Scan Web Application Vulnerabilities
Run comprehensive vulnerability scans against web applications to identify security weaknesses.
Penetration Testing
AI-powered black-box pen testing
Black-box penetration testing for web apps — crawl the attack surface, scan for misconfigurations, and test for SQL injection, XSS, SSRF, and auth bypass with AI-generated payloads. Findings compile into a report with severity ratings, PoC evidence, and remediation guidance.
Reconnaissance
Crawl a target URL to map its attack surface. Discovers endpoints, forms, input parameters, authentication flows, and tech stack. Returns a session that subsequent test skills use.
Returns: Session object with attack surface map: endpoints, forms, auth flows, input surfaces, and tech stack
Parameters
target *stringTarget URL to scan (e.g. https://example.com)
max_pagesnumberMaximum pages to crawl (1-100)
max_depthnumberMaximum crawl depth (1-10)
timeout_msnumberPer-request timeout in ms (3000-30000)
crawl_timeout_msnumberTotal crawl wall-clock timeout in ms (30000-300000)
Example
Recon a web application
curl -H "Authorization: Bearer $TOOLROUTER_API_KEY" \
-d '{
"tool": "pentest",
"skill": "recon",
"input": {
"target": "https://example.com",
"max_pages": 30
}
}' \
https://api.toolrouter.com/v1/tools/callScan Vulnerabilities
Run vulnerability scans against the target including security header checks, exposed path detection, server version disclosure, and TLS analysis. Uses nuclei when available.
Returns: Vulnerability findings with severity distribution and evidence
Parameters
session_idstringSession ID from recon (or pass full session object)
sessionobjectFull session object from recon (preferred over session_id)
targetsarrayOverride target URLs (optional if session provided)
severitystringMinimum severity threshold
use_binarybooleanUse nuclei binary when available
timeout_msnumberPer-request timeout in ms
Example
Scan after recon
curl -H "Authorization: Bearer $TOOLROUTER_API_KEY" \
-d '{
"tool": "pentest",
"skill": "scan_vulnerabilities",
"input": {
"session_id": "scan_abc123",
"severity": "medium"
}
}' \
https://api.toolrouter.com/v1/tools/callTest Injection
AI-powered injection vulnerability testing. Uses LLM reasoning to generate context-aware SQL, NoSQL, and command injection payloads, execute them, and analyze responses. Requires authorization.
Returns: Confirmed injection findings with PoC payloads, request/response evidence, and remediation
Parameters
session_idstringSession ID from recon
sessionobjectFull session object from recon
authorized *booleanExplicit authorization to test this target (required: true)
target_endpointsarraySpecific endpoints to test (optional)
max_roundsnumberMax LLM reasoning rounds (1-20)
injection_typesarrayTypes to test: sql, nosql, command
Example
Test for SQL injection
curl -H "Authorization: Bearer $TOOLROUTER_API_KEY" \
-d '{
"tool": "pentest",
"skill": "test_injection",
"input": {
"session_id": "scan_abc123",
"authorized": true,
"injection_types": [
"sql"
]
}
}' \
https://api.toolrouter.com/v1/tools/callTest Cross-Site Scripting
AI-powered Cross-Site Scripting testing. Generates context-aware XSS payloads for HTML, attribute, and JavaScript contexts. Tests both reflected and stored XSS. Requires authorization.
Returns: Confirmed XSS findings with payloads, reflection context, and remediation
Parameters
session_idstringSession ID from recon
sessionobjectFull session object from recon
authorized *booleanExplicit authorization to test this target (required: true)
target_endpointsarraySpecific endpoints to test
max_roundsnumberMax LLM reasoning rounds (1-20)
xss_typesarrayTypes: reflected, stored
Example
Test for reflected XSS
curl -H "Authorization: Bearer $TOOLROUTER_API_KEY" \
-d '{
"tool": "pentest",
"skill": "test_xss",
"input": {
"session_id": "scan_abc123",
"authorized": true
}
}' \
https://api.toolrouter.com/v1/tools/callTest Authentication
AI-powered authentication and authorization testing. Tests for auth bypass, IDOR, privilege escalation, and session handling issues. Optionally accepts test credentials. Requires authorization.
Returns: Auth bypass, IDOR, and privilege escalation findings with evidence
Parameters
session_idstringSession ID from recon
sessionobjectFull session object from recon
authorized *booleanExplicit authorization to test this target (required: true)
credentialsobjectOptional test credentials for authenticated testing
max_roundsnumberMax LLM reasoning rounds (1-20)
Example
Test auth without credentials
curl -H "Authorization: Bearer $TOOLROUTER_API_KEY" \
-d '{
"tool": "pentest",
"skill": "test_auth",
"input": {
"session_id": "scan_abc123",
"authorized": true
}
}' \
https://api.toolrouter.com/v1/tools/callTest Server-Side Request Forgery
AI-powered Server-Side Request Forgery testing. Tests URL-accepting parameters for internal network access, cloud metadata exposure, and redirect-based SSRF. Requires authorization.
Returns: SSRF findings with payloads, internal info leakage evidence, and remediation
Parameters
session_idstringSession ID from recon
sessionobjectFull session object from recon
authorized *booleanExplicit authorization to test this target (required: true)
target_endpointsarraySpecific endpoints to test
max_roundsnumberMax LLM reasoning rounds (1-15)
Example
Test for SSRF
curl -H "Authorization: Bearer $TOOLROUTER_API_KEY" \
-d '{
"tool": "pentest",
"skill": "test_ssrf",
"input": {
"session_id": "scan_abc123",
"authorized": true
}
}' \
https://api.toolrouter.com/v1/tools/callGenerate Report
Compile all findings from a scan session into a structured penetration test report. Includes executive summary, severity distribution, PoC evidence, and remediation recommendations.
Returns: Full penetration test report in markdown or structured JSON
Parameters
session_idstringSession ID to generate report from
sessionobjectFull session object
formatstringReport output format
Example
Generate markdown report
curl -H "Authorization: Bearer $TOOLROUTER_API_KEY" \
-d '{
"tool": "pentest",
"skill": "generate_report",
"input": {
"session_id": "scan_abc123",
"format": "markdown"
}
}' \
https://api.toolrouter.com/v1/tools/callQuick Start
MCP (Claude Code)
claude mcp add --transport stdio \
--env TOOLROUTER_API_KEY=YOUR_API_KEY \
toolrouter -- npx -y toolrouter-mcpREST API
curl -H "Authorization: Bearer $TOOLROUTER_API_KEY" \
-d '{"tool":"pentest","skill":"recon","input":{}}' \
https://api.toolrouter.com/v1/tools/callUse Cases
Test API Security
Assess the security of REST APIs by testing authentication, authorization, input validation, and injection resistance.
Probe Security Headers
Check HTTP security headers across your web properties to identify missing protections like CSP, HSTS, and X-Frame-Options.
Run Automated Vulnerability Scans
Scan targets for known vulnerabilities using Nuclei's extensive template library.
Workflows
Full Security Assessment
Comprehensive security assessment combining infrastructure probing, vulnerability scanning, penetration testing, and CVE intelligence.
Compliance Security Audit
Audit systems against compliance frameworks using automated scanning, vulnerability checks, auth testing, and research.
Web Application Security Test
Crawl a web application, analyze HTTP security, test for injections, and document findings with screenshots.
Network Reconnaissance
Map the complete network attack surface through DNS enumeration, geolocation, service probing, and attack vector analysis.
Frequently Asked Questions
Do I need permission before running a test?
Yes. Only test systems you own or have explicit permission to assess.
What should I run first?
Start with `recon`. It maps the attack surface and creates the session used by the later tests.
What kinds of issues does it look for?
It covers injection, XSS, SSRF, authentication problems, misconfigurations, and related web app weaknesses.
How do I get a readable report?
Use `generate_report` at the end of the workflow. You can choose markdown for reading or JSON for structured output.