Templates API
The Templates API provides complete CRUD operations for managing both vulnerability templates and executive summary templates. You can create, read, update, delete templates, and perform bulk operations like CSV imports.
Key Features:
- Flexible CSV Import: Case-insensitive headers and automatic detection of extra fields
- Custom Fields: Any unknown CSV columns are automatically stored as extra fields
- Standard Field Support: All common vulnerability template fields supported
- Relationship Management: Automatic handling of categories and project type assignments
Vulnerability Templates API
Vulnerability templates are reusable finding templates that can be used to quickly create findings in projects.
List Vulnerability Templates
Get all vulnerability templates.

```http
GET /api/v1/templates/vulnerabilities
```

Response:

```json
{
  "success": true,
  "data": [
    {
      "id": 15,
      "title": "SQL Injection Template",
      "description": "Template for SQL injection vulnerabilities",
      "impact": "High",
      "probability": "Medium",
      "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "cvss_score": 8.1,
      "poc": "1. Navigate to vulnerable parameter\n2. Inject SQL payload\n3. Observe database error",
      "risks": "Data breach, authentication bypass",
      "remediation": "Use parameterized queries",
      "categories": [
        { "id": 1, "name": "Injection Attacks" }
      ],
      "created_at": "2024-03-15T10:30:00Z"
    }
  ],
  "total": 1
}
```

Get Vulnerability Template
Get a specific vulnerability template.

```http
GET /api/v1/templates/vulnerabilities/{template_id}
```

Response:

```json
{
  "success": true,
  "data": {
    "id": 15,
    "title": "SQL Injection Template",
    "description": "Comprehensive template for SQL injection vulnerabilities",
    "impact": "High",
    "probability": "Medium",
    "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
    "cvss_score": 8.1,
    "poc": "1. Identify injection point\n2. Test with basic payloads\n3. Exploit with advanced techniques",
    "risks": "Complete database compromise, data exfiltration, authentication bypass",
    "remediation": "1. Use parameterized queries\n2. Implement input validation\n3. Apply principle of least privilege",
    "extra_fields": {
      "cwe_id": "CWE-89",
      "owasp_category": "A03:2021"
    },
    "categories": [
      { "id": 1, "name": "Injection Attacks" }
    ],
    "project_types": [
      { "id": 1, "name": "Web Application" }
    ],
    "created_at": "2024-03-15T10:30:00Z",
    "updated_at": "2024-03-15T11:45:00Z"
  }
}
```

Create Vulnerability Template
Create a new vulnerability template.

```http
POST /api/v1/templates/vulnerabilities
```

Request Body:

```json
{
  "title": "Cross-Site Scripting (XSS) Template",
  "description": "Template for XSS vulnerabilities",
  "impact": "Medium",
  "probability": "High",
  "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
  "cvss_score": 6.1,
  "poc": "1. Find reflection point\n2. Test with basic XSS payload\n3. Bypass filters if present",
  "risks": "Session hijacking, credential theft, malicious content injection",
  "remediation": "1. Implement proper output encoding\n2. Use Content Security Policy\n3. Validate all user input",
  "extra_fields": {
    "cwe_id": "CWE-79",
    "owasp_category": "A03:2021"
  },
  "categories": [2, 3],
  "project_types": [1]
}
```

Update Vulnerability Template
Update an existing vulnerability template.

```http
PUT /api/v1/templates/vulnerabilities/{template_id}
```

Delete Vulnerability Template
Delete a vulnerability template.

```http
DELETE /api/v1/templates/vulnerabilities/{template_id}
```

Import Vulnerability Templates from CSV
Import multiple vulnerability templates from a CSV file.

```http
POST /api/v1/templates/vulnerabilities/import-csv
```

Request:

- Content-Type: `multipart/form-data`
- Body: form data with a `file` field containing the CSV file

Response:

```json
{
  "success": true,
  "message": "CSV import completed. 5 templates imported, 1 errors.",
  "data": {
    "success_count": 5,
    "error_count": 1,
    "errors": [
      {
        "row": 3,
        "error": "Invalid impact level: extreme",
        "data": {...}
      }
    ],
    "imported_templates": [
      { "row": 2, "id": 16, "title": "SQL Injection Template" }
    ]
  }
}
```

Get Vulnerability Templates CSV Field Mapping
Get information about the required CSV format for vulnerability templates.

```http
GET /api/v1/templates/vulnerabilities/csv/field-mapping
```

Response:

```json
{
  "success": true,
  "data": {
    "field_mapping": {
      "title": "Template title/name",
      "description": "Detailed description of the vulnerability",
      "impact": "Impact level (Informational|Low|Medium|High|Critical)",
      "probability": "Probability level (Informational|Low|Medium|High|Critical)",
      "cvss": "CVSS vector string",
      "cvss_score": "CVSS score (0-10)",
      "poc": "Proof of concept steps",
      "risks": "Risk assessment and business impact",
      "remediation": "Remediation steps and recommendations",
      "categories": "Comma-separated vulnerability category IDs",
      "project_types": "Comma-separated project type IDs",
      "extra_fields": "JSON object with custom fields"
    },
    "sample_csv": "title,impact,probability,description,poc,risks,remediation,cvss,cvss_score,categories,project_types,extra_fields\n..."
  }
}
```

Vulnerability Templates CSV Format
The CSV import system is flexible and case-insensitive, supporting multiple field name formats and automatic detection of extra fields.

Required Fields:

- `title` (case-insensitive: `Title`, `TITLE`, etc.) - Template name

Standard Fields (all optional and case-insensitive):

- `description` - Detailed description
- `impact` - Impact level: `Informational`, `Low`, `Medium`, `High`, `Critical`
- `probability` - Probability level: `Informational`, `Low`, `Medium`, `High`, `Critical`
- `cvss` - CVSS vector string
- `cvss_score` (or `cvss score`) - CVSS score (0-10)
- `poc` (or `proof of concept`) - Proof of concept steps
- `risks` - Risk assessment
- `remediation` - Remediation guidance
- `http_excerpts` (or `http excerpts`) - HTTP request/response examples
- `categories` - Comma-separated category IDs
- `project_types` (or `project types`) - Comma-separated project type IDs

Extra Fields (automatic detection):

Any field not in the standard list above is automatically stored in the `extra_fields` JSON column. This includes:

- Custom fields like `References`, `CWE_ID`, `OWASP_Category`
- Fields defined in your PentestPad instance's extra fields configuration
- Any other custom columns you add to your CSV

Case-Insensitive Support: All field names are matched case-insensitively. These all work the same way:

- `title,description,impact` ✓
- `Title,Description,Impact` ✓
- `TITLE,DESCRIPTION,IMPACT` ✓
- `Title,description,IMPACT` ✓

Sample CSV with Extra Fields:

```csv
title,description,impact,probability,cvss,poc,risks,remediation,References,CWE_ID,categories,project_types
"SQL Injection Template","SQL injection vulnerability template",High,Medium,"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","1. Find injection point\n2. Test payloads\n3. Exploit database","Data breach, authentication bypass","Use parameterized queries","https://owasp.org/www-community/attacks/SQL_Injection","CWE-89","1,2","1"
"XSS Template","Cross-site scripting template",Medium,High,"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","1. Find reflection\n2. Test XSS payload","Session hijacking, data theft","Implement output encoding","https://owasp.org/www-community/attacks/xss/","CWE-79","2,3","1"
```

How Extra Fields Work:

- The `References` and `CWE_ID` columns are automatically stored in the `extra_fields` JSON
- The resulting template will have `{"References": "https://owasp.org/...", "CWE_ID": "CWE-89"}`
- There is no need to format them as JSON by hand; the system handles this automatically
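As an added pre-flight check (hypothetical helper code, not PentestPad's own), the following JavaScript applies the rules this section documents (case-insensitive headers and their aliases, the allowed impact/probability levels, the required `title`, and unknown columns landing in `extra_fields`) to a CSV before upload, so rows the import would reject are caught locally; it also covers the header-case variants shown in the Examples section below. It assumes level values are matched case-insensitively, and the sample CSV is constructed.

```javascript
const SAMPLE_CSV = [ // constructed sample; row 3 carries the bad impact value from the docs' error example
  'Title,Description,Impact,Proof Of Concept,CWE_ID,categories',
  '"SQL Injection Template","SQL injection template",High,"1. Find injection point","CWE-89","1,2"',
  '"XSS Template","Cross-site scripting template",Extreme,"1. Find reflection","CWE-79","2,3"',
].join('\n');
const STANDARD = ['title', 'description', 'impact', 'probability', 'cvss', 'cvss_score',
  'poc', 'risks', 'remediation', 'http_excerpts', 'categories', 'project_types'];
const ALIASES = new Map([['proof of concept', 'poc'], ['cvss score', 'cvss_score'],
  ['http excerpts', 'http_excerpts'], ['project types', 'project_types']]);
const LEVELS = ['Informational', 'Low', 'Medium', 'High', 'Critical'];
// Minimal CSV line parser: quoted fields, "" escapes, commas inside quotes.
function parseCsvLine(line) {
  const out = []; let cur = '', inQuotes = false;
  for (let i = 0; i < line.length; i++) {
    const c = line[i];
    if (c === '"' && inQuotes && line[i + 1] === '"') { cur += '"'; i++; }
    else if (c === '"') inQuotes = !inQuotes;
    else if (c === ',' && !inQuotes) { out.push(cur); cur = ''; }
    else cur += c;
  }
  return [...out, cur];
}
// Case-insensitive header match; null means an unknown column that becomes an extra field.
function canonical(header) {
  const h = header.trim().toLowerCase();
  return STANDARD.includes(h) ? h : (ALIASES.get(h) ?? null);
}
// Record the import would store for one data row, plus the errors it would report.
function rowToTemplate(headers, values) {
  const tpl = { extra_fields: {} }, errors = [];
  headers.forEach((h, i) => {
    const key = canonical(h), v = values[i] ?? '';
    if (key === null) tpl.extra_fields[h.trim()] = v;
    else if (key === 'categories' || key === 'project_types')
      tpl[key] = v ? v.split(',').map(s => Number(s.trim())) : [];
    else tpl[key] = v;
  });
  if (!tpl.title) errors.push('Missing required field: title');
  for (const f of ['impact', 'probability']) {
    if (!tpl[f]) continue;
    const lvl = LEVELS.find(l => l.toLowerCase() === tpl[f].toLowerCase()); // assumption: values are case-insensitive
    if (lvl) tpl[f] = lvl; else errors.push(`Invalid ${f} level: ${tpl[f]}`);
  }
  return { template: tpl, errors };
}
// Check a whole file; data rows are numbered from 2 like the import response (row 1 is the header).
function checkCsv(text) {
  const [head, ...rows] = text.split(/\r?\n/).filter(l => l.trim() !== '').map(parseCsvLine);
  return rows.map((vals, i) => ({ row: i + 2, ...rowToTemplate(head, vals) }));
}
```

Running `checkCsv(SAMPLE_CSV)` reports row 2 as clean, with `CWE_ID` moved into `extra_fields` and `Proof Of Concept` mapped to `poc`, and flags row 3 with an invalid impact level before any request is sent.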
Executive Summary Templates API
Executive summary templates are used for generating executive summaries in reports.
List Executive Summary Templates
Get all executive summary templates.

```http
GET /api/v1/templates/executive
```

Response:

```json
{
  "success": true,
  "data": [
    {
      "id": 5,
      "name": "Standard Web App Assessment",
      "content": "This executive summary provides an overview of the security assessment conducted on the web application...",
      "template_type": "executive_summary",
      "project_types": [
        { "id": 1, "name": "Web Application" }
      ],
      "created_at": "2024-03-15T10:30:00Z"
    }
  ],
  "total": 1
}
```

Get Executive Summary Template
Get a specific executive summary template.

```http
GET /api/v1/templates/executive/{template_id}
```

Create Executive Summary Template
Create a new executive summary template.

```http
POST /api/v1/templates/executive
```

Request Body:

```json
{
  "name": "Mobile App Assessment Summary",
  "content": "This executive summary outlines the security assessment findings for the mobile application...",
  "template_type": "executive_summary",
  "project_types": [2]
}
```

Update Executive Summary Template
Update an existing executive summary template.

```http
PUT /api/v1/templates/executive/{template_id}
```

Delete Executive Summary Template
Delete an executive summary template.

```http
DELETE /api/v1/templates/executive/{template_id}
```

Import Executive Summary Templates from CSV
Import multiple executive summary templates from a CSV file.

```http
POST /api/v1/templates/executive/import-csv
```

Request:

- Content-Type: `multipart/form-data`
- Body: form data with a `file` field containing the CSV file
Get Executive Summary Templates CSV Field Mapping
Get information about the required CSV format for executive summary templates.

```http
GET /api/v1/templates/executive/csv/field-mapping
```

Executive Summary Templates CSV Format
Required Fields:

- `name` - Template name
- `content` - Executive summary content
Optional Fields:
- `template_type` - Template type (defaults to `executive_summary`)
- `project_types` - Comma-separated project type IDs
Sample CSV:
```csv
name,content,template_type,project_types
"Web Application Executive Summary","This executive summary provides a comprehensive overview of the web application security assessment...","executive_summary","1"
"Mobile App Executive Summary","This summary outlines the security posture of the mobile application...","executive_summary","2"
"Network Assessment Summary","The network penetration test revealed several critical vulnerabilities...","executive_summary","3"
```

Examples
Import Vulnerability Templates with Standard Fields

```bash
curl -X POST \
  -H "Authorization: Bearer your_api_key" \
  -F "file=@vulnerability_templates.csv" \
  https://your-instance.pentestpad.com/api/v1/templates/vulnerabilities/import-csv
```

Example CSV file (vulnerability_templates.csv):

```csv
title,description,impact,probability,cvss,poc,risks,remediation,categories,project_types
"SQL Injection","SQL injection in login form",High,Medium,"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","1. Go to /login\n2. Enter ' OR 1=1 --","Database compromise","Use prepared statements","1,2","1"
"XSS Vulnerability","Reflected XSS in search",Medium,High,"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","1. Enter <script>alert(1)</script>","Session hijacking","Sanitize input","2,3","1"
```

Import with Extra Fields (Automatic Detection)
Example CSV with custom fields:

```csv
Title,Description,Impact,References,CWE_ID,OWASP_Category,Custom_Field,categories
"SQL Injection Template","SQL injection vulnerability",High,"https://owasp.org/www-community/attacks/SQL_Injection","CWE-89","A03:2021 - Injection","Custom Value","1,2"
"XSS Template","Cross-site scripting vulnerability",Medium,"https://owasp.org/www-community/attacks/xss/","CWE-79","A03:2021 - Injection","Another Value","2,3"
```

Result: The `References`, `CWE_ID`, `OWASP_Category`, and `Custom_Field` columns are automatically stored in the `extra_fields` JSON:

```json
{
  "extra_fields": {
    "References": "https://owasp.org/www-community/attacks/SQL_Injection",
    "CWE_ID": "CWE-89",
    "OWASP_Category": "A03:2021 - Injection",
    "Custom_Field": "Custom Value"
  }
}
```

Case-Insensitive Headers Example
All these CSV formats will work identically:

```csv
# Lowercase
title,description,impact,proof of concept
"SQL Injection","Description here",High,"PoC steps"

# Title Case
Title,Description,Impact,Proof Of Concept
"SQL Injection","Description here",High,"PoC steps"

# Mixed Case
TITLE,description,IMPACT,poc
"SQL Injection","Description here",High,"PoC steps"
```

Import Executive Summary Templates
```bash
curl -X POST \
  -H "Authorization: Bearer your_api_key" \
  -F "file=@executive_templates.csv" \
  https://your-instance.pentestpad.com/api/v1/templates/executive/import-csv
```

Get Field Mapping Information
Section titled “Get Field Mapping Information”# Vulnerability templates field mappingcurl -H "Authorization: Bearer your_api_key" \ https://your-instance.pentestpad.com/api/v1/templates/vulnerabilities/csv/field-mapping
# Executive summary templates field mappingcurl -H "Authorization: Bearer your_api_key" \ https://your-instance.pentestpad.com/api/v1/templates/executive/csv/field-mappingJavaScript Example with Error Handling
Section titled “JavaScript Example with Error Handling”// Import vulnerability templates with flexible CSVconst formData = new FormData();formData.append('file', csvFile);
try { const importResult = await fetch('/api/v1/templates/vulnerabilities/import-csv', { method: 'POST', headers: { 'Authorization': 'Bearer your_api_key' }, body: formData }).then(r => r.json());
console.log(`✅ Imported ${importResult.data.success_count} templates`);
if (importResult.data.error_count > 0) { console.log(`⚠️ ${importResult.data.error_count} errors occurred:`); importResult.data.errors.forEach(error => { console.log(`Row ${error.row}: ${error.message}`); }); }
// Show successfully imported templates importResult.data.imported_templates.forEach(template => { console.log(`✓ Row ${template.row}: ${template.title}`); });
} catch (error) { console.error('Import failed:', error);}Response Examples
Successful Import:

```json
{
  "success": true,
  "message": "CSV import completed. 2 vulnerability templates imported, 0 errors.",
  "data": {
    "success_count": 2,
    "error_count": 0,
    "errors": [],
    "imported_templates": [
      {
        "row": 2,
        "uuid": "123e4567-e89b-12d3-a456-426614174000",
        "title": "SQL Injection Template"
      },
      {
        "row": 3,
        "uuid": "987fcdeb-51a2-43d7-8765-987654321000",
        "title": "XSS Template"
      }
    ]
  }
}
```

Import with Errors:

```json
{
  "success": true,
  "message": "CSV import completed. 1 vulnerability templates imported, 1 errors.",
  "data": {
    "success_count": 1,
    "error_count": 1,
    "errors": [
      {
        "row": 3,
        "message": "Invalid impact value. Must be one of: Informational, Low, Medium, High, Critical",
        "data": ["XSS Template", "Description", "Extreme", ...]
      }
    ],
    "imported_templates": [
      {
        "row": 2,
        "uuid": "123e4567-e89b-12d3-a456-426614174000",
        "title": "SQL Injection Template"
      }
    ]
  }
}
```

Template Usage
Templates created via this API can be used to:
- Create Findings - Use vulnerability templates to quickly create findings in projects
- Generate Reports - Use executive summary templates in report generation
- Standardize Process - Ensure consistency across different projects and team members