omarmohamedhassan24/Web_vulnerability_scanner

GitHub: omarmohamedhassan24/Web_vulnerability_scanner

Stars: 1 | Forks: 1

# Web Vulnerability Scanner

The scanner is paired with a deliberately vulnerable Flask "target app" so every detection technique can be exercised in a safe, self-contained environment.

## What it detects

| Module | OWASP 2021 |
|---|---|
| Cross-Site Scripting (reflected) | A03 — Injection |
| SQL Injection (error-based) | A03 — Injection |
| Missing security headers (CSP, X-Frame-Options, HSTS, X-Content-Type-Options, Referrer-Policy) | A05 — Security Misconfiguration |

## Installation

```bash
python -m venv .venv
.venv\Scripts\activate
pip install -r requirements.txt
```

## Usage

Start the deliberately vulnerable Flask app in one terminal:

```bash
cd target_app
python app.py
```

It runs on `http://localhost:5000`.

Run the scanner from another terminal:

```bash
# Full scan
python scanner.py --url http://localhost:5000

# Specific modules only
python scanner.py --url http://localhost:5000 --modules xss sqli

# Custom output and timing
python scanner.py --url http://localhost:5000 --output reports/demo.html --timeout 10 --delay 0.3
```

Open the generated report:

```bash
start reports\scan_report.html
```

### CLI flags

| Flag | Default | Purpose |
|---|---|---|
| `--url` | (required) | Target URL. Must be `localhost`, `127.0.0.1`, or a whitelisted test domain. |
| `--output` | `reports/scan_report.html` | HTML report path. JSON is written alongside with the same stem. |
| `--timeout` | `5` | Per-request timeout in seconds. |
| `--delay` | `0.0` | Seconds to sleep between requests (politeness for public targets). |
| `--modules` | all | Subset of `headers`, `xss`, `sqli`. |
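The missing-security-headers check and the CVSS-lite aggregate described in this README, as an added example that is not the project's own `modules/headers.py` or `utils.py`: it runs the check over constructed response headers and scores the findings. The per-header severities are assumptions; the README lists only the weight table, not which severity each header gets.

```python
# Added example, not the project's modules/headers.py or utils.py: a standalone
# missing-security-headers check plus the README's CVSS-lite aggregate, run over
# constructed response headers. Per-header severities are assumptions.

# The five headers the README's A05 module checks for. Severity per header is assumed.
EXPECTED_HEADERS = {
    "Content-Security-Policy": "High",
    "Strict-Transport-Security": "Medium",
    "X-Frame-Options": "Medium",
    "X-Content-Type-Options": "Low",
    "Referrer-Policy": "Low",
}

# CVSS-lite weights from the README: Critical=9, High=7, Medium=5, Low=3.
SEVERITY_SCORE = {"Critical": 9, "High": 7, "Medium": 5, "Low": 3}


def check_security_headers(headers, url="http://localhost:5000/"):
    """Return one finding per missing header. Names are compared
    case-insensitively (HTTP header names are case-insensitive)."""
    present = {name.lower() for name in headers}
    return [
        {"url": url, "type": "missing-header", "header": name, "severity": sev}
        for name, sev in EXPECTED_HEADERS.items()
        if name.lower() not in present
    ]


def cvss_lite(findings):
    """Aggregate 0-10 score: mean of per-finding weights, 0.0 with no findings."""
    if not findings:
        return 0.0
    return round(sum(SEVERITY_SCORE[f["severity"]] for f in findings) / len(findings), 2)


if __name__ == "__main__":
    # Constructed headers resembling a bare Flask/Werkzeug response.
    default = {"Content-Type": "text/html; charset=utf-8", "Server": "Werkzeug/3.0.0"}
    # Same response after the five headers are added (lower-case to show matching).
    hardened = {
        **default,
        "content-security-policy": "default-src 'self'",
        "strict-transport-security": "max-age=31536000; includeSubDomains",
        "x-frame-options": "DENY",
        "x-content-type-options": "nosniff",
        "referrer-policy": "no-referrer",
    }
    for label, hdrs in (("default", default), ("hardened", hardened)):
        found = check_security_headers(hdrs)
        print(f"{label}: {len(found)} missing, CVSS-lite {cvss_lite(found)}")
```

The bare response yields five findings and a score of 4.6; the hardened one yields none and 0.0, which is the "averaged across findings" behaviour the Bonus features section describes.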
## Project layout

```text
scanner.py                 CLI entry point
modules/
  crawler.py               BFS crawler — extracts URLs and forms
  headers.py               Missing-security-headers check
  xss.py                   Reflected XSS scanner (threaded, context-aware)
  sqli.py                  Error-based SQL injection scanner (threaded)
  reporter.py              HTML (Jinja2) + JSON report generation
  utils.py                 load_payloads, CVSS-lite scoring
  config.py                Shared DELAY / TIMEOUT (set from CLI)
payloads/
  xss_payloads.txt
  sqli_payloads.txt
reports/
  report_template.html     Jinja2 HTML template
  scan_report.html         (generated)
  scan_report.json         (generated)
target_app/
  app.py                   Deliberately vulnerable Flask app
```

## Tech stack

- Python 3
- `requests` for HTTP
- `beautifulsoup4` for HTML parsing
- `jinja2` for HTML report rendering
- `colorama` for CLI colours
- `concurrent.futures.ThreadPoolExecutor` for parallel form scanning
- `flask` for the bundled vulnerable target app

## Bonus features included

- **Multithreading** — `scan_xss` and `scan_sqli` fan out across forms via `ThreadPoolExecutor`.
- **CVSS-lite risk score** — every report includes an aggregate 0–10 severity score (`Critical=9, High=7, Medium=5, Low=3`, averaged across findings).

## Out of scope (deliberately not implemented)

This submission focuses on the three modules above. The following are described in the project plan but are not built:

- **Open redirects** (A01 — Broken Access Control)
- **Directory traversal** (A01 — Broken Access Control)
- **Sensitive-paths exposure probe** (A05 — Security Misconfiguration; bundled with the traversal module in the plan)

The CLI's `--modules` flag therefore only exposes the modules that actually exist.

## Known limitations

- **XSS detection** is reflection-context-aware (via `_payload_executes_in_html`) but not full-context-aware — it does not model attribute boundaries, JS-string contexts, or DOM sinks. False positives are minimised, not eliminated.
- **SQLi detection** is error-based only. Frameworks that suppress raw exceptions (Spring Data, Django ORM, hardened Flask) will appear clean even when blind / time-based SQLi is present.
- **The crawler does not execute JavaScript** — single-page apps will be under-explored.

## Ethical disclaimer

This tool is built for educational purposes as part of a university cybersecurity course.

- Only scan systems you own or have **explicit written permission** to test.
- Scanning any system without permission is illegal in most countries.
- The bundled Flask app exists only for practice.
- The scanner includes a domain whitelist (`localhost`, `127.0.0.1`, `testphp.vulnweb.com`) and refuses to scan anything else.