Scoped Blackbox Assessments and Retests Now Available via Takumi API
Takumi's blackbox assessment now supports scoped assessments and retests via the Takumi API. Previously, these capabilities were only available through the web console.
- Scoped assessment: Crawl the target application first, then select specific features and perspectives to assess
- Retest: Re-run assessments targeting feature–perspective pairs where vulnerabilities were found in previous results
To support these workflows, we've made the following additions to the blackbox assessment API:
- A new crawl workflow (
blackbox-crawl) that discovers features in the target application without performing any assessment - New scoping options for the assessment workflow (
blackbox-assessment) that let you specify which features and perspectives to assess
Scoped Assessment
You can dispatch a scoped assessment in two steps:
- Dispatch the crawl workflow to discover features in the target application
- Select the features and perspectives you want to assess, then dispatch the assessment workflow
This is useful when you want to focus on high-priority areas or only assess features that were recently updated.
Dispatch the Crawl Workflow
Dispatch a crawl workflow as follows:
const { workflow_run_id: crawl_workflow_run_id } = await fetch(
`${TAKUMI_API}/v1/o/${TAKUMI_ORG}/workflows/blackbox-crawl/dispatch`,
{
method: "POST",
headers,
body: JSON.stringify({
input: {
language: "english",
target_urls: ["https://app.example/"],
},
notification: { webhook_endpoint_ids: [WEBHOOK_ID] },
}),
},
).then((r) => r.json());
Select Features and Dispatch the Assessment
Once the crawl completes, retrieve the discovered features. They are available as an artifact named features.
const featuresData = await fetch(
`${TAKUMI_API}/v1/o/${TAKUMI_ORG}/workflows/blackbox-crawl/get-artifact-download-url`,
{
method: "POST",
headers,
body: JSON.stringify({
workflow_run_id: crawl_workflow_run_id,
artifact_name: "features",
}),
},
)
.then((r) => r.json())
.then(({ url }) => fetch(url))
.then((r) => r.json());
for (const feature of featuresData.features) {
console.log("feature name:", feature.name); // => "authentication", "user_settings", "product_catalog", ...
console.log("feature description:", feature.description);
}
Choose the feature names (feature.name) and perspectives you want to assess, then dispatch the assessment workflow with the crawl workflow run's ID:
const { workflow_run_id: assessment_workflow_run_id } = await fetch(
`${TAKUMI_API}/v1/o/${TAKUMI_ORG}/workflows/blackbox-assessment/dispatch`,
{
method: "POST",
headers,
body: JSON.stringify({
input: {
language: "japanese",
target_urls: ["https://app.example/"],
// Reuse features discovered by the crawl workflow
resume: {
kind: "assess_crawled_features",
assess_crawled_features: {
workflow_id: "blackbox-crawl",
workflow_run_id: crawl_workflow_run_id,
},
},
// Specify which feature–perspective pairs to assess
pairs: [
{ feature_name: "authentication", perspective: "Injection" },
{ feature_name: "user_settings", perspective: "Authorization" },
{ feature_name: "product_catalog", perspective: "XSS" },
],
},
}),
},
).then((r) => r.json());
Retest
Blackbox assessment results include information about which feature and perspective each vulnerability was found in. After fixing a vulnerability, you can retest only the relevant feature–perspective pair instead of dispatching a full assessment.
First, retrieve the findings from a completed assessment by downloading the findings artifact:
const findingsData = await fetch(
`${TAKUMI_API}/v1/o/${TAKUMI_ORG}/workflows/blackbox-assessment/get-artifact-download-url`,
{
method: "POST",
headers,
body: JSON.stringify({
workflow_run_id: assessment_workflow_run_id,
artifact_name: "findings",
}),
},
)
.then((r) => r.json())
.then(({ url }) => fetch(url))
.then((r) => r.json());
for (const finding of findingsData.findings) {
console.log("title:", finding.title);
console.log("feature:", finding.feature_name); // => "authentication", "user_settings", ...
console.log("perspective:", finding.perspective); // => "Injection", "Authorization", ...
console.log("markdown description:", finding.description);
}
To retest after fixing a vulnerability, specify the feature name (finding.feature_name) and perspective (finding.perspective) from the findings. You also need to provide the previous assessment's workflow run ID so that the feature list can be reused.
const { workflow_run_id: assessment_workflow_run_id } = await fetch(
`${TAKUMI_API}/v1/o/${TAKUMI_ORG}/workflows/blackbox-assessment/dispatch`,
{
method: "POST",
headers,
body: JSON.stringify({
input: {
language: "japanese",
target_urls: ["https://app.example/"],
// Reuse the feature list from the previous assessment
resume: {
kind: "assess_crawled_features",
assess_crawled_features: {
workflow_id: "blackbox-assessment",
workflow_run_id: "TWR...", // workflow_run_id of the previous assessment
},
},
// Specify which feature–perspective pairs to retest
pairs: [{ feature_name: "authentication", perspective: "Injection" }],
},
}),
},
).then((r) => r.json());
Limitations
Scoped assessments and retests are only available for crawls and assessments dispatched via the Takumi API. Results from assessments run through the web console cannot be used with the API, because the Takumi API and the web console's assessment feature manage their data independently. For details, see Relationship with the Web Console's "Assessment" Feature in the API user guide.
Getting Started
See the API documentation for full details.