reginaldbaraza-code/playwright-security-scanner

GitHub: reginaldbaraza-code/playwright-security-scanner

Stars: 0 | Forks: 0

# Playwright Security Scanner 🔍

Automated security test suite built with pytest. Scans web applications for common security misconfigurations that most teams never write tests for — missing headers, insecure cookies, open redirects, form vulnerabilities, and information leakage.

The idea: many security issues are really just **test cases nobody wrote**. Missing `X-Frame-Options`? That's a test. Session cookie without `HttpOnly`? That's a test. Stack trace in a 500 response? That's a test.

This project turns OWASP best practices into automated tests that can run in CI.

## What It Checks

| Scanner | What it looks for | Severity examples |
|---------|------------------|-------------------|
| **Headers** (`scanners/headers.py`) | Missing CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy. Flags unsafe CSP directives and server version disclosure. | Missing CSP = High, unsafe-eval = High |
| **Cookies** (`scanners/cookies.py`) | Missing Secure/HttpOnly/SameSite flags on session cookies. Overly broad domain scope. SameSite=None without Secure. | Session cookie without HttpOnly = High |
| **Redirects** (`scanners/redirects.py`) | External URLs in redirect parameters (next, redirect_url, goto, etc.). Protocol-relative redirects. Cross-domain redirect detection. | Open redirect = Medium |
| **Forms** (`scanners/forms.py`) | Missing CSRF tokens on POST forms. Form actions over HTTP. Password autocomplete. Sensitive data submitted via GET. | Missing CSRF = High |
| **Info Leak** (`scanners/info_leak.py`) | Stack traces in error responses (Python, Java, .NET, PHP, Node). Exposed API keys, connection strings, secrets. Developer comments. Debug endpoints. | Exposed API key = High |

## How It Works

The scanners don't depend on Playwright at runtime — they analyze HTTP response data (headers, body, cookies) passed in as plain Python objects.

This means:

- **Unit tests run without a browser** — fast, no dependencies, great for CI
- **Playwright integration** is a thin layer on top — load a page, pass the response data to the scanners
- Every finding includes severity, OWASP reference, CWE ID, evidence, and remediation steps

```
pytest fixtures (mock data)
│
└── Scanner logic (headers, cookies, forms, etc.)
    │
    └── ScanResult with Finding objects
        │
        └── Assertions in test cases
```

## Quick Start

```bash
git clone https://github.com/reginaldbaraza-code/playwright-security-scanner.git
cd playwright-security-scanner
pip install -e ".[dev]"

# Run all 44 tests
pytest -v
```

## Using a Scanner Directly

```python
from scanners.headers import HeaderScanner

scanner = HeaderScanner()
result = scanner.scan(
    url="https://myapp.com",
    headers={
        "Content-Security-Policy": "default-src 'self'; script-src 'unsafe-eval'",
        "Server": "nginx/1.18.0",
        # Missing: HSTS, X-Frame-Options, X-Content-Type-Options...
    },
)

for finding in result.findings:
    print(f"[{finding.severity.value}] {finding.title}")
    print(f"  Remediation: {finding.remediation}")
```

## Project Structure

```
playwright-security-scanner/
├── scanners/
│   ├── models.py          # Finding, Severity, ScanResult dataclasses
│   ├── headers.py         # 6 required headers + CSP quality + version disclosure
│   ├── cookies.py         # Secure, HttpOnly, SameSite, domain scope checks
│   ├── redirects.py       # Open redirect detection via URL parameter analysis
│   ├── forms.py           # CSRF tokens, HTTPS actions, autocomplete, GET method
│   └── info_leak.py       # Stack traces, secrets, debug endpoints, comments
├── tests/
│   ├── test_headers.py    # 9 tests
│   ├── test_cookies.py    # 9 tests
│   ├── test_redirects.py  # 7 tests
│   ├── test_forms.py      # 8 tests
│   └── test_info_leak.py  # 11 tests
└── pyproject.toml
```

## Tech Stack

- **Python 3.11+**
- **Playwright** — browser automation (for integration mode)
- **Flask** — mock vulnerable app for scanner testing
- **pytest** — 44 tests, all passing without a browser

## License

MIT
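As an added, stand-alone illustration of the header checks listed under "What It Checks" (example code written for this page, not the project's own `HeaderScanner`), the block below reimplements the required-header, unsafe-CSP-directive and server-version checks over plain Python objects, run against the same header set as the direct-use example above. The `Finding` fields, the version regex, and every severity other than "Missing CSP = High" and "unsafe-eval = High" are assumptions made for this example.

```python
from dataclasses import dataclass
import re

# Severity per required header; only "Missing CSP = High" comes from the README,
# the rest are assumed for this example.
REQUIRED_HEADERS = {
    "Content-Security-Policy": "High",
    "Strict-Transport-Security": "High",
    "X-Frame-Options": "Medium",
    "X-Content-Type-Options": "Medium",
    "Referrer-Policy": "Low",
    "Permissions-Policy": "Low",
}
UNSAFE_CSP = ("'unsafe-eval'", "'unsafe-inline'")  # flagged High, as the README does for unsafe-eval
VERSION_RE = re.compile(r"\d+\.\d+")  # matches a version number such as "nginx/1.18.0"

@dataclass(frozen=True)
class Finding:
    severity: str
    title: str
    evidence: str

def scan_headers(headers):
    """Return Findings for one HTTP response's headers (no network, no browser)."""
    # Header names are case-insensitive, so normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, severity in REQUIRED_HEADERS.items():
        if name.lower() not in lowered:
            findings.append(Finding(severity, f"Missing {name}", "header absent"))
    csp = lowered.get("content-security-policy", "")
    for directive in UNSAFE_CSP:
        if directive in csp:
            findings.append(Finding("High", f"CSP allows {directive}", csp))
    for name in ("server", "x-powered-by"):
        value = lowered.get(name)
        if value and VERSION_RE.search(value):
            findings.append(Finding("Low", f"{name} discloses version", value))
    return findings

# Constructed sample: the header set from the README's direct-use example.
SAMPLE_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'unsafe-eval'",
    "Server": "nginx/1.18.0",
}

if __name__ == "__main__":
    for f in scan_headers(SAMPLE_HEADERS):
        print(f"[{f.severity}] {f.title}: {f.evidence}")
```

Because the scanner takes a plain dict, the same function can sit behind a pytest fixture or behind a Playwright response object's headers without changing the check itself.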