API reference
103 endpoints across 9 services. Every otter speaks JSON over HTTP on
loopback. Pass your API key as X-API-Key or
Authorization: Bearer <key>. Demo mode redacts
third-party scan output without disabling the endpoint.
Conventions
- Bind: loopback by default. Edit romp.json to expose externally, but read the AUP first.
- Auth: X-API-Key header. Generate one with romp api-key new.
- Targets: most active probes refuse RFC1918 / loopback unless ROMP_ALLOW_PRIVATE_TARGETS=1. Cloud-metadata IPs (169.254.169.254) are blocked regardless.
- Errors: { "error": "human-readable", "code": "MACHINE_READABLE" } with HTTP 4xx / 5xx.
- Async: long-running scans return { jobId }; poll /api/jobs/:id.
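The target gate described under Targets, as an added sketch that is not the project's own code: every address a hostname resolves to is classified before a probe runs, and the metadata address is refused even when the override is set. The function names and the error `code` values are hypothetical; only the envelope shape, the environment variable and the metadata IP come from this page.

```python
import ipaddress
import os

# The cloud-metadata address the page names; refused regardless of the override.
METADATA = {ipaddress.ip_address("169.254.169.254")}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(addr):
    """Return 'metadata', 'loopback', 'private' or 'public' for one IP string."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so it cannot sidestep the v4 rules.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if ip in METADATA:
        return "metadata"
    if ip.is_loopback:
        return "loopback"
    if ip.version == 4 and any(ip in net for net in RFC1918):
        return "private"
    return "public"


def check_target(resolved_addrs, env=None):
    """Return None if a probe may run, else an error envelope.

    resolved_addrs: every address the target resolved to (check them all, since
    one hostname can return a public and a private record together).
    The code values are hypothetical; the page does not list its error codes.
    """
    env = os.environ if env is None else env
    allow_private = env.get("ROMP_ALLOW_PRIVATE_TARGETS") == "1"
    kinds = [classify(a) for a in resolved_addrs]
    if "metadata" in kinds:
        return {"error": "cloud-metadata address is always blocked",
                "code": "METADATA_TARGET"}
    if not allow_private and any(k in ("loopback", "private") for k in kinds):
        return {"error": "private or loopback target refused",
                "code": "PRIVATE_TARGET"}
    return None
```

The check has to run on resolved addresses at connection time, not on the hostname string, or a DNS answer that changes between validation and use bypasses it.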
Red Otter — :4000
| Method · Path | Purpose |
| --- | --- |
| GET /api/dns?target=... | A/AAAA/MX/NS/TXT + DNSSEC. |
| GET /api/ssl?host=... | Cert chain, ciphers, expiry. |
| GET /api/headers-analyze?url=... | Security-header scoring. |
| GET /api/http-inspect?url=... | Status, redirects, server fingerprint. |
| GET /api/ip-lookup?target=... | Geo, ASN, reverse PTR. |
| GET /api/ping?target=... | RTT, packet loss. |
| GET /api/traceroute?target=... | Hop path. |
| POST /api/portscan | TCP top-1000. |
| POST /api/subdomain | Wordlist subdomain enum (wordlistFile or wordlist array). |
| POST /api/subtakeover | 20 service-fingerprint takeover detection. |
| GET /api/cve-check?target=... | Server-version → curated CVE map. |
| POST /api/wayback-urls | CDX historical URL ingest. |
| GET /api/local-net | LAN discovery (gated). |
Blue Otter — :4600
| Method · Path | Purpose |
| --- | --- |
| POST /api/crawl | Spider URL + form inventory. |
| POST /api/form-scan | Classify forms (login, search, upload, …). |
| POST /api/cors-check | CORS misconfig probe. |
| POST /api/methods-check | Allowed-method enumeration. |
| POST /api/redirects-check | Open-redirect probes. |
| POST /api/info-disclosure | .git / .env / source-map / backup-file leaks. |
| POST /api/js-secrets | JS bundle secret extraction (12 patterns). |
| POST /api/graphql-probe | GraphQL introspection + dangerous mutations flag. |
| POST /api/ratelimit-test | Burst N, detect throttle. |
Yellow Otter — :4300
Parameter / header fuzzing engines. Pair with Blue's crawl output.
Black Otter — :4200
| Method · Path | Purpose |
| --- | --- |
| POST /api/sqli-probe | SQL injection across params. |
| POST /api/xss-probe | Reflected + stored XSS. |
| POST /api/cmdi-probe | Command-injection. |
| POST /api/traversal-probe | Path-traversal payloads. |
| POST /api/dir-enum | 50K-entry directory enumeration. |
| POST /api/cred-brute | HTTP-basic / form-login brute. |
| POST /api/jwt-inspect | Decode + flag + HMAC-bruteforce. |
| POST /api/header-injection | Host / x-forwarded-* injection probes. |
| POST /api/ssl-active | Heartbleed / BEAST / POODLE / ROBOT. |
| POST /api/ssti-probe | Server-side template injection. Three-stage detection: arithmetic confirmation (7×7 / 8×8 / 9×9), engine fingerprint (Jinja2, Twig, Freemarker, Velocity, Mako, ERB, Smarty), structured finding via alertBus. |
| POST /api/ssrf-probe | Server-side request forgery. Track A: cloud-metadata canaries (AWS / GCP / Azure / Alibaba IMDS) plus loopback service-banner detection (Tomcat / Jenkins / Spring / Elasticsearch / Redis), baseline-diff suppression. Track B: time-based blind detection against unreachable RFC1918. Param hints exposed for client-side iteration. |
White Otter — :4400
| Method · Path | Purpose |
| --- | --- |
| GET /api/alerts | Open alerts across the pack. |
| GET /api/alerts/:id | Single finding detail. |
| GET /api/alerts/:id/report | HackerOne / Bugcrowd-format markdown. |
| POST /api/alerts/:id/ack | Mark acknowledged. |
| POST /api/alerts/:id/note | Add a note. |
Grey Otter — :4500
| Method · Path | Purpose |
| --- | --- |
| POST /api/full-audit | Composite host audit. |
| GET /api/os-info | OS + kernel. |
| GET /api/user-audit | Sudoers / weak-shell / no-pass accounts. |
| GET /api/ssh-audit | sshd_config audit. |
| GET /api/file-permissions | SUID / world-writable. |
| GET /api/service-audit | Listening services. |
| GET /api/cron-audit | Cron job sanity. |
| GET /api/package-audit | Installed-pkg CVEs. |
| GET /api/firewall-audit | iptables / ufw rules. |
| GET /api/sysctl-audit | Kernel hardening. |
Green Otter — :4700
Runtime monitor. Posts to White's alert bus when state drifts.
Stateful — keeps a baseline file at
/var/lib/romp/green/baseline.json.
Orange Otter — :4800
| Method · Path | Purpose |
| --- | --- |
| POST /api/baseline | Snapshot file hashes + perms. |
| POST /api/verify | Diff current state vs baseline. |
| POST /api/backup | AES-256-GCM encrypted tar. |
| POST /api/restore | Verify + restore from backup. |
Cyber Guard Dog — :4100
| Method · Path | Purpose |
| --- | --- |
| GET /api/status | Pack health. |
| POST /api/full-scan | Run every otter, aggregate results. |
| GET /api/full-report | Full system report (markdown). |
| POST /api/api-key | Mint an API key. |
| GET /api/license | License + tier. |
Demo mode
Set demo.enabled: true in romp.json or
ROMP_DEMO_MODE=1 to wrap third-party scan responses and
replace target-identifying strings with [PROPRIETARY].
Counts and grades survive. Defensive otters (Grey, Green, Orange) are
never redacted because they target your own host.
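A sketch of the redaction behaviour described above, added here as an illustration and not taken from the project: strings naming the target (including its subdomains) become [PROPRIETARY], while numbers and grade letters pass through and defensive services are returned untouched. The wrapper shape, the service labels, the function names and the sample response are all constructed assumptions.

```python
import re

MARKER = "[PROPRIETARY]"
DEFENSIVE = {"grey", "green", "orange"}  # never redacted, per the page


def _target_pattern(target):
    # Match the target host and any subdomain of it, but not a longer
    # hostname that merely ends with the same letters (notexample.com).
    host = re.escape(target.lower())
    return re.compile(
        r"(?<![a-z0-9.-])(?:[a-z0-9-]+\.)*" + host + r"(?![a-z0-9-])",
        re.IGNORECASE,
    )


def _walk(value, pattern):
    if isinstance(value, str):
        return pattern.sub(MARKER, value)
    if isinstance(value, list):
        return [_walk(v, pattern) for v in value]
    if isinstance(value, dict):
        # Keys can carry hostnames too, so they are scrubbed as well.
        return {pattern.sub(MARKER, k): _walk(v, pattern)
                for k, v in value.items()}
    return value  # numbers, booleans, None: counts survive unchanged


def redact(service, target, payload):
    """Return payload as a demo-mode response for the given service."""
    if service in DEFENSIVE:
        return payload
    # Hypothetical wrapper; the page only says responses are "wrapped".
    return {"demo": True, "result": _walk(payload, _target_pattern(target))}


# Constructed sample response (field names are illustrative only).
SAMPLE = {
    "target": "example.com",
    "grade": "B",
    "missing": 3,
    "findings": [{"url": "https://api.example.com/login",
                  "header": "Content-Security-Policy"}],
}
```

Free-text fields that identify the target by something other than its hostname (an organisation name in a certificate subject, for instance) are not caught by a hostname pattern and need their own handling.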