kovid-reddy/WebScore-OWASP-Top-10-Security-Scanner
GitHub: kovid-reddy/WebScore-OWASP-Top-10-Security-Scanner
一款基于 OWASP Top 10 的全栈 Web 应用漏洞扫描器,自动检测安全漏洞、计算风险评分并提供修复指导。
Stars: 0 | Forks: 0
**分析 • 检测 • 评分 • 保护**
## 📖 概述 **WebScore** 是一款受 **OWASP Top 10** 启发而开发的全栈 Web 应用程序漏洞扫描器。 它能自动分析网站,识别安全漏洞,计算整体的**安全评分**,并提供详细的修复指导,以帮助开发者构建更安全的应用程序。 WebScore 采用可扩展的 **Turborepo monorepo 架构**,将前端、API 和扫描引擎分离为独立的服务,从而提升了可维护性与可扩展性。 ## 📸 仪表盘预览
WebScore 仪表盘展示了扫描配置、实时进度、漏洞检测结果以及整体安全评分。
## 🚀 为什么选择 WebScore? WebScore 不仅仅是一款漏洞扫描器。它将自动化漏洞检测、安全评分和修复指导结合在单一平台中,帮助开发者高效地识别并确定安全风险的优先级。 ### 核心亮点 - 🛡️ 受 OWASP Top 10 启发的漏洞检测 - 📊 动态安全评分系统 - ⚡ 后台异步扫描 - 🌐 自动 endpoint 爬取 - 📄 切实可行的修复建议 - 🏗️ 模块化 Turborepo 架构 |REST API calls| API[apps/apiFastify Backend] API -->|Saves Scan Results| DB[(PostgreSQL Database)] API -->|Pushes Jobs| Queue[BullMQ / Redis] Queue -->|Pulls Jobs| Worker[apps/api
Background Worker] Worker -->|Dynamic Import| Scanner[apps/scanner
Security Engine] Scanner -->|Probes / Crawls| Target[Target Site / API] ``` - **`apps/web`**: Next.js (React 19, Tailwind CSS v4, Recharts) frontend client. Allows starting scans, viewing progress, displaying results, showing score gauges, and exporting scan results as JSON. - **`apps/api`**: Fastify REST API and background task processor using **Prisma** (PostgreSQL) and **BullMQ** (Redis). Contains: - An API server (`src/server.ts`) for starting scans and fetching statuses. - A worker (`src/queue/scan.worker.ts`) to execute scans asynchronously. - **`apps/scanner`**: The core security engine. Crawls pages, extracts forms and endpoints, and executes security checkers against target endpoints. - **`packages/shared-types`**: Shared TypeScript types ensuring consistency between the frontend, backend, and security engine. ## 🔍 Security Engine 功能 The scanner runs in two phases: 1. **Site-wide Checks**: Executes once against the target's root URL. 2. **Endpoint-specific Checks**: Runs a localized crawl (up to 40 pages, max depth 3) extracting `a[href]` links, forms, and API endpoint references from JavaScript (`fetch`/`axios`). The scanner then runs the selected checks against all discovered endpoints in batches of 5. ### 检查 Registry ## 🔍 Security Checks Registry ### 🛡️ 认证 | Check ID | Level | Detection Strategy | | :--- | :---: | :--- | | `cookies` | 🌐 Site | Inspects cookies for missing **Secure**, **HttpOnly**, **SameSite** flags and validates security headers such as **HSTS**, **CSP**, and **X-Content-Type-Options**. | | `jwt` | 🌐 Site | Tests JWT implementations for weak secrets, **none** algorithm abuse, and signature verification bypasses. | | `csrf` | 🌐 Site | Detects missing CSRF tokens and insufficient protection for state-changing requests. | | `ssrf` | 🌐 Site | Checks whether server-side requests can be redirected to internal networks or cloud metadata endpoints. | ### 🔓 Broken Access Control | Check ID | Level | Detection Strategy | | :--- | :---: | :--- | | `cors` | 🌐 Site | Detects wildcard origins, origin reflection, and credentialed cross-origin requests. | | `forced-browsing` | 🌐 Site | Discovers hidden files, backups, Git directories, admin panels, and exposed resources. | | `http-method-abuse` | 🌐 Site | Tests support for unexpected HTTP methods such as **PUT**, **DELETE**, and **TRACE**. | | `idor` | 🎯 Endpoint | Manipulates predictable identifiers to detect Insecure Direct Object Reference vulnerabilities. | ### 💉 Injection | Check ID | Level | Detection Strategy | | :--- | :---: | :--- | | `sqli` | 🎯 Endpoint | Error-based • Boolean-blind • Time-based SQL Injection detection. | | `xss` | 🎯 Endpoint | Reflected • Stored • DOM-based Cross-Site Scripting detection. | | `ssti` | 🎯 Endpoint | Tests common template engines using standard SSTI payloads. | | `os-command` | 🎯 Endpoint | Attempts OS command execution using Linux and Windows payloads. | | `file-upload` | 🎯 Endpoint | Detects unrestricted file upload vulnerabilities and MIME bypasses. | | `xxe` | 🎯 Endpoint | Tests XML parsers for XXE, SSRF, and local file disclosure. |