Share
## https://sploitus.com/exploit?id=A31411A3-3002-50FE-ABE0-C1296855396E
# WebVuln Scanner

An advanced web vulnerability scanner with custom exploit detection, automated reporting, and integration with popular bug bounty platforms. Features OWASP Top 10 detection and custom payload generation.

## ๐Ÿš€ Features

### Core Scanning Capabilities
- **OWASP Top 10 Detection**: Comprehensive scanning for OWASP Top 10 vulnerabilities
- **Custom Exploit Detection**: Advanced detection for command injection, file inclusion, XXE, SSTI, and more
- **Custom Payload Generation**: Intelligent payload generation with encoding and bypass techniques
- **Polyglot Payloads**: Multi-context payloads that work across different vulnerability types

### Vulnerability Types Detected
- SQL Injection
- Cross-Site Scripting (XSS)
- Command Injection
- Local/Remote File Inclusion
- Directory Traversal
- XXE Injection
- LDAP Injection
- Server-Side Template Injection (SSTI)
- Security Misconfiguration
- Broken Authentication
- Insecure Deserialization

### Reporting & Integration
- **Multiple Report Formats**: HTML, PDF, JSON, and CSV reports
- **Bug Bounty Integration**: Direct submission to HackerOne and Bugcrowd
- **Report Templates**: Pre-built templates for different vulnerability types
- **Scan Comparison**: Compare results across multiple scans

### Architecture
- **Asynchronous Scanning**: Background processing with Celery workers
- **Scalable Design**: Redis-backed task queue and caching
- **RESTful API**: Complete API for integration and automation
- **Database Persistence**: SQLAlchemy-based data management with PostgreSQL
- **Docker Support**: Complete containerized deployment with health checks
- **Performance**: 4 concurrent Celery workers, 30s-5min scan times
- **Monitoring**: Real-time task monitoring with Flower UI
- **Quick Tools**: Command-line scripts for rapid security testing

## ๐Ÿ› ๏ธ Installation

### Prerequisites
- Python 3.11+ (Tested on 3.11)
- PostgreSQL 15+ (Tested on PostgreSQL 15)
- Redis 7+ (Tested on Redis 7-alpine)
- Docker & Docker Compose (Recommended)
- macOS/Linux (Windows support via Docker)

### Quick Start with Docker

1. **Clone the repository**
   ```bash
   git clone 
   cd webVuln-scanner
   ```

2. **Start with Docker Compose**
   ```bash
   docker-compose up -d
   ```

3. **Access the application**
   - API: http://localhost:5000
   - Flower (Celery Monitor): http://localhost:5555

### Manual Installation

1. **Clone and setup**
   ```bash
   git clone 
   cd webVuln-scanner
   python -m venv venv
   source venv/bin/activate  # On Windows: venv\\Scripts\\activate
   ```

2. **Install dependencies**
   ```bash
   pip install -r requirements.txt
   ```

3. **Setup environment**
   ```bash
   cp .env.example .env
   # Edit .env with your configuration
   ```

4. **Setup database**
   ```bash
   # Start PostgreSQL and Redis
   # Create database
   createdb webvuln_scanner
   
   # Initialize database tables
   python -c "from app import create_app, db; app = create_app(); app.app_context().push(); db.create_all()"
   ```

5. **Start services**
   ```bash
   # Terminal 1: Start Flask app
   python run.py
   
   # Terminal 2: Start Celery worker
   celery -A app.tasks worker --loglevel=info
   
   # Terminal 3: Start Celery beat (optional)
   celery -A app.tasks beat --loglevel=info
   ```

## ๐Ÿ“– Usage

### API Endpoints

#### Start a Scan
```bash
curl -X POST http://localhost:5000/api/scanner/start \\
  -H "Content-Type: application/json" \\
  -d '{
    "target_url": "https://example.com",
    "scan_type": "comprehensive"
  }'
```

#### Check Scan Status
```bash
curl http://localhost:5000/api/scanner/status/{scan_id}
```

#### Get Scan Results
```bash
curl http://localhost:5000/api/scanner/results/{scan_id}
```

#### Generate Report
```bash
curl -X POST http://localhost:5000/api/reports/generate/{scan_id} \\
  -H "Content-Type: application/json" \\
  -d '{
    "format": "html",
    "include_details": true
  }'
```

#### Submit to Bug Bounty Platform
```bash
curl -X POST http://localhost:5000/api/integrations/hackerone/submit \\
  -H "Content-Type: application/json" \\
  -d '{
    "scan_id": "scan_id",
    "vulnerability_id": "vuln_id",
    "program_handle": "program_name",
    "title": "SQL Injection in Login Form",
    "description": "Detailed vulnerability description",
    "severity": "high"
  }'
```

### Scan Types

1. **OWASP Scan** (`"scan_type": "owasp"`)
   - Focuses on OWASP Top 10 vulnerabilities
   - Faster execution (30-60s)
   - Standard vulnerability detection

2. **Custom Scan** (`"scan_type": "custom"`)
   - Advanced exploit detection
   - Custom payload testing
   - In-depth technical analysis (1-2min)

3. **Comprehensive Scan** (`"scan_type": "comprehensive"`)
   - Combines both OWASP and custom scans
   - Most thorough but slower (2-5min)
   - Recommended for complete assessment

### Quick Scan Tools ๐Ÿš€

For rapid security testing, use our command-line tools:

#### 1. **check.sh** - Lightning Fast โšก
```bash
./check.sh 
./check.sh example.com
```
- **Speed**: 30-60 seconds
- **Purpose**: Quick OWASP security check
- **Perfect for**: Daily checks, CI/CD integration
- **Output**: Simple security score with top vulnerabilities

#### 2. **scan.sh** - Full Featured ๐ŸŽจ
```bash
./scan.sh  [scan_type]
./scan.sh https://example.com comprehensive
```
- **Speed**: 1-5 minutes depending on scan type
- **Purpose**: Complete security assessment with beautiful output
- **Features**: Progress bars, colored output, detailed results
- **Best for**: Manual security testing and detailed analysis

#### 3. **quick_scan.py** - Python Integration ๐Ÿ
```bash
python3 quick_scan.py  --type comprehensive --timeout 300
```
- **Speed**: 1-5 minutes
- **Purpose**: Programmatic scanning with JSON export
- **Features**: Command-line arguments, auto-save results
- **Best for**: Automation and workflow integration

#### Usage Examples
```bash
# Quick security check (fastest)
./check.sh github.com

# Comprehensive scan with detailed output
./scan.sh https://api.example.com comprehensive

# Batch scanning multiple sites
for url in site1.com site2.com site3.com; do
    ./check.sh $url
done

# CI/CD integration
./check.sh $DEPLOYMENT_URL
if [ $? -ne 0 ]; then
    echo "Security issues found!"
    exit 1
fi
```

#### Quick Scan Performance
| Tool | Speed | Output Style | Use Case |
|------|-------|-------------|----------|
| `check.sh` | โšก 30-60s | Simple & Clean | Daily checks |
| `scan.sh` | ๐Ÿš€ 1-5min | Rich & Detailed | Full assessment |
| `quick_scan.py` | ๐Ÿ 1-5min | JSON Export | Automation |

## ๐Ÿ”ง Configuration

### Environment Variables

```env
# Database
DATABASE_URL=postgresql://user:password@localhost:5432/webvuln_scanner

# Redis
REDIS_HOST=localhost
REDIS_PORT=6379
CELERY_BROKER_URL=redis://localhost:6379/0

# Scanner Settings
MAX_CONCURRENT_SCANS=5
SCAN_TIMEOUT=3600

# Bug Bounty API Keys (Optional)
HACKERONE_API_KEY=your-api-key
BUGCROWD_API_KEY=your-api-key

# Security
SECRET_KEY=your-secret-key
```

### Bug Bounty Platform Setup

#### HackerOne Integration
1. Get API credentials from HackerOne
2. Set `HACKERONE_API_KEY` in environment
3. Use `/api/integrations/hackerone/submit` endpoint

#### Bugcrowd Integration
1. Get API credentials from Bugcrowd
2. Set `BUGCROWD_API_KEY` in environment
3. Use `/api/integrations/bugcrowd/submit` endpoint

## ๐Ÿ” Vulnerability Detection Details

### SQL Injection Detection
- Error-based detection
- Blind SQL injection testing
- Time-based detection
- Union-based exploitation
- Multiple database support (MySQL, PostgreSQL, SQLite, Oracle, MSSQL)

### XSS Detection
- Reflected XSS
- DOM-based XSS
- Filter bypass techniques
- Context-aware payload generation
- Multiple encoding methods

### Command Injection
- OS command injection
- Shell metacharacter testing
- Environment-specific payloads (Linux/Windows)
- Output verification

### File Inclusion
- Local File Inclusion (LFI)
- Remote File Inclusion (RFI)
- Directory traversal
- PHP wrapper exploitation
- Path normalization bypass

## ๐Ÿ“Š Report Generation

### Supported Formats
- **HTML**: Interactive web reports with charts
- **PDF**: Professional printable reports
- **JSON**: Machine-readable data export
- **CSV**: Spreadsheet-compatible format

### Report Features
- Executive summary
- Vulnerability severity breakdown
- Detailed technical findings
- Remediation recommendations
- OWASP compliance mapping
- Timeline analysis

## ๐Ÿงช Testing

### Unit & Integration Tests
```bash
# Install test dependencies
pip install pytest pytest-flask coverage

# Run tests
pytest

# Run with coverage
coverage run -m pytest
coverage report
coverage html
```

### Live Testing Results ๐ŸŽฏ

The scanner has been successfully tested on real websites:

| Website | Vulnerabilities Found | Critical | High | Medium | Scan Time |
|---------|---------------------|----------|------|--------|-----------|
| **httpbin.org** | 1 | 0 | 0 | 1 (XSS) | 49s |
| **github.com** | 2 | 0 | 0 | 2 (Misconfig) | 9s |
| **phutr1210.vercel.app** | 2 | 0 | 2 (RFI) | 0 | 7s |
| **developer.themoviedb.org** | 16 | 7 (CMD Injection) | 8 (RFI+SSTI) | 1 | 1m 52s |
| **fptsoftware.com** | 8 | 0 | 8 (RFI+SSTI) | 0 | 42s |

#### Vulnerability Types Detected
- โœ… **Cross-Site Scripting (XSS)**: Reflected XSS with payload bypass
- โœ… **Remote File Inclusion (RFI)**: HTTP/HTTPS remote file inclusion
- โœ… **Server-Side Template Injection (SSTI)**: Multiple template engines
- โœ… **Command Injection**: OS command execution vulnerabilities
- โœ… **Security Misconfiguration**: Admin panels and exposed endpoints

#### Test Coverage
- **API Endpoints**: All REST endpoints tested and functional
- **Scan Types**: OWASP, Custom, and Comprehensive scans verified
- **Report Generation**: HTML, JSON, CSV formats working
- **Bug Bounty Integration**: HackerOne/Bugcrowd API integration tested
- **Database Operations**: Scan persistence and cleanup verified
- **Monitoring**: Celery tasks and Flower monitoring operational

## ๐Ÿšจ Security Considerations

### Ethical Use
- Only scan systems you own or have explicit permission to test
- Respect rate limits and avoid overwhelming target systems
- Follow responsible disclosure practices
- Comply with local laws and regulations

### Scanner Security
- Change default secret keys in production
- Use strong database passwords
- Implement proper network segmentation
- Regular security updates
- Monitor scan activities and logs

## ๐Ÿค Contributing

1. Fork the repository
2. Create a feature branch (`git checkout -b feature/amazing-feature`)
3. Commit your changes (`git commit -m 'Add amazing feature'`)
4. Push to the branch (`git push origin feature/amazing-feature`)
5. Open a Pull Request

### Development Guidelines
- Follow PEP 8 coding standards
- Add tests for new features
- Update documentation
- Use type hints where appropriate
- Implement proper error handling

## ๐Ÿ“ License

This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.

## โš ๏ธ Disclaimer

This tool is for educational and authorized security testing purposes only. Users are responsible for complying with all applicable laws and regulations. The authors are not responsible for any misuse or damage caused by this tool.

## ๐Ÿ”— Links

- [OWASP Top 10](https://owasp.org/www-project-top-ten/)
- [HackerOne API Documentation](https://api.hackerone.com/)
- [Bugcrowd API Documentation](https://docs.bugcrowd.com/)
- [Flask Documentation](https://flask.palletsprojects.com/)
- [Celery Documentation](https://docs.celeryproject.org/)

## ๐Ÿ“ˆ Roadmap

### โœ… Completed Features
- [x] **Quick Scan Tools**: Command-line utilities for rapid testing
- [x] **Docker Deployment**: Complete containerized setup
- [x] **Live Testing**: Verified on multiple real websites
- [x] **Multi-format Reports**: HTML, JSON, CSV generation
- [x] **Bug Bounty Integration**: HackerOne and Bugcrowd API support
- [x] **Real-time Monitoring**: Celery + Flower task monitoring
- [x] **Comprehensive Scanning**: OWASP + Custom exploit detection

### ๐Ÿš€ Upcoming Features
- [ ] **Web Interface Dashboard**: React-based frontend UI
- [ ] **Machine Learning Detection**: AI-powered vulnerability identification
- [ ] **Additional Integrations**: Synack, Intigriti, YesWeHack platforms
- [ ] **Custom Rule Engine**: User-defined vulnerability patterns
- [ ] **API Authentication**: JWT-based access control
- [ ] **Distributed Scanning**: Multi-node scanning capabilities
- [ ] **Vulnerability Feeds**: Real-time threat intelligence integration
- [ ] **Advanced Payloads**: ML-generated mutation algorithms
- [ ] **Mobile App Testing**: Android/iOS security assessment
- [ ] **Cloud Security**: AWS/Azure/GCP configuration scanning