urlscan.io Result API Reference v1
Last updated: 2021-01-26
The Result API allows retrieving the metadata generated by each scan. The metadata is a JSON object with different top-level keys. Some of the information in the object is redundant and only repeated for convenience. The best way to explore the available data in the Result API is to perform a scan and look at its API output.
Result API Fields
The Result API returns a JSON object for each scan which has the following top-level keys:
- task
- Information about the submission: Time, method, options, links to screenshot/DOM
- page
- High-level information about the page: Geolocation, IP, PTR
- lists
- Lists of domains, IPs, URLs, ASNs, servers, hashes
- data
- All of the requests/responses, links, cookies, messages
- meta
- Processor output: ASN, GeoIP, AdBlock, Google Safe Browsing
- stats
- Computed stats (by type, protocol, IP, etc.)
- verdicts
- Verdicts about malicious content, with subkeys urlscan, engines, community.
You will notice that some fields are purely derivative (like the stats and lists) and made for easy consumption while other fields carry the raw data such as the "data" and "task" fields. The following is not a comprehensive list of all fields and sub-keys but should give you a good idea about where to look for what piece of information.
| Field Name | Type | Notes / Possible Values |
|---|---|---|
| task.uuid | UUIDv4 | The unique ID of the scan |
| task.time | ISO-8601 timestamp | Time the scan was created |
| task.url | URL (String) | The URL that was tasked |
| task.visibility | String | Visibility of the task |
| task.method | String | The method of how the URL was tasked (api or manual or automatic) |
| task.tags | [String] | User-supplied tags submitted during submission |
| task.options | Object | Options supplied to the scan (not standardised yet) |
| page.url | URL (String) | The URL of the "primary request", i.e. the HTML document loaded last after all redirects |
| page.domain | String | Hostname from page.url |
| page.ip | IPv4 / IPv6 | IP contacted for the primary request |
| page.ptr | IPv4 / IPv6 | DNS PTR record for the primary IP |
| page.country | String | GeoIP Country Information about the IP contacted for the primary request |
| page.city | String | GeoIP City Information about the IP contacted for the primary request |
| page.server | String | HTTP "Server" header of the primary request response |
| page.asn | String | AS (Autonomous System) number of the primary IP |
| page.asnname | String | AS (Autonomous System) name of the primary IP |
| data.requests | [Object] | Individual HTTP transactions during page navigation (+ metadata) |
| data.cookies | [Object] | Cookies set by the page with associated metadata |
| data.console | [Object] | Console messages during page navigation |
| data.links | [Object] | Links and link text contained on the fully loaded page |
| data.timing | Object | Timing entries for various lifecycle events |
| data.globals | [Object] | JavaScript non-standard global variable names and types on the fully loaded page |
| meta.processors.geoip.data | [Object] | GeoIP annotation for every IP contacted during page navigation |
| meta.processors.asn.data | [Object] | IP ASN annotation for every IP contacted during page navigation |
| meta.processors.rdns.data | [Object] | DNS PTR records for every hostname contacted during page navigation |
| meta.processors.wappa.data | [Object] | Wappalyzer technology detection for fully loaded page |
| lists.ips | [IPv4/IPv6] | IPs contacted |
| lists.countries | [ISO-3166] | GeoIP country of IPs contacted |
| lists.ips | [IPv4/IPv6] | IPs contacted |
| lists.asns | [Integer] | AS Numbers contacted |
| lists.domains | [String] | Hostnames contacted |
| lists.server | [String] | Unique HTTP "Server" headers of responses |
| lists.urls | [URL] | URLs requested |
| lists.linkDomains | [String] | Unique hostnames of links |
| lists.certificates | [Object] | TLS Certificates of responses |
| lists.hashes | [String] | SHA256s hashes of HTTP response bodies |
| verdicts.urlscan.score | Integer | Maliciousness score (0-100) |
| verdicts.urlscan.categories | [String] | Maliciousness categories (e.g. "phishing") |
| verdicts.urlscan.brands | [Object] | Brand detections |
| verdicts.urlscan.brands[].key | String | Brand key |
| verdicts.urlscan.brands[].name | String | Brand name |
| verdicts.urlscan.brands[].country | [String] | Brand countries (ISO-3166) |
| verdicts.urlscan.brands[].vertical | [String] | Brand industry verticals |