |
from_date | string | Optional | Start date (ISO 8601) |
to_date | string | Optional | End date (ISO 8601) |
Example
Request
curl "https://scanmalware.com/api/v1/jsfingerprint/hash/sha256/3f08ccfa3fe55172d853efc9d5673dffa359873e6199f8175d9ca853b3924857?limit=3"Response
{
"hash_type": "sha256",
"hash_value": "3f08ccfa3fe55172d853efc9d5673dffa359873e6199f8175d9ca853b3924857",
"total_matches": 1,
"unique_scans": 1,
"first_seen": "2026-05-05T11:03:25.735908Z",
"last_seen": "2026-05-05T11:03:25.735908Z",
"prevalence": "rare",
"date_range": {
"from": null,
"to": null
},
"matches": [
{
"fingerprint_id": 5037368,
"scan_id": "123e4567-e89b-12d3-a456-426614174000",
"script_url": "https://www.husd.org/uploaded/themes/default_24/main.js?1763056584",
"code_length": 33725,
"function_count": 195,
"library_detected": null,
"library_version": null,
"is_bundled": null,
"bundler_type": null,
"is_cdn": false,
"cdn_type": null,
"obfuscation_score": null,
"created_at": "2026-05-05T11:03:25.735908Z"
}
],
"matches_truncated": false,
"performance": {
"query_time_note": "< 100ms typical",
"index_used": "idx_fp_content_hash"
}
}GET
/api/v1/jsfingerprint/hash/md5/{hash}Search By Md5
Find exact JavaScript content matches by MD5 hash. Use Case: Legacy hash lookups, malware detection, code reuse tracking Performance: < 100ms (indexed lookup)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
hash | string | Required | MD5 hash (32 hex characters) |
include_scans | boolean | Optional | Include scan references |
limit | integer | Optional | Max results |
from_date | string | Optional | Start date (ISO 8601) |
to_date | string | Optional | End date (ISO 8601) |
Example
Request
curl "https://scanmalware.com/api/v1/jsfingerprint/hash/md5/ca4877aaea6ea720336eaefcd4234c20?limit=3"Response
{
"hash_type": "md5",
"hash_value": "ca4877aaea6ea720336eaefcd4234c20",
"total_matches": 1,
"unique_scans": 1,
"first_seen": "2026-05-05T11:03:25.735908Z",
"last_seen": "2026-05-05T11:03:25.735908Z",
"prevalence": "rare",
"date_range": {
"from": null,
"to": null
},
"matches": [
{
"fingerprint_id": 5037368,
"scan_id": "123e4567-e89b-12d3-a456-426614174000",
"script_url": "https://www.husd.org/uploaded/themes/default_24/main.js?1763056584",
"code_length": 33725,
"function_count": 195,
"library_detected": null,
"library_version": null,
"is_bundled": null,
"bundler_type": null,
"is_cdn": false,
"cdn_type": null,
"obfuscation_score": null,
"created_at": "2026-05-05T11:03:25.735908Z"
}
],
"matches_truncated": false,
"performance": {
"query_time_note": "< 100ms typical",
"index_used": "idx_fp_content_md5"
}
}GET
/api/v1/jsfingerprint/hash/sha1/{hash}Search By Sha1
Find exact JavaScript content matches by SHA-1 hash. Use Case: Legacy hash lookups, malware detection, code reuse tracking Performance: < 100ms (indexed lookup)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
hash | string | Required | SHA-1 hash (40 hex characters) |
include_scans | boolean | Optional | Include scan references |
limit | integer | Optional | Max results |
from_date | string | Optional | Start date (ISO 8601) |
to_date | string | Optional | End date (ISO 8601) |
Example
Request
curl "https://scanmalware.com/api/v1/jsfingerprint/hash/sha1/1c98781e6979d27fff01627d11123c95c7fb611b?limit=3"Response
{
"hash_type": "sha1",
"hash_value": "1c98781e6979d27fff01627d11123c95c7fb611b",
"total_matches": 1,
"unique_scans": 1,
"first_seen": "2026-05-05T11:03:25.735908Z",
"last_seen": "2026-05-05T11:03:25.735908Z",
"prevalence": "rare",
"date_range": {
"from": null,
"to": null
},
"matches": [
{
"fingerprint_id": 5037368,
"scan_id": "123e4567-e89b-12d3-a456-426614174000",
"script_url": "https://www.husd.org/uploaded/themes/default_24/main.js?1763056584",
"code_length": 33725,
"function_count": 195,
"library_detected": null,
"library_version": null,
"is_bundled": null,
"bundler_type": null,
"is_cdn": false,
"cdn_type": null,
"obfuscation_score": null,
"created_at": "2026-05-05T11:03:25.735908Z"
}
],
"matches_truncated": false,
"performance": {
"query_time_note": "< 100ms typical",
"index_used": "idx_fp_content_sha1"
}
}GET
/api/v1/jsfingerprint/hash/normalized/{hash}Search By Normalized Hash
Find whitespace-independent code matches by normalized hash. Use Case: Detect minified/formatted variants of same code Performance: < 100ms (indexed lookup)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
hash | string | Required | Normalized hash (64 hex characters) |
include_scans | boolean | Optional | Include scan references |
limit | integer | Optional | Max results |
from_date | string | Optional | Start date (ISO 8601) |
to_date | string | Optional | End date (ISO 8601) |
Example
Request
curl "https://scanmalware.com/api/v1/jsfingerprint/hash/normalized/501437d02dc4d96a6e2957c26796d3f6bdd8efd99fae777ceba7dd0a82832117?limit=3"Response
{
"hash_type": "normalized",
"hash_value": "501437d02dc4d96a6e2957c26796d3f6bdd8efd99fae777ceba7dd0a82832117",
"total_matches": 1,
"unique_scans": 1,
"first_seen": "2026-05-05T11:03:25.735908Z",
"last_seen": "2026-05-05T11:03:25.735908Z",
"prevalence": "rare",
"date_range": {
"from": null,
"to": null
},
"matches": [
{
"fingerprint_id": 5037368,
"scan_id": "123e4567-e89b-12d3-a456-426614174000",
"script_url": "https://www.husd.org/uploaded/themes/default_24/main.js?1763056584",
"code_length": 33725,
"function_count": 195,
"library_detected": null,
"library_version": null,
"is_bundled": null,
"bundler_type": null,
"is_cdn": false,
"cdn_type": null,
"obfuscation_score": null,
"created_at": "2026-05-05T11:03:25.735908Z"
}
],
"matches_truncated": false,
"note": "Normalized hash ignores whitespace differences"
}GET
/api/v1/jsfingerprint/hash/fuzzy/{fuzzy_hash}Search By Fuzzy Hash
Find similar code using SSDEEP fuzzy hashing. Use Case: Detect obfuscated/modified variants of malware Performance: 500ms-2s (requires fuzzy comparison) Note: Full SSDEEP comparison requires external library - this endpoint does exact fuzzy_hash matches. For true fuzzy matching, SSDEEP library integration is required.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
fuzzy_hash | string | Required | SSDEEP fuzzy hash |
min_similarity | integer | Optional | Minimum similarity percentage |
limit | integer | Optional | Max results |
Example
Request
curl "https://scanmalware.com/api/v1/jsfingerprint/hash/fuzzy/12:adda3838eb7c650774c7b7ba21c497529bdaed20417ea37b7049a3108f3638239d0ce2f45925eda158b255c3377d68063ea991f330eaab4f8512d9b45344b90669fedcd027c31e0ee0a08623d38ceaa4c3839c9c72907a0adfe0e71b26ae0d324840c459bbc77a7e8ce03a8c5ff93542f33931fec101058e4ad35edf69dcd3d9255131e83ba6c276f65d4fbe48a8457e0b27bb72da1ca8f3d923aa33d5aa49a3b72a5b9021c49752a1fa32a14c65d0be728b8100618fb9f679a716adfaee4ca3cf8c1aca2c116e210626e244fa82a989b2e436a0dc32c2f122c1deff18e498ae93cd9c44bffaee77c18198ae617a4046ebb99ea1f3b5dd255421a3ac7547e538?limit=3"Response
{
"hash_type": "fuzzy_ssdeep",
"hash_value": "12:adda3838eb7c650774c7b7ba21c497529bdaed20417ea37b7049a3108f3638239d0ce2f45925eda158b255c3377d68063ea991f330eaab4f8512d9b45344b90669fedcd027c31e0ee0a08623d38ceaa4c3839c9c72907a0adfe0e71b26ae0d324840c459bbc77a7e8ce03a8c5ff93542f33931fec101058e4ad35edf69dcd3d9255131e83ba6c276f65d4fbe48a8457e0b27bb72da1ca8f3d923aa33d5aa49a3b72a5b9021c49752a1fa32a14c65d0be728b8100618fb9f679a716adfaee4ca3cf8c1aca2c116e210626e244fa82a989b2e436a0dc32c2f122c1deff18e498ae93cd9c44bffaee77c18198ae617a4046ebb99ea1f3b5dd255421a3ac7547e538",
"min_similarity": 50,
"total_matches": 1,
"matches": [
{
"fingerprint_id": 5037368,
"scan_id": "123e4567-e89b-12d3-a456-426614174000",
"script_url": "https://www.husd.org/uploaded/themes/default_24/main.js?1763056584",
"code_length": 33725,
"function_count": 195,
"library_detected": null,
"library_version": null,
"is_bundled": null,
"bundler_type": null,
"is_cdn": null,
"cdn_type": null,
"obfuscation_score": null,
"created_at": "2026-05-05T11:03:25.735908Z",
// ... truncated ...
}GET
/api/v1/jsfingerprint/library/{library_name}Search By Library
Find all scripts using a specific JavaScript library. Use Case: Vulnerable library tracking, supply chain security Performance: 500ms-1s
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
library_name | string | Required | Library name (e.g., 'react', 'vue', 'jquery') |
version | string | Optional | Specific version (e.g., '16.13.1') |
version_pattern | string | Optional | Version wildcard (e.g., '16.*') |
min_confidence | number | Optional | Minimum detection confidence |
include_cdn_only | boolean | Optional | Filter to CDN-hosted only |
page | integer | Optional | Page number |
per_page | integer | Optional | Results per page |
Example
Request
curl "https://scanmalware.com/api/v1/jsfingerprint/library/jquery"Response
{"library_name":"jquery","version_filter":null,"total_fingerprints":67152,"unique_scans":42300,"unique_urls":51678,"version_breakdown":{"3.7.1":16177,"unknown":8820,"1.13.3":3689,"3.5.1":3131,"3.6.0":3091,"2.2.4":1907,"3.7.0":1891,"1.12.4":1734,"1.11.3":1645,"1.12.0":1240,"3.3.1":1061,"3.4.1":1012,"3.6.1":967,"1.9.1":838,"3.6.3":819,"1.8.3":749,"1.12.1":740,"1.4.4":732,"1.11.1":630,"1.10.2":565},"cdn_distribution":{"self-hosted":64535,"jquery_cdn":1268,"googleapis":1022,"cdnjs":271,"microsoft":29,"jsdelivr":13,"github_pages":9,"cloudflare":3,"unpkg":2},"page":1,"per_page":50,"total_pages":1344
... [truncated]GET
/api/v1/jsfingerprint/library/{library}/version/{version}Search By Library Version
Find exact library+version combinations. Use Case: CVE tracking - find all scans using vulnerable version Performance: < 500ms
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
library | string | Required | Library name |
version | string | Required | Library version |
include_deprecated | boolean | Optional | Include old scans |
group_by_url | boolean | Optional | Group by unique URL |
limit | integer | Optional | Max results |
Example
Request
curl "https://scanmalware.com/api/v1/jsfingerprint/library/jquery/version/3.6.0"Response
{"library":"jquery","version":"3.6.0","total_matches":3091,"returned_count":100,"fingerprints":[{"fingerprint_id":5036407,"scan_id":"4f87042a-bd95-4eda-bd64-d9813cbfcc3a","script_url":"https://d1v124mdoasvln.cloudfront.net/new_js/jquery-3.6.0.min.js","code_length":89501,"function_count":607,"library_detected":"jquery","library_version":"3.6.0","is_bundled":null,"bundler_type":null,"is_cdn":false,"cdn_type":null,"obfuscation_score":null,"created_at":"2026-05-05T09:44:51.752345Z"},{"fingerprint_id":5032786,"scan_id":"63157227-0ed8-458b-8a8b-aadf087ff95a","script_url":"https://www.zohowebstatic.c
... [truncated]GET
/api/v1/jsfingerprint/bundler/{bundler_type}Search By Bundler
Find scripts by bundler type. Use Case: Build tool analysis, supply chain security Performance: < 1s
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
bundler_type | string | Required | Bundler type (webpack, rollup, vite, parcel, esbuild) |
bundle_format | string | Optional | Bundle format (esm, cjs, umd, iife, amd) |
min_confidence | number | Optional | Minimum bundler detection confidence |
include_libraries | boolean | Optional | Include detected libraries |
page | integer | Optional | Page number |
per_page | integer | Optional | Results per page |
Example
Request
curl "https://scanmalware.com/api/v1/jsfingerprint/bundler/webpack?limit=3"Response
{"bundler_type":"webpack","bundle_format_filter":null,"total_bundles":10893,"unique_scans":2990,"format_breakdown":{"unknown":9587,"cjs":666,"amd":345,"iife":260,"umd":31,"esm":4},"average_bundle_size":182344,"page":1,"per_page":50,"total_pages":218,"bundles":[{"fingerprint_id":5009791,"scan_id":"981db643-8769-468f-a13c-852e95d3afb3","script_url":"https://www.inspectionsupport.com/wp-content/plugins/elementor/assets/js/webpack.runtime.min.js?ver=4.0.4","bundler_type":"webpack","bundle_format":null,"bundle_confidence":0.95,"code_length":5722,"created_at":"2026-05-04T07:49:01.558728Z","library_d
... [truncated]GET
/api/v1/jsfingerprints/search/md5/{hash_value}Search By Md5
Search JavaScript fingerprints by MD5 hash. Only searches public scans.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
hash_value | string | Required | |
limit | integer | Optional | Results per page |
offset | integer | Optional | Results offset |
Example
Request
curl "https://scanmalware.com/api/v1/jsfingerprints/search/md5/ca4877aaea6ea720336eaefcd4234c20?limit=3"Response
{
"results": [
{
"scan_id": "123e4567-e89b-12d3-a456-426614174000",
"url": "https://husd.org",
"scanned_at": "2026-05-05T10:59:52.195772Z",
"script_url": "https://www.husd.org/uploaded/themes/default_24/main.js?1763056584",
"library_name": null,
"library_version": null,
"bundler_type": null,
"content_sha256": "3f08ccfa3fe55172d853efc9d5673dffa359873e6199f8175d9ca853b3924857",
"content_md5": "ca4877aaea6ea720336eaefcd4234c20",
"content_sha1": "1c98781e6979d27fff01627d11123c95c7fb611b",
"filename": "main.js"
}
],
"total": 1,
"page": 1,
"limit": 3,
"search_type": "md5",
"search_value": "ca4877aaea6ea720336eaefcd4234c20",
"context": {
"prevalence": "unique",
"prevalence_count": 1,
"prevalence_description": "Found in 1 scan. MD5 hash for cross-reference with threat intelligence databases. This is a unique script.",
"common_filenames": [
{
"filename": "main.js",
"count": 1,
"percentage": 100.0
}
],
"hash_types": {
"md5": "ca4877aaea6ea720336eaefcd4234c20",
"sha256": "3f08ccfa3fe55172d853efc9d5673dffa359873e6199f8175d9ca853b3924857",
"sha1": "1c98781e6979d27fff01627d11123c95c7fb611b"
}
}
}GET
/api/v1/jsfingerprints/search/sha1/{hash_value}Search By Sha1
Search JavaScript fingerprints by SHA-1 hash. Only searches public scans.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
hash_value | string | Required | |
limit | integer | Optional | Results per page |
offset | integer | Optional | Results offset |
Example
Request
curl "https://scanmalware.com/api/v1/jsfingerprints/search/sha1/1c98781e6979d27fff01627d11123c95c7fb611b?limit=3"Response
{
"results": [
{
"scan_id": "123e4567-e89b-12d3-a456-426614174000",
"url": "https://husd.org",
"scanned_at": "2026-05-05T10:59:52.195772Z",
"script_url": "https://www.husd.org/uploaded/themes/default_24/main.js?1763056584",
"library_name": null,
"library_version": null,
"bundler_type": null,
"content_sha256": "3f08ccfa3fe55172d853efc9d5673dffa359873e6199f8175d9ca853b3924857",
"content_md5": "ca4877aaea6ea720336eaefcd4234c20",
"content_sha1": "1c98781e6979d27fff01627d11123c95c7fb611b",
"filename": "main.js"
}
],
"total": 1,
"page": 1,
"limit": 3,
"search_type": "sha1",
"search_value": "1c98781e6979d27fff01627d11123c95c7fb611b",
"context": {
"prevalence": "unique",
"prevalence_count": 1,
"prevalence_description": "Found in 1 scan. SHA-1 hash for cross-reference with legacy systems. This is a unique script.",
"common_filenames": [
{
"filename": "main.js",
"count": 1,
"percentage": 100.0
}
],
"hash_types": {
"sha1": "1c98781e6979d27fff01627d11123c95c7fb611b",
"sha256": "3f08ccfa3fe55172d853efc9d5673dffa359873e6199f8175d9ca853b3924857",
"md5": "ca4877aaea6ea720336eaefcd4234c20"
}
}
}GET
/api/v1/jsfingerprints/{fingerprint_id}/sourceGet script source code
Retrieve the original JavaScript source code for a fingerprint from object storage
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
fingerprint_id | integer | Required | Fingerprint ID |
Response
{
"fingerprint_id": "integer",
"content_sha256": "string",
"script_url": "string",
"code_length": "integer",
"source": "string",
"retrieved_from": "string"
}Example
Request
curl "https://scanmalware.com/api/v1/jsfingerprints/5037368/source"Response
{"fingerprint_id":5037368,"content_sha256":"3f08ccfa3fe55172d853efc9d5673dffa359873e6199f8175d9ca853b3924857","script_url":"https://www.husd.org/uploaded/themes/default_24/main.js?1763056584","code_length":33725,"source":"/*! For license information please see main.js.LICENSE.txt */\nbuildinfo={buildname:\"fs-webpack-build\",ver:\"7.1.2\",template:\"newclientcustom\",FED:\"Savu Sebastian\",PM:\"Caitlin Hazelwood\",Designer:\"Kyle Taylor\"},function(){var e={420:function(){},470:function(e,t,n){\"use strict\";n.r(t);var a=n(586);!function(){if(void 0!==window.buildinfo){var e=document.getElemen
... [truncated]GET
/api/v1/js-fingerprinting3/canonical/{canonical_ast_hash}Search Canonical
Every script whose canonical AST hash matches — the same code structure even under identifier renaming (the obfuscation-resistant identity).
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
canonical_ast_hash | string | Required | canonical_ast_hash |
limit | integer | Optional |
Example
Request
curl "https://scanmalware.com/api/v1/js-fingerprinting3/canonical/{canonical_ast_hash}"Response
GET
/api/v1/js-fingerprinting3/content/{content_sha256}Search Content
Every scan where a byte-identical script appeared.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
content_sha256 | string | Required | content SHA-256 |
limit | integer | Optional |
Example
Request
curl "https://scanmalware.com/api/v1/js-fingerprinting3/content/{content_sha256}"Response
GET
/api/v1/js-fingerprinting3/kit/{kit_id}Kit Detail
Kit metadata + every sighting recorded against it.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
kit_id | integer | Required | js_kit_roster.id |
limit | integer | Optional |
Example
Request
curl "https://scanmalware.com/api/v1/js-fingerprinting3/kit/{kit_id}"Response
GET
/api/v1/js-fingerprinting3/kitsList Kits
All registered kits in the roster + a running sighting count per kit.
Example
Request
curl "https://scanmalware.com/api/v1/js-fingerprinting3/kits"Response
GET
/api/v1/js-fingerprinting3/scan/{scan_id}Fingerprints For Scan
All structural fingerprints recorded for one scan, enriched per row with corpus-wide prevalence counts (content_seen, canonical_seen) and a code- signature library match from known_library_segments (file-level, covering index idx_known_lib_lookup on code_hash). Frontend renders this as the middle tier between v1's library_detection and the URL-pattern fallback.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
scan_id | string | Required | Scan UUID |
Example
Request
curl "https://scanmalware.com/api/v1/js-fingerprinting3/scan/{scan_id}"Response
GET
/api/v1/js-fingerprinting3/similar/{row_id}Search Similar
Structurally similar scripts — pgvector cosine ANN on the structural vector.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
row_id | integer | Required | js_fingerprinting3.id of the anchor |
limit | integer | Optional |
Example
Request
curl "https://scanmalware.com/api/v1/js-fingerprinting3/similar/{row_id}"Response
GET
/api/v1/js-fingerprinting3/statsStats
Coverage statistics for js-fingerprinting3.
Example
Request
curl "https://scanmalware.com/api/v1/js-fingerprinting3/stats"Response