vrajmodi4/Web-Vulnerability-Scanner
GitHub: vrajmodi4/Web-Vulnerability-Scanner
A Python and Flask based web vulnerability scanning and assessment system that identifies common vulnerabilities through an automated crawler and active probing, and persists the results for auditing.
Stars: 0 | Forks: 0
# 🛡️ Sentinel Sec - Web Vulnerability Scanner
A comprehensive and modern **Web Vulnerability Scanner** built with Python and Flask. Designed to proactively analyze web applications, this tool automatically crawls pages, evaluates server security configurations, and actively tests for common vulnerabilities such as **SQL Injection (SQLi)** and **Cross-Site Scripting (XSS)**.
All scan results, user data, and analysis metrics are seamlessly logged into a locally hosted MongoDB database for structured reporting and auditing.
## ✨ Features
- **🌐 Automated Web Crawling**: Recursively discovers internal links and extracts embedded HTML forms (both `GET` and `POST`) across target websites.
- **🔍 Active Vulnerability Scanning**:
- **SQL Injection (SQLi)**: Tests for boolean-based and error-based SQL injections in URL parameters and form inputs.
- **Cross-Site Scripting (XSS)**: Evaluates URL query parameters for reflected XSS vulnerabilities.
- **📊 Deep Target Analysis**: Checks whether the server sets the security headers `HSTS`, `CSP`, `X-Frame-Options`, and `X-Content-Type-Options`, and fingerprints frontend technologies (React, Vue, etc.) and server software from the response.
- **📈 Security Grading**: Automatically derives an overall security grade (**A through F**) from which security headers are set and what the server discloses about itself (for example version banners).
- **🛡️ RBAC & Authentication**: User registration, password resets, asynchronous email notifications, and an administrative dashboard restricted to the admin role.
- **🗃️ Persistent Auditing (`MongoDB`)**: Uses several cross-referenced collections to track complete test logs, user profiles, and individual test results.
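To make the header assessment and the A-to-F grade concrete, here is a small stand-alone checker. It is an added example written for this page, not code from the project's `analyzer.py`: the per-header weights, the grade thresholds, the banner headers counted as information disclosure and the technology markers are all this example's own assumptions, and the two sample header sets are constructed rather than captured from any site. It also validates header values rather than mere presence, since `X-Frame-Options: ALLOWALL` or an HSTS header with `max-age=0` protects nothing.

```python
"""Security-header check with an A-F grade (added example, not the project's analyzer.py)."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable


def _hsts_ok(value: str) -> bool:
    """HSTS only counts when it carries a positive max-age directive."""
    for directive in value.split(";"):
        name, _, num = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and num.strip().isdigit():
            return int(num) > 0
    return False


# Header name -> (weight, validator).  Weights are an assumption of this example.
HEADER_CHECKS: dict[str, tuple[int, Callable[[str], bool]]] = {
    "strict-transport-security": (3, _hsts_ok),
    "content-security-policy": (3, lambda v: "default-src" in v.lower() or "script-src" in v.lower()),
    "x-frame-options": (2, lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN")),
    "x-content-type-options": (2, lambda v: v.strip().lower() == "nosniff"),
}
MAX_SCORE = sum(weight for weight, _ in HEADER_CHECKS.values())  # 10
# Banners that leak software and version details; each one present costs a point.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
# Crude frontend fingerprints: substring in the HTML -> technology name.
TECH_MARKERS = {"react": "React", "vue": "Vue", "angular": "Angular", "jquery": "jQuery"}


@dataclass
class HeaderReport:
    missing: list[str] = field(default_factory=list)         # header absent
    misconfigured: list[str] = field(default_factory=list)   # present but ineffective
    disclosed: dict[str, str] = field(default_factory=dict)  # leaked banners
    technologies: list[str] = field(default_factory=list)
    score: int = 0
    grade: str = "F"


def grade_from_score(score: int) -> str:
    """Map a score to A-F.  Thresholds are an assumption of this example."""
    pct = max(score, 0) / MAX_SCORE
    if pct >= 0.9:
        return "A"
    if pct >= 0.7:
        return "B"
    if pct >= 0.5:
        return "C"
    if pct >= 0.3:
        return "D"
    return "F"


def analyze(headers: dict[str, str], body: str = "") -> HeaderReport:
    """Score one HTTP response's headers and fingerprint its HTML body."""
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    report = HeaderReport()
    for name, (weight, ok) in HEADER_CHECKS.items():
        value = lower.get(name)
        if value is None:
            report.missing.append(name)
        elif ok(value):
            report.score += weight
        else:
            report.misconfigured.append(name)
    for name in DISCLOSURE_HEADERS:
        if name in lower:
            report.disclosed[name] = lower[name]
            report.score -= 1
    body_lower = body.lower()
    report.technologies = [tech for marker, tech in TECH_MARKERS.items() if marker in body_lower]
    report.grade = grade_from_score(report.score)
    return report


# Constructed sample responses (not captured from any real site).
HARDENED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Content-Type": "text/html; charset=utf-8",
}
WEAK = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
    "X-Frame-Options": "ALLOWALL",  # present, but not a valid directive
    "Content-Type": "text/html",
}
WEAK_BODY = '<div id="root"></div><script src="/static/js/react.production.min.js"></script>'

if __name__ == "__main__":
    for label, hdrs, body in (("hardened", HARDENED, ""), ("weak", WEAK, WEAK_BODY)):
        r = analyze(hdrs, body)
        print(f"{label}: grade {r.grade} (score {r.score}/{MAX_SCORE}) missing={r.missing} "
              f"misconfigured={r.misconfigured} disclosed={list(r.disclosed)} tech={r.technologies}")
```

Running the block prints an A for the hardened set and an F for the weak one; the weak report separates what is absent (`missing`) from what is present but useless (`misconfigured`), which is the distinction a remediation ticket needs.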
## 💻 Tech Stack
- **Backend**: Python (Flask)
- **Database**: MongoDB (`pymongo`)
- **Scraping / Analysis**: `BeautifulSoup4`, `requests`
- **Security**: `werkzeug.security` (Password Hashing)
- **Email Delivery**: `smtplib`
## ⚙️ Prerequisites
Before you begin, ensure you have met the following requirements:
- **Python 3.8** or higher installed.
- **MongoDB Community Server** installed and actively running on `localhost:27017` (default port).
## 🚀 Installation & Setup
1. **Clone the repository** or navigate to the project root directory.
2. **Create a Virtual Environment (Recommended):**
```bash
python -m venv venv
# On Windows:
venv\Scripts\activate
# On macOS/Linux:
source venv/bin/activate
```
3. **Install Dependencies:**
```bash
pip install -r requirements.txt
```
4. **[Optional] Configure Async Emails:**
To enable welcome emails upon user registration, open `app.py` and replace the `SENDER_EMAIL` and `SENDER_PASSWORD` defaults in the `--- EMAIL CONFIGURATION ---` block with your SMTP credentials. Keep real credentials out of version control: prefer reading them from environment variables over editing them into the source, and use a provider-issued app password rather than your mailbox password where your provider supports one.
5. **Ensure MongoDB is Running:**
Verify your local MongoDB instance is active. The application connects directly to `"mongodb://localhost:27017/"`. That connection string carries no credentials, so the database must not be reachable from other hosts: keep `mongod` bound to `127.0.0.1` (the default) or enable authentication before exposing it.
## 🎯 Usage
1. **Start the Application:**
```bash
python app.py
```
2. **Launch the Dashboard:**
Open your preferred web browser and navigate to:
`http://127.0.0.1:5000`
3. **Run a Scan:**
- Create a standard user account or log in.
- Provide a target web address (e.g., `http://testphp.vulnweb.com`, a deliberately vulnerable site published by Acunetix for scanner testing).
- Click **Scan**.
- Wait for the target analysis, link crawling, and vulnerability tests to complete.
4. **View Database Logs:**
You can inspect all completed scans with `mongosh`, the MongoDB shell (installed with MongoDB, not part of this application):
```bash
mongosh
> use scanner_db
> db.tests.find().pretty()
> db.test_results.find().pretty()
```
## 👑 Administrator Dashboard
The application includes an admin panel that gives full platform visibility: admins can wipe old logs, view registered agent profiles, and analyze platform-wide test frequency.
To access the admin interface, navigate to `/admin_login` or click the admin portal link.
- **Default Admin Email:** `admin@sentinel.com`
- **Default Admin Password:** `admin`
*(Change these in `app.py` before the application is reachable by anyone else, including on internal networks: the defaults are public in this README and in the source, and the admin panel can delete audit logs.)*
## 📂 Project Structure
- `app.py` - Main Flask application routing, user session handling, and database integration.
- `crawler.py` - Responsible for the recursive discovery logic of site links and HTML forms.
- `analyzer.py` - Performs deep header evaluations and tech stack fingerprinting.
- `sqli_test.py` - Payload delivery routines for identifying SQL Injections.
- `xss_test.py` - Payload delivery routines for identifying Cross-Site Scripting.
- `db.py` - MongoDB connection bindings.
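The SQLi and XSS features listed above and the `sqli_test.py` / `xss_test.py` modules both come down to the same loop: inject a payload into one parameter at a time and judge the response. The following is an added example of that logic for URL query parameters, written for this page and not taken from the project; the `Fetcher` callable, the payload, the error-signature list and the `fake_target` stand-in (a constructed, deliberately injectable "site" with a simulated `WHERE id='...'` clause) are all its own assumptions. It covers error-based and boolean-based SQLi and reflected XSS; probing `POST` form inputs, which the project also does, is left out.

```python
"""Reflected-XSS and SQL-injection probes for URL parameters (added example,
not the project's sqli_test.py / xss_test.py)."""
from __future__ import annotations

import html
import re
from typing import Callable
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# fetch(url) -> (status, body).  The real scanner would wrap requests.get; it is
# passed in here so the probes can run against a canned fake target offline.
Fetcher = Callable[[str], tuple[int, str]]

XSS_PAYLOAD = '"><svg/onload=alert(1)>'
SQL_ERROR_SIGNATURES = [re.compile(p, re.I) for p in (
    r"you have an error in your sql syntax",
    r"warning:\s*mysql",
    r"unclosed quotation mark after the character string",
    r"pg_query\(\)|postgresql.*error",
    r"ora-\d{5}",
    r"sqlite3?\.operationalerror",
)]


def _params(url: str) -> list[tuple[str, str]]:
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def set_param(url: str, name: str, value: str) -> str:
    """Return url with query parameter `name` replaced by `value` (re-encoded)."""
    parts = urlsplit(url)
    pairs = [(k, value if k == name else v) for k, v in _params(url)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def reflected_xss(url: str, fetch: Fetcher) -> list[str]:
    """Parameters whose injected payload comes back verbatim in the response."""
    hits = []
    for name, _ in _params(url):
        _, body = fetch(set_param(url, name, XSS_PAYLOAD))
        # An escaped copy (&quot;&gt;&lt;svg...) means the app encoded it, so
        # only an unencoded reflection is reported.
        if XSS_PAYLOAD in body:
            hits.append(name)
    return hits


def error_based_sqli(url: str, fetch: Fetcher) -> list[str]:
    """Parameters where a stray quote makes the backend leak a database error."""
    hits = []
    for name, value in _params(url):
        _, body = fetch(set_param(url, name, value + "'"))
        if any(sig.search(body) for sig in SQL_ERROR_SIGNATURES):
            hits.append(name)
    return hits


def boolean_based_sqli(url: str, fetch: Fetcher) -> list[str]:
    """Parameters where a true tautology leaves the page identical to the baseline
    while a false one changes it.  Pages with per-request content (CSRF tokens,
    timestamps) must be normalised before comparing or this is noisy."""
    _, baseline = fetch(url)
    hits = []
    for name, value in _params(url):
        _, true_body = fetch(set_param(url, name, f"{value}' AND '1'='1"))
        _, false_body = fetch(set_param(url, name, f"{value}' AND '1'='2"))
        if true_body == baseline and false_body != baseline:
            hits.append(name)
    return hits


def scan_url(url: str, fetch: Fetcher) -> dict[str, list[str]]:
    return {
        "reflected_xss": reflected_xss(url, fetch),
        "error_based_sqli": error_based_sqli(url, fetch),
        "boolean_based_sqli": boolean_based_sqli(url, fetch),
    }


def fake_target(url: str) -> tuple[int, str]:
    """Constructed stand-in for a vulnerable site: `q` is reflected unescaped, `s`
    is HTML-escaped, and `id` is spliced into a simulated SELECT ... WHERE id='...'."""
    q = dict(_params(url))
    body = ""
    if "q" in q:
        body += f"<p>Results for {q['q']}</p>"                    # reflected XSS
    if "s" in q:
        body += f"<p>Safe {html.escape(q['s'], quote=True)}</p>"  # encoded, not vulnerable
    if "id" in q:
        art = q["id"]
        if art.count("'") % 2 == 1:           # unbalanced quote breaks the statement
            body += "Warning: mysql_fetch_array(): You have an error in your SQL syntax"
        elif art.startswith("1") and "'1'='2" not in art:
            body += "<p>Article 1: Hello</p>"   # row matched; a tautology keeps it
        else:
            body += "<p>No article found</p>"   # a contradiction drops the row
    return 200, body


if __name__ == "__main__":
    print(scan_url("http://target.test/page.php?id=1&q=hello&s=hello", fake_target))
    # -> {'reflected_xss': ['q'], 'error_based_sqli': ['id'], 'boolean_based_sqli': ['id']}
```

Swapping `fake_target` for a function that calls `requests.get` and returns `(r.status_code, r.text)` turns this into a live probe; keep the `Fetcher` indirection, since it is also what lets the detection logic be unit-tested without a network.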
## ⚠️ Legal Disclaimer
**Sentinel Sec Web Vulnerability Scanner** was developed for educational purposes, authorized security auditing, and ethical hacking contexts.
**DO NOT** use this software to scan, test, or interact with web applications, servers, or platforms that you do not own or have explicit, documented permission to investigate. The developers and contributors assume no liability and are not responsible for any misuse, damage, or legal consequences arising from the use of this tool.