GitHub: AkashAswal5/web-vulnerability-scanner
# 🔒 Professional Web Vulnerability Scanner
A **professional-grade** web vulnerability scanner designed to identify security weaknesses in web applications. Built with enterprise-level architecture, comprehensive logging, rate limiting, and modern security practices.
## ✨ Professional Features
### 🔐 **Advanced Security Scanning**
- **SQL Injection Detection** - 18+ payload variants with error pattern matching
- **Cross-Site Scripting (XSS)** - 14+ XSS payload testing with context analysis
- **Security Headers Analysis** - Comprehensive header checking with risk scoring
- **Port Scanning** - Multi-threaded port detection with service identification
- **Vulnerability Risk Assessment** - Automatic risk level classification (Low/Medium/High/Critical)
### 🛡️ **Enterprise Security**
- ✅ Rate limiting (200/day, 50/hour)
- ✅ CSRF protection
- ✅ Security headers (CSP, HSTS, X-Frame-Options, etc.)
- ✅ Session management with secure cookies
- ✅ Password strength validation
- ✅ Input sanitization and validation
- ✅ Comprehensive audit logging
- ✅ Error handling and monitoring
### 📊 **Professional Architecture**
- Modern MVC pattern with blueprints
- Database ORM with SQLAlchemy
- RESTful API design
- Comprehensive logging system
- Environment-based configuration
- Modular and extensible codebase
### 👤 **User Management**
- Secure registration with password hashing (PBKDF2-SHA256)
- Session-based authentication
- User dashboard with statistics
- Scan history tracking
- Learning resources library
## 🚀 Quick Start
### One-Command Installation
```bash
git clone https://github.com/AkashAswal5/web-vulnerability-scanner.git
cd web-vulnerability-scanner
chmod +x setup.sh && ./setup.sh
./run.sh
```
Visit **http://localhost:5000** 🎉
## ⚠️ IMPORTANT: Python Version
- **Required**: Python 3.9 - 3.13
- **❌ NOT Compatible**: Python 3.14+ (has breaking changes)
- **✅ Recommended**: Python 3.12
If you're using Python 3.14, see [PYTHON_VERSION_FIX.md](PYTHON_VERSION_FIX.md) for instructions.
## 📋 Detailed Installation
### Prerequisites
- **Python 3.9, 3.10, 3.11, 3.12, or 3.13** (Python 3.12 recommended)
- pip package manager
- Virtual environment (recommended)
### Check Your Python Version
```bash
python3 --version
# Should show 3.9.x through 3.13.x
# If 3.14+, see PYTHON_VERSION_FIX.md
```
### Step-by-Step Setup
1. **Clone the Repository**
   ```bash
   git clone https://github.com/AkashAswal5/web-vulnerability-scanner.git
   cd web-vulnerability-scanner
   ```
2. **Create Virtual Environment**
   ```bash
   python3 -m venv venv
   # Activate on macOS/Linux
   source venv/bin/activate
   # Activate on Windows
   venv\Scripts\activate
   ```
3. **Install Dependencies**
   ```bash
   pip install --upgrade pip
   pip install -r requirements.txt
   ```
4. **Configure Environment**
   ```bash
   cp .env.example .env
   # Edit .env with your settings
   nano .env   # or use any text editor
   ```
5. **Run the Application**
   ```bash
   cd functionailty
   python app.py
   ```
The application will be available at `http://localhost:5000`
## 🎯 Usage Guide
### First Time Setup
1. **Register Account**
- Navigate to http://localhost:5000
- Click "Register"
- Create username and strong password (min 8 chars, uppercase, lowercase, number, special char)
- Submit registration
2. **Login**
- Use your credentials to login
- You'll be redirected to the dashboard
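The password rule above (min 8 chars, uppercase, lowercase, number, special char), together with the URL and IP/hostname validation used for scan targets, as working validators. This is an added example, not the project's own `utils/validators.py`; the special-character set, the hostname grammar and the rule that rejects credentials embedded in a URL are assumptions.

```python
"""Input validators for the registration and scan forms.

Added example, not the project's utils/validators.py. The password rule is
the one stated in this README (min 8 chars, uppercase, lowercase, number,
special char); the special-character set, hostname grammar and URL rules
are assumptions.
"""
import ipaddress
import re
from typing import List, Optional
from urllib.parse import urlsplit

# Assumed set of accepted "special" characters (the OWASP password special list).
SPECIAL_CHARS = set(" !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~")

# RFC 1123 style hostname: labels of 1-63 alphanumerics/hyphens, 253 chars in total.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)


def validate_password(password: str) -> List[str]:
    """Return the unmet requirements; an empty list means the password is acceptable."""
    problems = []
    if len(password) < 8:
        problems.append("at least 8 characters")
    if not any(c.isupper() for c in password):
        problems.append("an uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("a lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("a digit")
    if not any(c in SPECIAL_CHARS for c in password):
        problems.append("a special character")
    return problems


def validate_target_host(target: str) -> Optional[str]:
    """Accept an IPv4/IPv6 address or a DNS hostname (the port scanner's input).

    Returns the normalised value, or None when the input is not a host.
    """
    target = target.strip()
    try:
        return str(ipaddress.ip_address(target))  # canonical form, e.g. "::1"
    except ValueError:
        pass
    if HOSTNAME_RE.match(target):
        return target.lower()
    return None


def validate_scan_url(url: str) -> Optional[str]:
    """Accept only absolute http(s) URLs with a valid host and a sane port.

    Returns the stripped URL, or None when it should be rejected.
    """
    url = url.strip()
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None                       # no file://, javascript:, ftp:// ...
    if not parts.hostname or validate_target_host(parts.hostname) is None:
        return None
    if parts.username or parts.password:
        return None                       # credentials in a URL end up in logs
    try:
        port = parts.port                 # ValueError if non-numeric or > 65535
    except ValueError:
        return None
    if port == 0:
        return None
    return url
```

The validators return data (a list of problems, or a normalised value / `None`) rather than raising, so a form handler can show every unmet password requirement at once and the scanner routes can refuse a target before any request is sent.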
### Performing Scans
#### SQL Injection Scan
1. Go to Dashboard → SQL Injection Scanner
2. Enter target URL (e.g., http://testphp.vulnweb.com/artists.php?artist=1)
3. Click "Scan"
4. Review detailed results with vulnerabilities found
#### XSS Vulnerability Scan
1. Go to Dashboard → XSS Scanner
2. Enter target URL
3. Click "Scan"
4. Review XSS vulnerabilities with payload details
#### Security Headers Analysis
1. Go to Dashboard → Header Scanner
2. Enter target URL (e.g., https://example.com)
3. Click "Scan"
4. Review missing/present security headers with recommendations
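What the header scanner's "risk scoring" amounts to, as an added example that is not the project's own `utils/security_scanner.py`: each expected header earns full weight when present with a strong value, half weight when present but weak, and nothing when missing, and the total is mapped onto the Low/Medium/High/Critical levels the README uses. The set of seven headers, the weights and the thresholds are my assumptions (the README names only CSP, HSTS and X-Frame-Options); `SAMPLE_HEADERS` is constructed, not captured from any site.

```python
"""Security header analysis with risk scoring (added example).

Not the project's utils/security_scanner.py: the seven headers, weights and
risk thresholds are assumptions.
"""
import re
import urllib.error
import urllib.request
from typing import Dict, Optional

# (header, weight, recommended value, what it protects against) -- assumed set
CHECKS = [
    ("Strict-Transport-Security", 3, "max-age=31536000; includeSubDomains", "protocol downgrade"),
    ("Content-Security-Policy", 3, "default-src 'self'", "script injection impact (XSS)"),
    ("X-Frame-Options", 2, "DENY", "clickjacking"),
    ("X-Content-Type-Options", 2, "nosniff", "MIME sniffing"),
    ("Referrer-Policy", 1, "strict-origin-when-cross-origin", "URL leakage to third parties"),
    ("Permissions-Policy", 1, "camera=(), microphone=(), geolocation=()", "unneeded browser features"),
    ("Cache-Control", 1, "no-store", "caching of authenticated pages"),
]
MAX_SCORE = float(sum(weight for _, weight, _, _ in CHECKS))  # 13.0


def _weakness(name: str, value: str) -> Optional[str]:
    """Reason a present header is still weak, or None when its value is acceptable."""
    v = value.strip().lower()
    if name == "Strict-Transport-Security":
        m = re.search(r"max-age=(\d+)", v)
        if not m or int(m.group(1)) < 31536000:
            return "max-age shorter than one year"
    elif name == "Content-Security-Policy":
        if "'unsafe-inline'" in v or "'unsafe-eval'" in v:
            return "allows unsafe-inline or unsafe-eval"
    elif name == "X-Frame-Options":
        if v not in ("deny", "sameorigin"):
            return "value is neither DENY nor SAMEORIGIN"
    elif name == "X-Content-Type-Options":
        if v != "nosniff":
            return "value is not nosniff"
    elif name == "Referrer-Policy":
        if v in ("unsafe-url", "no-referrer-when-downgrade"):
            return "sends the full URL cross-origin"
    elif name == "Cache-Control":
        if "no-store" not in v:
            return "does not include no-store"
    return None


def analyze_headers(headers: Dict[str, str]) -> dict:
    """Score a response: full weight if strong, half if weak, nothing if missing."""
    present = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    score, findings = 0.0, []
    for name, weight, recommended, protects in CHECKS:
        value = present.get(name.lower())
        if value is None:
            status, gained = "missing", 0.0
        else:
            reason = _weakness(name, value)
            status, gained = (f"weak ({reason})", weight / 2) if reason else ("ok", float(weight))
        score += gained
        findings.append({"header": name, "status": status,
                         "recommended": recommended, "protects_against": protects})
    ratio = score / MAX_SCORE
    level = "Low" if ratio >= 0.85 else "Medium" if ratio >= 0.6 else "High" if ratio >= 0.3 else "Critical"
    return {"score": score, "max_score": MAX_SCORE, "risk_level": level, "findings": findings}


def fetch_headers(url: str, timeout: float = 10.0) -> Dict[str, str]:
    """Fetch a URL's response headers with the stdlib; error responses still carry headers."""
    req = urllib.request.Request(url, headers={"User-Agent": "header-check-example/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return dict(resp.headers.items())
    except urllib.error.HTTPError as err:
        return dict(err.headers.items())


# Constructed sample of a partly hardened response (not captured from any real site).
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Server": "nginx",
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    report = analyze_headers(SAMPLE_HEADERS)  # or analyze_headers(fetch_headers("https://example.com"))
    print(f"score {report['score']}/{report['max_score']} -> risk {report['risk_level']}")
    for f in report["findings"]:
        print(f"  {f['header']:<26} {f['status']:<42} recommended: {f['recommended']}")
```

The half-credit rule matters in practice: an HSTS header with a tiny `max-age`, or a CSP that allows `'unsafe-inline'`, is a common "we have the header" false reassurance, and a scanner that only tests presence would score it as fully fixed.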
#### Port Scanning
1. Go to Dashboard → Port Scanner
2. Enter target IP or hostname
3. Click "Scan"
4. Review open ports and services
## 📁 Project Structure
```text
web-vulnerability-scanner/
├── functionailty/              # Main application
│   ├── app.py                  # Main Flask application (Enhanced)
│   ├── config.py               # Configuration management
│   ├── models.py               # Database models
│   ├── blueprints/             # Application blueprints
│   │   ├── auth.py             # Authentication
│   │   └── scanner.py          # Scanning routes
│   ├── utils/                  # Utility modules
│   │   ├── security_scanner.py # Basic scanners
│   │   ├── advanced_scanner.py # Advanced scanners
│   │   └── validators.py       # Input validation
│   ├── templates/              # HTML templates
│   │   ├── errors/             # Error pages (404, 500, 429)
│   │   ├── auth/               # Auth templates
│   │   └── scanner/            # Scanner templates
│   ├── static/                 # Static files (CSS, JS)
│   └── logs/                   # Application logs
├── requirements.txt            # Python dependencies
├── .env.example                # Environment template
├── .gitignore                  # Git ignore rules
├── setup.sh                    # Automated setup
├── run.sh                      # Run script
└── README.md                   # This file
```
## ⚙️ Configuration
### Environment Variables (.env)
```ini
# Flask Configuration
FLASK_SECRET_KEY=your-super-secret-key-here
FLASK_ENV=development  # or production
FLASK_HOST=0.0.0.0
FLASK_PORT=5000

# Database
DATABASE_URI=sqlite:///scanner.db

# Security
SESSION_COOKIE_SECURE=False  # True for HTTPS only
RATELIMIT_ENABLED=True

# Logging
LOG_LEVEL=INFO
LOG_FILE=logs/scanner.log
```
### Production Deployment
For production environments:
1. Set `FLASK_ENV=production`
2. Change `FLASK_SECRET_KEY` to a strong random value
3. Enable `SESSION_COOKIE_SECURE=True` (requires HTTPS)
4. Use production-grade database (PostgreSQL, MySQL)
5. Set up reverse proxy (nginx, Apache)
6. Configure SSL/TLS certificates
7. Enable firewall and security groups
8. Set up monitoring and alerting
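Steps 1 to 3 above are the ones an application can enforce on itself at start-up, so that a production deployment with the placeholder secret key or insecure cookies never comes up. The following is an added example of such a check, not the project's `config.py`: it reads the variables from the `.env` listing above, turns them into the dict one would pass to `app.config.update(...)`, and refuses to start in production when the key or cookie settings are unsafe. The loopback default for `FLASK_HOST`, the 32-character minimum for the key, and the Flask-Limiter keys `RATELIMIT_ENABLED` / `RATELIMIT_DEFAULT` are assumptions.

```python
"""Build a Flask config from .env-style variables, refusing unsafe production settings.

Added example, not the project's config.py. Variable names follow this README's
.env listing; the validation rules, the loopback default for FLASK_HOST and the
Flask-Limiter keys are assumptions.
"""
import os
import secrets
from datetime import timedelta
from typing import Dict, List, Optional, Tuple

PLACEHOLDER_SECRETS = {"", "your-super-secret-key-here", "changeme", "secret", "dev"}
MIN_SECRET_LEN = 32


def _clean(value: Optional[str]) -> Optional[str]:
    """Strip an inline '# comment' as .env loaders do, so 'True # note' still reads as True."""
    return None if value is None else value.split("#", 1)[0].strip()


def _as_bool(value: Optional[str], default: bool) -> bool:
    value = _clean(value)
    return default if not value else value.lower() in ("1", "true", "yes", "on")


def _weak_secret(secret: str) -> bool:
    return secret.strip().lower() in PLACEHOLDER_SECRETS or len(secret) < MIN_SECRET_LEN


def validate_env(env: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings); any error must block start-up."""
    errors, warnings = [], []
    flask_env = (_clean(env.get("FLASK_ENV")) or "development").lower()
    production = flask_env == "production"
    if flask_env not in ("development", "production"):
        errors.append(f"FLASK_ENV must be 'development' or 'production', got {flask_env!r}")
    if _weak_secret(env.get("FLASK_SECRET_KEY", "")):
        if production:
            errors.append("FLASK_SECRET_KEY is missing, a placeholder or shorter than 32 chars; "
                          "generate one with: python -c 'import secrets; print(secrets.token_hex(32))'")
        else:
            warnings.append("FLASK_SECRET_KEY is weak; a random per-process key will be used "
                            "(sessions will not survive a restart)")
    if production and not _as_bool(env.get("SESSION_COOKIE_SECURE"), True):
        errors.append("SESSION_COOKIE_SECURE must be True in production (serve over HTTPS)")
    if production and (_clean(env.get("DATABASE_URI")) or "sqlite:///scanner.db").startswith("sqlite:"):
        warnings.append("SQLite is not a production-grade database; use PostgreSQL or MySQL")
    if production and _clean(env.get("FLASK_HOST")) == "0.0.0.0":
        warnings.append("FLASK_HOST=0.0.0.0 exposes the app directly; bind 127.0.0.1 behind a reverse proxy")
    try:
        port = int(_clean(env.get("FLASK_PORT")) or "5000")
        if not 1 <= port <= 65535:
            raise ValueError(port)
    except ValueError:
        errors.append("FLASK_PORT must be an integer between 1 and 65535")
    return errors, warnings


def build_config(env: Dict[str, str]) -> Tuple[dict, List[str]]:
    """Return (flask_config, warnings) for app.config.update(); raise ValueError on errors."""
    errors, warnings = validate_env(env)
    if errors:
        raise ValueError("refusing to start:\n  " + "\n  ".join(errors))
    production = (_clean(env.get("FLASK_ENV")) or "development").lower() == "production"
    secret = env.get("FLASK_SECRET_KEY", "")
    if _weak_secret(secret):
        secret = secrets.token_hex(32)  # development fallback only; validate_env blocks this in production
    config = {
        "SECRET_KEY": secret,
        "DEBUG": not production,
        "SQLALCHEMY_DATABASE_URI": _clean(env.get("DATABASE_URI")) or "sqlite:///scanner.db",
        "SQLALCHEMY_TRACK_MODIFICATIONS": False,
        "SESSION_COOKIE_SECURE": _as_bool(env.get("SESSION_COOKIE_SECURE"), production),
        "SESSION_COOKIE_HTTPONLY": True,
        "SESSION_COOKIE_SAMESITE": "Lax",
        "PERMANENT_SESSION_LIFETIME": timedelta(hours=1),
        "RATELIMIT_ENABLED": _as_bool(env.get("RATELIMIT_ENABLED"), True),
        "RATELIMIT_DEFAULT": "200 per day;50 per hour",  # the limits this README states
        "HOST": _clean(env.get("FLASK_HOST")) or "127.0.0.1",
        "PORT": int(_clean(env.get("FLASK_PORT")) or "5000"),
        "LOG_LEVEL": (_clean(env.get("LOG_LEVEL")) or "INFO").upper(),
        "LOG_FILE": _clean(env.get("LOG_FILE")) or "logs/scanner.log",
    }
    return config, warnings


if __name__ == "__main__":
    cfg, warns = build_config(dict(os.environ))
    for w in warns:
        print("WARNING:", w)
    print({k: ("<redacted>" if k == "SECRET_KEY" else v) for k, v in cfg.items()})
```

Failing closed on a placeholder `SECRET_KEY` is the important part: Flask signs session cookies with it, so a known key lets anyone forge a logged-in session, and a weak key is far easier to ship by accident than to notice afterwards.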
## 🧪 Testing
### Safe Testing Targets
**ONLY scan systems you own or have permission to test!**
Safe testing websites:
- http://testphp.vulnweb.com/
- http://demo.testfire.net/
- https://httpbin.org/
Example commands:
```text
# SQL Injection Test
URL: http://testphp.vulnweb.com/artists.php?artist=1

# Security Headers Test
URL: https://example.com

# Port Scan Test (localhost only)
Target: 127.0.0.1
```
## 📊 Features Breakdown
| Feature | Status | Description |
|---------|--------|-------------|
| SQL Injection Scanner | ✅ | 18+ payloads, error detection |
| XSS Scanner | ✅ | 14+ payloads, form analysis |
| Security Headers | ✅ | 7 critical headers + scoring |
| Port Scanner | ✅ | Multi-threaded, service detection |
| Rate Limiting | ✅ | 200/day, 50/hour per IP |
| Authentication | ✅ | Secure password hashing |
| Audit Logging | ✅ | Comprehensive activity logs |
| Error Handling | ✅ | Professional error pages |
| Input Validation | ✅ | URL, IP, username, password |
| Session Security | ✅ | Secure cookies, CSRF protection |
## 🔒 Security Best Practices
This scanner implements:
1. **OWASP Top 10 Protection**
- SQL Injection prevention
- XSS protection
- CSRF tokens
- Secure headers
- Authentication controls
2. **Secure Coding**
- Parameterized queries
- Input validation
- Output encoding
- Password hashing
- Session management
3. **Infrastructure Security**
- Rate limiting
- Logging and monitoring
- Error handling
- Security headers
- Cookie security
## ⚠️ Legal Disclaimer
**IMPORTANT**: This tool is for **educational purposes** and **authorized security testing** ONLY.
- ✅ Only scan systems you own
- ✅ Get explicit written permission before scanning
- ✅ Follow responsible disclosure practices
- ✅ Comply with all laws and regulations
- ❌ Never scan without authorization
- ❌ Do not use for malicious purposes
**Unauthorized scanning may be illegal** in your jurisdiction. The developers assume no liability for misuse.
## 🐛 Troubleshooting
### Common Issues
**Issue**: `ModuleNotFoundError`
```bash
# Solution
source venv/bin/activate
pip install -r requirements.txt
```
**Issue**: Port 5000 already in use
```ini
# Solution: Edit .env
FLASK_PORT=5001
```
**Issue**: Database errors
```bash
# Solution
cd functionailty
rm instance/scanner.db
python app.py   # Database will be recreated
```
**Issue**: Permission denied
```bash
# Solution
chmod +x setup.sh run.sh
```
## 📚 Advanced Documentation
- [Configuration Guide](docs/CONFIGURATION.md) - Detailed configuration options
- [API Documentation](docs/API.md) - API endpoints and usage
- [Architecture](docs/ARCHITECTURE.md) - System design and architecture
- [Security Guide](docs/SECURITY.md) - Security implementation details
## 📝 Changelog
See [CHANGELOG.md](CHANGELOG.md) for version history and updates.
## 👤 Author
**Akash Aswal**
- GitHub: [@AkashAswal5](https://github.com/AkashAswal5)
- Project: [Web Vulnerability Scanner](https://github.com/AkashAswal5/web-vulnerability-scanner)
## 🙏 Acknowledgments
- OWASP for security testing methodologies
- Flask community for the excellent framework
- Security researchers and educators worldwide
## 📄 License
This project is for **educational purposes** only.
**Made with ❤️ for Security Learning**
Remember: **Use responsibly. Scan ethically. Stay legal.** 🔐