Skip to main content

POST /api/ingest-http — Ingest HTTP Data

Import HTTP request/response data into the database for scanning. Supports multiple input formats. Headers:
HeaderRequiredDescription
Content-TypeYesMust be application/json
X-Project-UUIDNoProject UUID to scope the imported data. Falls back to the default project if omitted.
Request body:
FieldTypeRequiredDescription
input_modestringYesInput format (see modes below)
urlstringNoOverride URL (used as base URL for some modes)
contentstringNoRaw content (plaintext)
content_base64stringNoBase64-encoded content
http_request_base64stringNoBase64-encoded raw HTTP request (for burp_base64)
http_response_base64stringNoBase64-encoded raw HTTP response (for burp_base64)
Input modes:
ModeDescriptionContent field
urlSingle URLcontent
url_fileNewline-separated list of URLscontent
curlSingle curl commandcontent
burp_base64Base64 raw HTTP request (+response)http_request_base64
openapi / swaggerOpenAPI/Swagger spec (JSON or YAML)content
postman_collectionPostman Collection v2content
har / http_archiveHAR (HTTP Archive) 1.2 JSONcontent

Ingest a URL

curl -s -X POST http://localhost:9002/api/ingest-http \
  -H "Content-Type: application/json" \
  -d '{
    "input_mode": "url",
    "content": "https://example.com/api/users?id=1"
  }' | jq .

Ingest a curl command

curl -s -X POST http://localhost:9002/api/ingest-http \
  -H "Content-Type: application/json" \
  -d '{
    "input_mode": "curl",
    "content": "curl -X POST https://example.com/login -d \"user=admin&pass=test\""
  }' | jq .

Ingest a list of URLs

curl -s -X POST http://localhost:9002/api/ingest-http \
  -H "Content-Type: application/json" \
  -d '{
    "input_mode": "url_file",
    "content": "https://example.com/page1\nhttps://example.com/page2\nhttps://example.com/page3"
  }' | jq .

Ingest a raw HTTP request (base64)

# Base64-encode a raw HTTP request
REQ_B64=$(echo -n "GET /api/users HTTP/1.1\r\nHost: example.com\r\n\r\n" | base64)

curl -s -X POST http://localhost:9002/api/ingest-http \
  -H "Content-Type: application/json" \
  -d "{
    \"input_mode\": \"burp_base64\",
    \"http_request_base64\": \"$REQ_B64\"
  }" | jq .

Ingest a raw HTTP request with a URL hint (base64)

Raw HTTP requests don’t contain the scheme (https vs http) and the Host header alone may not reflect the actual target (e.g. behind a reverse proxy). Provide url alongside http_request_base64 so the parser can resolve the correct scheme and hostname. 
REQ_B64=$(echo -n "POST /api/login HTTP/1.1\r\nHost: internal-lb\r\nContent-Type: application/json\r\n\r\n{\"user\":\"admin\"}" | base64)

curl -s -X POST http://localhost:9002/api/ingest-http \
  -H "Content-Type: application/json" \
  -d "{
    \"input_mode\": \"burp_base64\",
    \"url\": \"https://app.example.com\",
    \"http_request_base64\": \"$REQ_B64\"
  }" | jq .
The url field provides the scheme (https) and the public hostname (app.example.com), overriding whatever Host header appeared in the raw request.

Ingest a HAR file

curl -s -X POST http://localhost:9002/api/ingest-http \
  -H "Content-Type: application/json" \
  -d "{
    \"input_mode\": \"har\",
    \"content_base64\": \"$(base64 < recording.har)\"
  }" | jq .

Ingest an OpenAPI spec

curl -s -X POST http://localhost:9002/api/ingest-http \
  -H "Content-Type: application/json" \
  -d "{
    \"input_mode\": \"openapi\",
    \"content_base64\": \"$(base64 < openapi.json)\"
  }" | jq .
Response: 
{
  "project_uuid": "default",
  "imported": 15,
  "skipped": 0,
  "errors": [],
  "message": "imported 15 requests from OpenAPI spec"
}

Ingest into a specific project

Use the X-Project-UUID header to scope imported data to a project. If omitted, data is stored under the default project. 
curl -s -X POST http://localhost:9002/api/ingest-http \
  -H "Content-Type: application/json" \
  -H "X-Project-UUID: my-project-uuid" \
  -d '{
    "input_mode": "url",
    "content": "https://example.com/api/users"
  }' | jq .

{
  "project_uuid": "my-project-uuid",
  "imported": 1,
  "skipped": 0,
  "message": "imported 1 request from URL"
}