AbdelrahmanGaafar-02/vulnerability-sql-scanner-project
# AI-Powered SQL Injection Scanner: Project Overview
This document provides a comprehensive explanation of the core architecture, methodologies, and objectives of the AI-powered Dynamic SQL Injection Scanner project.
### 1. What is the Objective of this Project?
The main objective of this project is to build an **intelligent, real-time, dynamic web vulnerability scanner** that specializes in detecting SQL Injections (SQLi).
Traditional security scanners (like SQLMap) are becoming outdated because they rely on rigid, hardcoded rules (like searching the page for the exact phrase *"MySQL syntax error"*). Modern web application firewalls (WAFs) easily block these predictable attacks or hide the error messages. The goal of this project is to create a "smart" scanner that tests websites dynamically and uses Artificial Intelligence to reason like a human cybersecurity expert, detecting hidden vulnerabilities that traditional scanners miss.
### 2. What AI Model is used and why?
The project currently utilizes **`gemma3:27b`** (with previous testing on `llama3.1:8b` and `llama3.2:3b`), running entirely locally via the Ollama framework.
**Why use an LLM (Large Language Model) instead of traditional code?**
Instead of using Regex or hardcoded rules, the LLM provides **Contextual Heuristic Inference**. When a payload is fired at a website, the website might not throw an obvious error. Instead, the page might simply take 5 seconds longer to load, or a login page might quietly redirect to an admin dashboard.
We use models like `gemma3:27b` because they possess deep reasoning capabilities. The model can look at the website's response, understand the context of what happened, and logically deduce if the database logic was successfully bypassed, even if no explicit error was thrown. We run this locally to ensure complete privacy of the target data.
### 3. Why is a Dataset used in this project?
While the AI model acts as the "Brain" to evaluate the damage, the dataset (`sqli_dataset.csv`) acts as the **"Ammunition"**.
### 4. How does the project detect vulnerabilities?
The detection process follows a strict 4-step pipeline:
1. **Injection:** The scanner pulls a payload from the dataset, URL-encodes it, and injects it into the target website's URL parameter (e.g., `?id=`).
2. **Execution & Normalization:** It sends the HTTP GET request to the target server. When the server replies with an HTML page, the scanner uses `BeautifulSoup` to strip away all the noisy HTML tags, leaving only the raw visible text.
3. **Prompt Construction:** The scanner bundles the original payload, the HTTP status code, and the cleaned response text into a highly specific Prompt Template.
4. **LLM Inference:** This prompt is sent to the AI model. The AI acts as an analyst, reading the response to see if the database leaked information or behaved abnormally. It strictly outputs a classification of `VULNERABLE` or `SAFE`, alongside a brief human-readable explanation of *why* it made that decision.
### 5. How is the Accuracy of the AI Model measured?
Because the scanner tests live websites, you cannot measure its accuracy by just looking at the CSV dataset. You must measure it against a known "Ground Truth."
To do this, the project includes a controlled testing suite (`evaluate.py` and `dummy_target.py`):
1. **The Dummy Target:** A local web server is spun up with two specific pages. One page (`/vulnerable`) is intentionally coded terribly so it will always crash on a SQL payload. The other page (`/safe`) is highly secure and will always block the payload safely.
2. **The Experiment:** The `evaluate.py` script takes payloads from your dataset and fires them at *both* pages. Since we already know the correct answers (the vulnerable page *should* be flagged, the safe page *should not*), we can strictly grade the AI's answers.
3. **The Metrics:** Using standard classification metrics from `scikit-learn`, the script calculates:
   * **True Positives:** How many real attacks it successfully caught.
   * **False Positives (Hallucinations):** How many safe pages it falsely flagged as vulnerable.
   * **Accuracy, Precision, Recall, and F1-Score:** The final percentages showing how reliable the AI is at making the correct detection.
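
The grading step described in sections 4 and 5, as an added example (not the project's `evaluate.py`): it parses each model reply strictly and computes the metrics by hand instead of through `scikit-learn`, so it runs with no dependencies. The sample replies, the `parse_verdict`, `ratio` and `grade` names, and the rule that an unusable reply is scored as a wrong answer are assumptions of this example.

```python
import re

# Constructed sample, not real scan output: (endpoint hit, raw model reply).
# Ground truth as on the page: /vulnerable should be flagged, /safe should not.
SAMPLE_RUNS = [
    ("/vulnerable", "VULNERABLE - database error text in the body"),
    ("/vulnerable", "VULNERABLE: row count changed"),
    ("/vulnerable", "VULNERABLE - stack trace names the query"),
    ("/vulnerable", "VULNERABLE: error page returned"),
    ("/vulnerable", "Not SAFE, probably VULNERABLE"),    # two labels: ambiguous
    ("/safe", "SAFE - input rejected"),
    ("/safe", "SAFE: generic 400 page"),
    ("/safe", "SAFE - normal content"),
    ("/safe", "VULNERABLE - wording looks suspicious"),  # false alarm
    ("/safe", "This might be exploitable."),             # no label at all
]

LABEL = re.compile(r"\b(VULNERABLE|SAFE)\b")

def parse_verdict(reply):
    """1 for VULNERABLE, 0 for SAFE, None unless exactly one label appears."""
    found = set(LABEL.findall(reply))
    if len(found) != 1:
        return None
    return 1 if "VULNERABLE" in found else 0

def ratio(num, den):
    return num / den if den else 0.0   # avoid ZeroDivisionError on empty classes

def grade(runs):
    """Confusion counts and metrics; unusable replies are scored as wrong."""
    c = {"tp": 0, "fp": 0, "tn": 0, "fn": 0, "unparsed": 0}
    for endpoint, reply in runs:
        truth = 1 if endpoint == "/vulnerable" else 0
        pred = parse_verdict(reply)
        if pred is None:               # assumption of this example: count as an error
            c["unparsed"] += 1
            pred = 1 - truth
        key = ("t" if pred == truth else "f") + ("p" if pred else "n")
        c[key] += 1
    c["accuracy"] = ratio(c["tp"] + c["tn"], len(runs))
    c["precision"] = ratio(c["tp"], c["tp"] + c["fp"])
    c["recall"] = ratio(c["tp"], c["tp"] + c["fn"])
    c["f1"] = ratio(2 * c["tp"], 2 * c["tp"] + c["fp"] + c["fn"])
    return c

if __name__ == "__main__":
    print(grade(SAMPLE_RUNS))
```

Reporting `unparsed` next to the scores matters because silently dropping replies that lack a clean `VULNERABLE` or `SAFE` label would inflate every metric.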