Introduction into Wifi Pineapple API

After short time you might come to the idea to control your Wifi Pineapple via terminal only. Luckily the developers provided an API. There is already a Python wrapper available. But why not easily using curl and jq?


Learn how to setup and use (via curl) the Wifi Pineapple API.


jq installed (latest)


If not done already, you need to create a API token. To do so, open “Advanced” section – insert a token name and press button “Generate”.

Wifi Pineapple generate API token

The curl commands can be very long and unhandy. To make it a little easier to use, you should save and use the very long token (and header) as a variables ($TOKEN and $HEADER).

# create token variable
$ TOKEN="458aef505b17d0e954f95419c8da0df1047529708787bb04b15362bc3ecaa6e19e22d8bf2378293275c0e9ce6af62ef0e00691ec24aaa7309e6b9923067177af"

$ HEADER='-H "Content-type: application/json"'

# create a first simple nothification
$ curl -s -X POST  $HEADER -d '{"system": "notifications", "action": "addNotification", "message": "my first notification", "apiToken": "'$TOKEN'"}'

As the Wifi Pineapple use an well known prefix we cannot use jq directly! So we need to remove the prefix from our output. Now create a new variable and pipe the output through sed. In my case the following characters are used as response prefix “)]}’,“.

# create prefix variable
$ PREF=")]}',"

# create a second simple nothification (incl. sed and jq)
$ curl -s -X POST  $HEADER -d '{"system": "notifications", "action": "addNotification", "message": "my second notification", "apiToken": "'$TOKEN'"}' | sed -e "s/^$PREF//" | jq .

If everything was working well, the terminal output will be pretty-printed (via jq) and you should be able to see both notifications (Browser UI).

Wifi Pineapple notifications via API

API examples

The online API documentation is very good described. However, to give you a better start, a few examples are shown below.

# get current version of Wifi Pineapple
$ curl -s -X POST $HEADER -d '{"module": "Advanced", "action": "getCurrentVersion", "apiToken": "'$TOKEN'"}' | sed -e "s/^$PREF//" | jq .

# get current time zone of Pineapple
$ curl -s -X POST $HEADER -d '{"module": "Configuration", "action": "getCurrentTimeZone", "apiToken": "'$TOKEN'"}' | sed -e "s/^$PREF//" | jq .

# check available module storages
$ curl -s -X POST $HEADER -d '{"module": "ModuleManager", "action": "checkDestination", "apiToken": "'$TOKEN'"}' | sed -e "s/^$PREF//" | jq .

# get installed modules
$ curl -s -X POST $HEADER -d '{"module": "ModuleManager", "action": "getInstalledModules", "apiToken": "'$TOKEN'"}' | sed -e "s/^$PREF//" | jq .

I think you’ve got it. In similar way you can use the API for “Recon”, “Logging”, “Networking” and so on.

CURL visualization via httpstat

CURL is awesome … but sometimes the feature for visualization of statistics is missing. Exactly here helps httpstat as an wrapper.

httpstat is available for different languages:

Prepare project

Since I am a Python lover I will also work with my favorite language provided by Xiao Meng. It’s a single file with no dependencies and compatible to Python 2.7 and 3.

# create project folder
$ mkdir -p ~/Projects/httpstat && cd ~/Projects/httpstat

# download python script
$ curl -C - -O

# change file permission
$ chmod u+x

Usage examples

# show help
$ python --help

# show simple GET statistics
$ python -k

# show html body (truncated)
$ export HTTPSTAT_SHOW_BODY=true
$ python -k

# show download and upload speed
$ python -k

Note: httpstat has a bunch of environment variables, please use help!

The power of cURL for software tester

One of my favorite language for testing is cURL. As soon as I have to do with RESTful applications or simple HTTP, it’s my first choice. Here I show only a small selection of cURL options.

Basic examples:

Basic HTTP Get request

$ curl http://example.tld


# Basic unix output redirection
$ curl http://example.tld > index.html

# Filename provided by command line
$ curl -o byname.html http://example.tld

# Filename provided by URL
$ curl -O http://example.tld/lorem/ipsum.html

# Multiple files
$ curl -O http://example.tld/lorem/ipsum.html -O http://example.tld/dolor/sit.html

Follow redirects

$ curl -L http://example.tld

HTTP referer

$ curl -e http://example.tld

Resumed transfer offset (continue download)

$ curl -C -O http://example.tld/lorem/ipsum.html

Show response header

$ curl -I http://example.tld

Change request method

# default is GET
$ curl http://example.tld

# force GET
$ curl -G http://example.tld

$ curl -X POST http://example.tld
$ curl -X PUT http://example.tld
$ curl -X DELETE http://example.tld

Set request headers

# JSON content type
$ curl -H "Content-Type: application/json" http://example.tld

# Accept-Language
$ curl -H "Accept-Language: de-DE" http://example.tld

Advanced examples:

Send a JSON request

$ curl -X PUT -H 'Content-Type: application/json' -d '{"firstName":"Max", "lastName":"Muster"}' http://example.tld

Use a file with JSON content

$ curl -X PUT -H 'Content-Type: application/json' -d @myfile.json http://example.tld

Specify HTTP multipart POST data (JSON and image)

$ curl -X POST \
-H 'Content-Type: multipart/form-data' \
-F "userData=@myfile.json;type=application/json" \
-F profilePicture=@image.jpg \

Write output (show status and time total)

# Time total
$ curl -o /dev/null -s -w %{time_total}\\n  http://example.tld

# Status code and time total
$ curl -o /dev/null -s -w %{http_code}:%{time_total}\\n  http://example.tld

Simple server authentication

$ curl -u username:password http://example.tld


# FTP (root folder)
$ curl ftp://username:password@example.tld

# FTP (specific folder)
$ curl -u username:password ftp://example.tld/textfiles/

# FTP upload (specific folder)
$ curl -T myfile.txt -u username:password ftp://example.tld/textfiles/myfile.txt

# FTP delete (root folder)
$ curl -X 'DELE myfile.txt' -u username:password ftp://example.tld

Ignore SSL certificate error

$ curl -k https://example.tld

For more information see help and man pages!!!!