Iammythbuster/vulnscan
GitHub: Iammythbuster/vulnscan
A lightweight, educational web vulnerability scanner that helps explain how common vulnerabilities work and produces a visual report.
Stars: 0 | Forks: 0
```markdown
# VulnScan: Vulnerability Scanner

## What it does
VulnScan crawls a target web application and tests GET parameters, forms, headers, cookies, transport, and well-known paths for common vulnerabilities. It produces a single-page HTML report with severity breakdowns, OWASP mappings, evidence snippets, and remediation advice.
### Checks performed
| Category | What it looks for |
|---|---|
| **Injection (SQLi)** | Error-based and boolean-diff responses on GET params |
| **Injection (XSS)** | Reflected payloads in HTML context |
| **Open Redirect** | Redirect-hint params accepting external URLs |
| **Security Headers** | CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy |
| **Cookie Security** | Missing `Secure` / `HttpOnly` / `SameSite` flags |
| **Transport Security** | Plaintext HTTP, missing HSTS |
| **CORS** | Wildcard origins, credential reflection, arbitrary-origin echo |
| **Information Disclosure** | `Server` / `X-Powered-By` banners, stack traces, leaked API keys |
| **Sensitive Files** | `/.env`, `/.git/config`, `/phpinfo.php`, `/server-status`, etc. |
| **HTTP Methods** | Risky methods advertised via OPTIONS (PUT, DELETE, TRACE) |
| **security.txt** | Informational check for RFC 9116 disclosure contact |
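The passive half of the table above (the Security Headers, Cookie Security, Transport Security, CORS and banner-disclosure rows) can be demonstrated without sending a single payload, because each of those checks only inspects a response the target already returned. The following is an added example, not code from the vulnscan repository: the function names, severity levels and remediation strings are assumptions, and the response at the bottom is constructed by hand so the script runs offline.

```python
"""Passive response analysis in the style of VulnScan's header, cookie,
transport, CORS and banner checks.  Added illustration, not vulnscan's code:
function names, severities and remediation text are assumptions, and the
sample response is constructed."""
from urllib.parse import urlsplit

# The headers VulnScan's table lists, each with an assumed remediation.
EXPECTED_HEADERS = {
    "content-security-policy": "add a Content-Security-Policy (start with default-src 'self')",
    "strict-transport-security": "send Strict-Transport-Security with a max-age of at least one year",
    "x-frame-options": "send X-Frame-Options: DENY or a CSP frame-ancestors directive",
    "x-content-type-options": "send X-Content-Type-Options: nosniff",
    "referrer-policy": "send Referrer-Policy: strict-origin-when-cross-origin",
    "permissions-policy": "send a Permissions-Policy that disables unused browser features",
}
BANNER_HEADERS = ("server", "x-powered-by")


def finding(check, severity, evidence, fix):
    return {"check": check, "severity": severity, "evidence": evidence, "fix": fix}


def _fold(headers):
    """Header names are case-insensitive, so compare them lower-cased."""
    return {k.lower(): v for k, v in headers.items()}


def check_transport(url):
    if urlsplit(url).scheme.lower() != "https":
        return [finding("transport", "high", f"{url} is served over plaintext HTTP",
                        "serve over HTTPS only and redirect HTTP to HTTPS")]
    return []


def check_headers(headers):
    h = _fold(headers)
    out = [finding("security-headers", "medium", f"missing {name}", fix)
           for name, fix in EXPECTED_HEADERS.items() if name not in h]
    out += [finding("info-disclosure", "low", f"{name}: {h[name]}",
                    f"remove or genericise the {name} header")
            for name in BANNER_HEADERS if name in h]
    return out


def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie name, {attribute: value}), attributes lower-cased."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def check_cookies(set_cookie_values):
    out = []
    for raw in set_cookie_values:
        name, attrs = parse_set_cookie(raw)
        missing = [flag for flag in ("Secure", "HttpOnly", "SameSite") if flag.lower() not in attrs]
        if missing:
            out.append(finding("cookie-security", "medium",
                               f"cookie {name!r} lacks {', '.join(missing)}",
                               f"set {' and '.join(missing)} on cookie {name!r}"))
    return out


def check_cors(headers, probe_origin):
    """probe_origin is the Origin value the scanner sent with its request."""
    h = _fold(headers)
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").strip().lower() == "true"
    if acao is None:
        return []
    if acao == "*":
        # Browsers refuse credentialed requests against a wildcard origin, so this stays low.
        return [finding("cors", "low", "Access-Control-Allow-Origin: *",
                        "replace the wildcard with an explicit origin allow-list")]
    if acao == probe_origin:
        return [finding("cors", "high" if creds else "medium",
                        f"Origin {probe_origin} reflected" + (" with credentials allowed" if creds else ""),
                        "validate Origin against an allow-list instead of echoing it")]
    return []


def analyze(url, headers, set_cookie_values, probe_origin):
    return (check_transport(url) + check_headers(headers)
            + check_cookies(set_cookie_values) + check_cors(headers, probe_origin))


def severity_counts(findings):
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


# Constructed response from an imaginary target; none of these values are real.
SAMPLE_URL = "https://target.example/"
SAMPLE_HEADERS = {
    "Server": "ExampleServer/1.0",
    "Content-Type": "text/html",
    "X-Content-Type-Options": "nosniff",
    "Access-Control-Allow-Origin": "https://probe.example",
    "Access-Control-Allow-Credentials": "true",
}
SAMPLE_SET_COOKIE = ["session=abc123; Path=/; HttpOnly", "prefs=dark; Path=/; Secure; SameSite=Lax"]
PROBE_ORIGIN = "https://probe.example"

if __name__ == "__main__":
    for f in analyze(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_SET_COOKIE, PROBE_ORIGIN):
        print(f"[{f['severity']:6}] {f['check']}: {f['evidence']} -> {f['fix']}")
```

Set-Cookie is kept as a separate list rather than a dict entry because a response may carry several of them and a dict would silently keep only one; the CORS check grades an echoed Origin higher when credentials are also allowed, since that is the combination that lets another site read authenticated responses.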
### Features
- 🖥️ **Web UI** — paste a URL, hit scan, watch live progress
- 🌓 **Background scanning** — non-blocking; phases and counters update in real time
- 💾 **History** — every scan is saved and re-viewable; survives restart
- 🎯 **OWASP Top 10 mapping** — every finding tagged with its 2021 category
- 📊 **Dashboard report** — sidebar navigation, severity donuts, risk gauge, category bar chart, filterable findings table, expandable evidence cards
- 🖨️ **Exportable** — browser print produces a clean PDF
## Screenshots
## Quick start
```
# 1. Clone and install
git clone https://github.com/IamMythbuster/vulnscan.git
cd vulnscan
python -m venv .venv
source .venv/bin/activate   # Windows: .venv\Scripts\activate
pip install -r requirements.txt

# 2. Run the web UI
python app.py
# → open http://127.0.0.1:8000

# 3. (Optional) start the local deliberately vulnerable target for practice
python demo_target.py &
# → runs at http://127.0.0.1:5055

# 4. Open http://127.0.0.1:8000 in your browser, paste the URL,
#    tick the consent checkbox, and click Start Scan.
```
### CLI alternative
If you don't want the web UI, the scanner also runs standalone:
```
python scanner.py http://127.0.0.1:5055 --out report.html
python scanner.py https://your-site.example.com --max-pages 30 --out r.html
```
| Flag | Default | Description |
|---|---|---|
| `--out` | `report.html` | Output HTML path |
| `--max-pages` | `15` | Crawl limit |
| `--timeout` | `8` | Per-request timeout (seconds) |
| `--no-verify` | off | Skip TLS certificate verification |
## Project layout
```
vulnscan/
├── app.py            # Flask web server
├── scanner.py        # Crawler + vulnerability checks
├── report.py         # HTML dashboard renderer
├── demo_target.py    # Deliberately-vulnerable Flask app (practice target)
├── templates/
│   ├── base.html     # Shared sidebar layout
│   ├── index.html    # Landing page: URL form + history
│   └── scanning.html # Live progress page with polling
├── scans/            # Runtime: JSON + HTML per scan
├── requirements.txt
├── LICENSE           # MIT
└── README.md
```
### How the web app works
1. **`GET /`** renders `index.html` with the URL form and history table.
2. **`POST /scan`** validates input, generates a `scan_id`, spawns a daemon thread running `run_scan()`, and redirects to the progress page.
3. **`GET /scan/<scan_id>`** renders `scanning.html`, which polls `/api/scan/<scan_id>/status` about once a second.
4. The **background thread** instantiates `Scanner(..., on_progress=callback)`. The callback writes live phase and counter updates into an in-memory dict, protected by a `threading.Lock`.
5. **On completion** the thread calls `render_report()` and writes `scans/<scan_id>.html` plus `scans/<scan_id>.json` to disk. The polling JS sees `status=done` and redirects the browser to `/scan/<scan_id>/report`.
6. **History** — on every page load, `load_history()` globs `scans/*.json` and sorts by timestamp.
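Steps 2 through 6 describe one pipeline: register a scan, run it on a daemon thread that reports progress through a lock-protected dict, poll that dict until it says done, persist the result as JSON, and rebuild history by globbing those files. The stdlib-only script below is an added example of that pipeline, not the project's own `app.py`: `start_scan()` and `scan_status()` stand in for the Flask routes, the four phases and `DEMO_FINDINGS` are constructed (no HTTP requests are made), and only the `scans/<scan_id>.json` half of step 5 is written.

```python
"""Background scan with a lock-protected progress dict, a polling loop and a
JSON history, mirroring the flow described for app.py.  Added illustration,
not the project's code: start_scan/scan_status stand in for the Flask routes,
PHASES and DEMO_FINDINGS are constructed, and no real checks run."""
import glob
import json
import os
import tempfile
import threading
import time
import uuid

_SCANS = {}                 # scan_id -> live progress dict, shared with worker threads
_LOCK = threading.Lock()    # every read or write of _SCANS goes through this lock
PHASES = ("crawl", "headers", "cookies", "cors")

# Constructed stand-in for the real checks: the findings each phase would report.
DEMO_FINDINGS = {
    "headers": ["missing Content-Security-Policy"],
    "cookies": ["cookie 'session' lacks Secure"],
}


def on_progress(scan_id, **fields):
    """Callback handed to the worker thread; merges updates under the lock."""
    with _LOCK:
        _SCANS[scan_id].update(fields)


def run_scan(scan_id, target, progress, findings_by_phase=DEMO_FINDINGS, step_delay=0.01):
    """Worker body: walk the phases, reporting phase and counters after each one."""
    requests, found = 0, []
    for phase in PHASES:
        time.sleep(step_delay)                     # stands in for real HTTP round trips
        requests += 1
        found.extend(findings_by_phase.get(phase, []))
        progress(scan_id, phase=phase, requests=requests, findings=len(found))
    progress(scan_id, status="done", phase="done", result=found, finished_at=time.time())
    return found


def start_scan(target):
    """What POST /scan does: register the scan, start a daemon thread, hand back its id."""
    scan_id = uuid.uuid4().hex[:12]
    with _LOCK:
        _SCANS[scan_id] = {"id": scan_id, "target": target, "status": "running",
                           "phase": "queued", "requests": 0, "findings": 0,
                           "started_at": time.time()}
    threading.Thread(target=run_scan, args=(scan_id, target, on_progress), daemon=True).start()
    return scan_id


def scan_status(scan_id):
    """What /api/scan/<scan_id>/status returns: a snapshot copied under the lock."""
    with _LOCK:
        return dict(_SCANS[scan_id])


def wait_for(scan_id, timeout=5.0, interval=0.02):
    """The browser's polling loop; returns the final snapshot once status is done."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        snap = scan_status(scan_id)
        if snap["status"] == "done":
            return snap
        time.sleep(interval)
    raise TimeoutError(f"scan {scan_id} did not finish within {timeout}s")


def persist(snapshot, directory):
    """Write <directory>/<scan_id>.json; the HTML report would sit beside it."""
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, f"{snapshot['id']}.json")
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(snapshot, fh)
    return path


def load_history(directory):
    """Glob the saved JSON records and sort newest first, as the landing page does."""
    records = []
    for path in glob.glob(os.path.join(directory, "*.json")):
        with open(path, encoding="utf-8") as fh:
            records.append(json.load(fh))
    records.sort(key=lambda r: r["started_at"], reverse=True)
    return records


def demo(directory=None, targets=("http://127.0.0.1:5055", "http://127.0.0.1:5055/shop")):
    """Run one scan per target, persist each result, then reload the history."""
    directory = directory or tempfile.mkdtemp(prefix="vulnscan-demo-")
    for target in targets:
        persist(wait_for(start_scan(target)), directory)
    return load_history(directory)


if __name__ == "__main__":
    for rec in demo():
        print(rec["id"], rec["target"], rec["phase"], rec["findings"], "finding(s)")
```

`scan_status()` returns a copy rather than the live dict so the request handler never reads a half-updated record while the worker is mid-`update()`; that copy, plus the single lock around every access, is what makes the polling endpoint safe to call from Flask's request threads while the scan runs.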
## ⚠️ Responsible use
This tool performs **active security testing**. Running it against a system you do not own or do not have explicit authorization to test is illegal under:
- 🇺🇸 **United States** — Computer Fraud and Abuse Act (18 U.S.C. § 1030)
- 🇬🇧 **United Kingdom** — Computer Misuse Act 1990
- 🇦🇺 **Australia** — Criminal Code Act 1995, Part 10.7
- 🇪🇺 **European Union** — Directive 2013/40/EU
...and equivalents in most other countries.
**Permission must be in writing**, from someone with authority to grant it. Bug bounty programs (HackerOne, Bugcrowd, Intigriti) publish scoping rules — read them carefully before scanning.
### What VulnScan is not
- ❌ Not a substitute for a professional penetration test
- ❌ Not a substitute for code review or threat modeling
- ❌ Not capable of finding logic flaws, auth bypasses, or chained exploits
- ❌ Not stealthy — requests are marked with a `VulnScan/0.x` user-agent
For serious work, use dedicated tools: [OWASP ZAP](https://www.zaproxy.org/), [Burp Suite](https://portswigger.net/burp), [Nuclei](https://github.com/projectdiscovery/nuclei), [sqlmap](https://sqlmap.org/).
## Roadmap
- [ ] Authenticated scanning (session cookie or login form)
- [ ] POST body testing (currently GET-only for safety)
- [ ] CSRF token presence check
- [ ] JSON output for CI integration
- [ ] Scheduled scans (daily/weekly)
- [ ] Diff view between consecutive scans of the same target
- [ ] Custom check templates (Nuclei-style YAML)
## License
MIT — see [LICENSE](LICENSE).
Built as an educational project. Contributions welcome; issues and PRs encouraged.
```
Tags: Cookie security, CORS, Flask, HTML report, HTTP methods, iGraph, OWASP Top 10, Python, security.txt, SEO, Splunk, Web security, Web vulnerability scanning, XSS, dashboard, transport security, information disclosure, single-page application, history, background scanning, security headers, security testing, live progress, open redirect, offensive security, sensitive files, educational use, no backdoor, vulnerability intelligence, blue-team analysis, reverse-engineering tools