GitHub: Rajasekharreddy-12/NETRA-webvuln-Scanner
# 🛡️ NETRA — AI-Based Web Vulnerability Scanner
A professional, full-stack web vulnerability scanning platform powered by OWASP ZAP, with a modern React dashboard and Python Flask backend.
## ✨ Features
- **Automated Crawling** — ZAP Spider discovers pages, forms, and endpoints
- **Active Vulnerability Scanning** — Detects SQLi, XSS, CSRF, Open Redirect, and more
- **Severity Classification** — Critical / High / Medium / Low / Informational
- **Risk Scoring** — Grade-based risk assessment (A–F)
- **Live Progress** — Real-time scan progress dashboard
- **Scan History** — MongoDB-backed history with full details
- **Export Reports** — Download PDF, JSON, or CSV reports
- **URL Validation** — Blocks private/local network scanning
## 🏗️ Architecture
```text
User → React Dashboard (port 3000)
              ↓
       Flask API (port 5000)
              ↓
     OWASP ZAP Daemon (port 8080)
              ↓
       MongoDB (port 27017)
```
## 📋 Requirements
| Tool | Version | Purpose |
|------------|----------|------------------------|
| Python | 3.9+ | Backend runtime |
| Node.js | 18+ | Frontend runtime |
| MongoDB | 6.0+ | Scan data storage |
| OWASP ZAP | 2.14+ | Scanning engine |
## 🚀 Quick Start (Single Command)
```bash
bash run.sh
```
This script automatically:
1. Starts MongoDB
2. Launches OWASP ZAP daemon
3. Installs and starts Flask backend
4. Installs and starts React frontend
## 🔧 Manual Setup
### 1. Install OWASP ZAP
Download from: https://www.zaproxy.org/download/
**Linux/macOS:**
```bash
# Extract and run
./zap.sh -daemon -port 8080 -config api.key=hho3e6g94etdom5dor855hf6fv
```
**Windows:**
```bat
zap.bat -daemon -port 8080 -config api.key=hho3e6g94etdom5dor855hf6fv
```
The key shown here is published in this README and is therefore not a secret: pick a random value of your own and use the same value for `ZAP_API_KEY` in `backend/.env`, otherwise ZAP rejects the backend's API calls. Leave ZAP listening on localhost (its default); the Flask backend is the only client that needs to reach it.
ZAP takes a while to initialise (typically around 30 seconds). Wait until it answers on port 8080 before starting the backend.
### 2. Start MongoDB
```bash
# Default startup (the ./data/db directory must exist before mongod starts)
mongod --dbpath ./data/db
```
### 3. Backend Setup
```bash
cd backend
python3 -m venv venv
source venv/bin/activate   # Windows: venv\Scripts\activate
pip install -r requirements.txt
python app.py
```
### 4. Frontend Setup
```bash
cd frontend
npm install
npm start
```
Open **http://localhost:3000**
## ⚙️ Environment Variables
Create a `.env` file in `backend/` (`ZAP_API_KEY` must be the same value you passed to ZAP as `api.key`):
```ini
ZAP_HOST=http://localhost
ZAP_PORT=8080
ZAP_API_KEY=hho3e6g94etdom5dor855hf6fv
MONGO_URI=mongodb://localhost:27017/
MONGO_DB=netra_db
PORT=5000
FLASK_DEBUG=false
SPIDER_TIMEOUT=180
ACTIVE_SCAN_TIMEOUT=600
```
Keep `FLASK_DEBUG=false` anywhere other than a private development machine: Flask's debug mode exposes the Werkzeug interactive debugger, which can be used to execute code on the server. `SPIDER_TIMEOUT` and `ACTIVE_SCAN_TIMEOUT` are in seconds and bound the crawl and the active scan respectively.
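How a backend drives ZAP with these settings, as an added example that is not the project's `scanner.py` or `zap_client.py` (the page does not show them): a readiness check, the spider, the active scan and alert collection, with both timeouts enforced so a slow target yields a partial result instead of a hung scan. The endpoint paths, the `X-ZAP-API-Key` header and the `scan`/`status`/`alerts`/`risk` field names are ZAP's own; `make_fake_zap` is a constructed in-memory stand-in so the flow can run offline. Note that ZAP reports four risk levels (Informational, Low, Medium, High); the Critical tier in NETRA's output comes from the project's `risk_calculator.py`, which this page does not show.

```python
"""Spider, active scan and alert collection against the ZAP JSON API.
Added example: not the project's scanner.py/zap_client.py. Endpoint names
are ZAP's; make_fake_zap is a constructed stand-in for offline runs/tests."""
import json
import os
import time
import urllib.parse
import urllib.request

ZAP_BASE = os.environ.get("ZAP_HOST", "http://localhost") + ":" + os.environ.get("ZAP_PORT", "8080")
API_KEY = os.environ.get("ZAP_API_KEY", "")
SPIDER_TIMEOUT = int(os.environ.get("SPIDER_TIMEOUT", "180"))
ACTIVE_SCAN_TIMEOUT = int(os.environ.get("ACTIVE_SCAN_TIMEOUT", "600"))


def zap_get(path, **params):
    """GET <ZAP_BASE>/JSON/<component>/<type>/<name>/ with the key in a header.
    ZAP answers errors (bad key, URL not in the site tree) with a 4xx status and a
    JSON body; urlopen raises HTTPError for those, so failures surface immediately."""
    url = f"{ZAP_BASE}/JSON/{path}/?{urllib.parse.urlencode(params)}"
    req = urllib.request.Request(url, headers={"X-ZAP-API-Key": API_KEY})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())


def wait_until_done(poll, timeout, interval, sleep=time.sleep, clock=time.monotonic):
    """Poll a ZAP status view (a string percentage) until 100 or the deadline.
    Returns the last percentage seen so the caller can tell a timeout apart."""
    deadline = clock() + timeout
    while True:
        pct = int(poll())
        if pct >= 100 or clock() >= deadline:
            return pct
        sleep(interval)


def run_scan(target, api=zap_get, sleep=time.sleep, clock=time.monotonic, interval=2.0):
    """Readiness check -> spider -> active scan -> alerts, honouring both timeouts."""
    version = api("core/view/version")["version"]    # fails fast if ZAP is down or the key is wrong

    spider_id = api("spider/action/scan", url=target, recurse="true")["scan"]
    spider_pct = wait_until_done(
        lambda: api("spider/view/status", scanId=spider_id)["status"],
        SPIDER_TIMEOUT, interval, sleep, clock)
    if spider_pct < 100:                               # crawl overran SPIDER_TIMEOUT: stop it,
        api("spider/action/stop", scanId=spider_id)    # but still scan whatever it found
    urls_found = len(api("spider/view/results", scanId=spider_id)["results"])

    ascan_id = api("ascan/action/scan", url=target, recurse="true")["scan"]
    ascan_pct = wait_until_done(
        lambda: api("ascan/view/status", scanId=ascan_id)["status"],
        ACTIVE_SCAN_TIMEOUT, interval, sleep, clock)
    if ascan_pct < 100:
        api("ascan/action/stop", scanId=ascan_id)

    alerts = api("core/view/alerts", baseurl=target)["alerts"]
    counts = {"High": 0, "Medium": 0, "Low": 0, "Informational": 0}   # ZAP's four risk levels
    for alert in alerts:
        counts[alert["risk"]] = counts.get(alert["risk"], 0) + 1
    return {"zap_version": version, "urls_found": urls_found, "spider_pct": spider_pct,
            "ascan_pct": ascan_pct, "counts": counts, "alerts": alerts,
            "partial": spider_pct < 100 or ascan_pct < 100}


def make_fake_zap(alerts, step=50):
    """Constructed in-memory stand-in for the ZAP API (offline demo/test only).
    Each status call advances the corresponding scan by `step` percent."""
    state = {"spider": 0, "ascan": 0, "calls": []}

    def api(path, **params):
        state["calls"].append(path)
        if path == "core/view/version":
            return {"version": "2.14.0"}
        if path in ("spider/action/scan", "ascan/action/scan"):
            return {"scan": "0"}
        if path in ("spider/view/status", "ascan/view/status"):
            key = path.split("/")[0]
            state[key] = min(100, state[key] + step)
            return {"status": str(state[key])}
        if path == "spider/view/results":
            return {"results": ["http://target.test/", "http://target.test/login"]}
        if path == "core/view/alerts":
            return {"alerts": alerts}
        if path.endswith("/action/stop"):
            return {"Result": "OK"}
        raise KeyError(path)

    return api, state


if __name__ == "__main__":
    # Constructed sample alerts in ZAP's alert shape.
    sample = [{"risk": "High", "name": "SQL Injection", "url": "http://target.test/login", "param": "user"},
              {"risk": "Low", "name": "Cookie Without Secure Flag", "url": "http://target.test/", "param": ""}]
    fake_api, _ = make_fake_zap(sample)
    print(json.dumps(run_scan("http://target.test", api=fake_api, sleep=lambda s: None), indent=2))
```

Against a live ZAP, `run_scan("https://example.com")` with the default arguments reads the connection settings from the same environment variables as the `.env` above. The `partial` flag is what a dashboard should surface when a timeout fires: the findings are real but the coverage is not.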
## 📡 API Reference
### Start a Scan
```http
POST /api/scan
Content-Type: application/json

{ "url": "https://example.com" }
```
**Response:**
```json
{
  "scan_id": "65a1b2c3d4e5f6a7b8c9d0e1",
  "message": "Scan started.",
  "target_url": "https://example.com"
}
```
### Get Scan Status
```http
GET /api/scan/{id}
```
**Response:**
```json
{
  "id": "65a1b2c3d4e5f6a7b8c9d0e1",
  "target_url": "https://example.com",
  "status": "completed",
  "progress": 100,
  "phase": "completed",
  "risk": {
    "grade": "B",
    "raw_score": 18,
    "counts": { "Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Informational": 5 }
  },
  "vulnerabilities": [...],
  "urls_found": 24,
  "duration_secs": 187
}
```
### Get Scan History
```http
GET /api/history?limit=50
```
### Delete a Scan
```http
DELETE /api/scan/{id}
```
### Download Report
```http
GET /api/scan/{id}/report/pdf
GET /api/scan/{id}/report/json
GET /api/scan/{id}/report/csv
```
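The CSV report hands an analyst a file that spreadsheets open by default, and its cells are filled from the scanned site's own responses (alert names, URLs, parameters, evidence), so a hostile target can plant a formula in them. As an added example that is not the project's `report_generator.py` (the page does not show it, and the record fields `severity`, `name`, `url`, `param`, `evidence` are assumed), here is a writer that neutralises formula-leading cells so the export cannot become a payload when opened in Excel or LibreOffice:

```python
"""CSV export with spreadsheet-formula neutralisation. Added example, not the
project's report_generator.py; the vulnerability record fields are assumed."""
import csv
import io

COLUMNS = ("severity", "name", "url", "param", "evidence")
# Leading characters that make a spreadsheet evaluate a cell instead of showing it.
FORMULA_LEADERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Prefix a single quote so the cell is stored as text. This also escapes
    harmless values such as "-1"; consumers that parse numbers must strip it."""
    text = "" if value is None else str(value)
    return "'" + text if text.startswith(FORMULA_LEADERS) else text


def vulnerabilities_to_csv(vulns):
    """Render a list of vulnerability dicts as a CSV string with every cell quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(COLUMNS)
    for vuln in vulns:
        writer.writerow([neutralize_cell(vuln.get(col, "")) for col in COLUMNS])
    return buf.getvalue()


# Constructed sample findings; the second one carries a formula in its evidence.
SAMPLE_VULNS = [
    {"severity": "High", "name": "SQL Injection", "url": "https://example.com/login",
     "param": "user", "evidence": "You have an error in your SQL syntax"},
    {"severity": "Low", "name": "Information Disclosure", "url": "https://example.com/",
     "param": "", "evidence": '=HYPERLINK("https://attacker.example","open me")'},
]

if __name__ == "__main__":
    print(vulnerabilities_to_csv(SAMPLE_VULNS))
```

The same treatment belongs on any cell that reaches a spreadsheet, including the JSON-to-CSV path a user might build from the JSON report.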
### Health Check
```http
GET /api/health
```
## 🔒 Security Notes
- **Private IP blocking** — The scanner refuses to scan `localhost`, `127.x.x.x`, `10.x.x.x`, `172.16.x.x`, `192.168.x.x`
- **Rate limiting** — 60 requests/minute per IP; 10 scan starts/minute
- **Input validation** — All URLs validated before scanning
- **Educational use only** — Only scan targets you own or have explicit permission to test
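A stricter form of the private-network check, as an added example that is not the project's `url_validator.py` (the page does not show it). Beyond the literal ranges listed above it rejects every address Python's `ipaddress` module classes as non-global (all of RFC 1918 including 172.16.0.0/12, loopback, link-local such as the 169.254.169.254 cloud metadata endpoint, IPv6 ULA and IPv4-mapped IPv6), and it checks what a hostname actually resolves to, so a public name that points at a private address is refused as well. The resolver is injectable; the hostnames in the test table are constructed.

```python
"""Target validation with DNS resolution. Added example, not the project's
url_validator.py. Rejects non-global addresses after resolving the hostname."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
MAX_URL_LEN = 2048


def default_resolver(host):
    """All A/AAAA addresses for a hostname; IP literals come back unchanged."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_public_address(ip_str):
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(ip_str)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped            # ::ffff:10.0.0.1 is still 10.0.0.1
    return ip.is_global and not ip.is_multicast


def validate_target(url, resolver=default_resolver):
    """Return the URL to scan, or raise ValueError saying why it was refused."""
    if len(url) > MAX_URL_LEN:
        raise ValueError("URL too long")
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"unsupported scheme {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials embedded in the URL are not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    if host.lower() == "localhost" or host.lower().endswith(".localhost"):
        raise ValueError("loopback hostname")
    try:
        addrs = resolver(host)
    except OSError as exc:                 # socket.gaierror is a subclass of OSError
        raise ValueError(f"cannot resolve {host!r}: {exc}") from None
    if not addrs:
        raise ValueError(f"{host!r} resolved to no addresses")
    for addr in addrs:                     # a single private address is enough to refuse
        if not is_public_address(addr):
            raise ValueError(f"{host!r} resolves to non-public address {addr}")
    return parts.geturl()


def check_target(url, resolver=default_resolver):
    """Non-raising form for API handlers: (True, url) or (False, reason)."""
    try:
        return True, validate_target(url, resolver)
    except ValueError as exc:
        return False, str(exc)
```

Resolving at validation time still leaves a window for DNS rebinding between the check and ZAP's own lookup; a scanner that must defend against that has to pin the resolved address (or resolve inside the proxy) rather than validate the name once.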
## 📁 Project Structure
```text
NETRA/
├── backend/
│   ├── app.py                 # Flask API server
│   ├── scanner.py             # Scan orchestration
│   ├── zap_client.py          # OWASP ZAP REST client
│   ├── risk_calculator.py     # Severity classification & scoring
│   ├── url_validator.py       # URL validation & private IP blocking
│   ├── database.py            # MongoDB CRUD operations
│   ├── report_generator.py    # PDF/JSON/CSV report generation
│   └── requirements.txt
├── frontend/
│   ├── src/
│   │   ├── components/
│   │   │   ├── Navbar.jsx
│   │   │   ├── ScanForm.jsx
│   │   │   ├── VulnerabilityTable.jsx
│   │   │   └── SeverityChart.jsx
│   │   ├── pages/
│   │   │   ├── Dashboard.jsx
│   │   │   ├── ScanDetails.jsx
│   │   │   └── History.jsx
│   │   └── services/api.js
│   ├── package.json
│   └── tailwind.config.js
├── run.sh
└── README.md
```
## 🧪 Demo Targets (Safe to scan)
These are intentionally vulnerable applications hosted publicly for testing. Check each site's own terms before running an active scan, since availability and permitted use can change:
- `https://testphp.vulnweb.com` — PHP vulnerable app
- `https://demo.testfire.net` — IBM AltoroMutual demo
- `http://juice-shop.herokuapp.com` — OWASP Juice Shop
The private-network block described in the Security Notes applies here too: a copy of Juice Shop or another lab application running on `localhost` or your LAN cannot be scanned unless you relax the check in `url_validator.py`.
## 🐛 Troubleshooting
| Issue | Solution |
|-------|----------|
| ZAP not connecting | Ensure ZAP is running: `curl http://localhost:8080` |
| MongoDB connection failed | Run `mongod --dbpath ./data/db` |
| Frontend blank page | Check `npm start` output; ensure port 3000 is free |
| Scan stuck at 0% | Check ZAP API key matches `ZAP_API_KEY` env var |
| PDF export fails | Run `pip install fpdf2` |
## 📄 License
For educational and cybersecurity research purposes only.