# WebVulnScan

**A beginner-to-intermediate web application vulnerability scanner built for learning the OWASP Top 10.**

![Python](https://img.shields.io/badge/Python-3.8%2B-3776AB?logo=python&logoColor=white)
![License](https://img.shields.io/badge/License-MIT-green)
![OWASP](https://img.shields.io/badge/OWASP-Top%2010-orange)
![Docker](https://img.shields.io/badge/Docker-Supported-2496ED?logo=docker&logoColor=white)

WebVulnScan crawls a target website, authenticates if credentials are provided, and tests for common security misconfigurations and injection vulnerabilities using safe, non-destructive payloads. It produces structured JSON and styled HTML reports with a percentage-based security score, severity ratings, OWASP categorization, and remediation guidance.

> **Legal Disclaimer:** Only scan systems you own or have explicit written authorization to test. Unauthorized scanning is illegal in most jurisdictions. This tool is intended for educational purposes and authorized security assessments only.

---

## Table of Contents

- [Features](#features)
- [OWASP Top 10 Coverage](#owasp-top-10-coverage)
- [Quick Start](#quick-start)
- [Usage](#usage)
- [Authentication Scanning](#authentication-scanning)
- [Docker Setup](#docker-setup)
- [Project Structure](#project-structure)
- [How It Works](#how-it-works)
- [Sample Report](#sample-report)
- [Tool Comparison](#tool-comparison)
- [Extending the Scanner](#extending-the-scanner)
- [Learning Outcomes](#learning-outcomes)

---

## Features

| Module | Description |
|--------|-------------|
| **URL Crawler** | Multi-threaded BFS crawler with form extraction, parameter discovery, and rate limiting |
| **Header Analyzer** | Detects missing security headers (CSP, HSTS, X-Frame-Options), server version disclosure, outdated software, insecure cookies, and CORS misconfigurations |
| **Directory Scanner** | Probes 60+ common paths for open directory listings, exposed config files (`.env`, `.git`), admin panels, backups, and debug endpoints |
| **SQLi Scanner** | Tests URL parameters and form inputs for error-based and boolean-based blind SQL injection using safe payloads |
| **XSS Scanner** | Injects canary payloads to detect reflected XSS across multiple contexts -- HTML body, attributes, inline JS, and SVG handlers |
| **Tech Fingerprinter** | Identifies web servers, frameworks, CMS platforms, JS libraries, and analytics tools from HTTP headers, cookies, and HTML signatures |
| **Auth Scanner** | Authenticates via form login, cookies, or HTTP headers. Detects session fixation, weak tokens, broken access control, and auth bypass |
| **ZAP Integration** | Connects to the OWASP ZAP REST API for automated spider crawling, active scanning, and alert retrieval |
| **Report Generator** | Outputs JSON and styled HTML reports with a percentage-based security score, severity ratings, OWASP categories, and remediation advice |

---

## OWASP Top 10 Coverage

| OWASP Category | What's Detected |
|----------------|-----------------|
| **A01 -- Broken Access Control** | Open directories, exposed admin panels, sensitive files, auth bypass on protected pages, missing access controls |
| **A02 -- Cryptographic Failures** | Missing HSTS, cookies without `Secure` flag |
| **A03 -- Injection** | SQL injection (error-based + boolean blind), reflected XSS, server-side template injection (SSTI) |
| **A05 -- Security Misconfiguration** | Missing security headers, server version disclosure, wildcard CORS, directory listing enabled |
| **A06 -- Vulnerable Components** | Outdated Apache, Nginx, IIS, and OpenSSL version detection against known CVEs |
| **A07 -- Auth Failures** | Session fixation, weak/low-entropy session tokens, broken access control between authenticated and unauthenticated users |

---

## Quick Start

### Prerequisites

- Python 3.8+
- pip

### Installation

```bash
git clone https://github.com/yourusername/webvulnscan.git
cd webvulnscan
pip install -r requirements.txt
```

### Run Against the Included Test App

The project includes an intentionally vulnerable Flask application for safe testing.

```bash
# Install Flask for the test app
pip install flask

# Terminal 1 -- Start the vulnerable test app
python test_app/test_app.py

# Terminal 2 -- Run the scanner
python scanner.py http://localhost:5000 --depth 2 --threads 5
```

Open the generated HTML report in `./reports/` to view your results.

---

## Usage

```
python scanner.py <target_url> [OPTIONS]
```

### Options

| Flag | Default | Description |
|------|---------|-------------|
| `-d`, `--depth` | `2` | Maximum crawl depth |
| `-p`, `--max-pages` | `50` | Maximum pages to crawl |
| `-t`, `--threads` | `5` | Number of concurrent threads |
| `-r`, `--rate-limit` | `10` | Maximum requests per second |
| `-o`, `--output` | `reports` | Output directory for reports |
| `--zap` | off | Enable OWASP ZAP integration |
| `--zap-api-key` | `""` | ZAP API key |
| `--zap-proxy` | `http://127.0.0.1:8080` | ZAP proxy address |

### Examples

```bash
# Basic scan
python scanner.py https://example.com

# Deep scan with high concurrency
python scanner.py https://example.com -d 3 -p 100 -t 10

# Gentle scan (use on slower or rate-limited targets)
python scanner.py https://example.com -r 2 -t 2

# Scan with OWASP ZAP integration
python scanner.py https://example.com --zap --zap-api-key mykey

# Output to a custom directory
python scanner.py https://example.com -o ./my-reports
```

---

## Authentication Scanning

The scanner can log in before scanning so it can test pages behind login walls and detect auth-related vulnerabilities.

### Authentication Options

| Flag | Description |
|------|-------------|
| `--auth-method` | Authentication method: `form` (default), `basic`, or `bearer` |
| `--auth-user` | Username for authentication |
| `--auth-pass` | Password (or token for bearer auth) |
| `--auth-login-url` | Login page URL (auto-detected if not set) |
| `--auth-user-field` | Username form field name (auto-detected if not set) |
| `--auth-pass-field` | Password form field name (auto-detected if not set) |
| `--auth-cookie` | Auth cookies as `name=value` pairs |

### Examples

```bash
# Form-based login (auto-detects login page and field names)
python scanner.py http://localhost:5000 --auth-user admin --auth-pass password123

# Form login with explicit URL and fields
python scanner.py http://localhost:5000 \
  --auth-user admin --auth-pass password123 \
  --auth-login-url /login \
  --auth-user-field username \
  --auth-pass-field password

# Cookie-based auth (paste session tokens from your browser)
python scanner.py http://localhost:5000 --auth-cookie session_id=abc123 csrf_token=xyz789

# HTTP Basic auth
python scanner.py http://localhost:5000 --auth-method basic --auth-user admin --auth-pass secret

# Bearer token auth
python scanner.py http://localhost:5000 --auth-method bearer --auth-pass eyJhbGciOiJIUzI1NiJ9...
```

### What Auth Scanning Detects

When credentials are provided, the scanner:

1. **Logs in** and shares the authenticated session across all scan modules (crawler, SQLi, XSS)
2. **Crawls pages behind the login wall** that unauthenticated scans would miss
3. **Checks for session fixation** -- whether session cookies are regenerated after login
4. **Analyzes session token quality** -- flags short tokens or low-entropy values
5. **Tests broken access control** -- compares authenticated vs unauthenticated responses
6. **Detects auth bypass** -- checks if protected-looking URLs (`/admin`, `/settings`, `/dashboard`) are accessible without login

### Test It

The included test app has valid credentials `admin` / `password123` and intentionally vulnerable routes:

```bash
# Terminal 1
python test_app/test_app.py

# Terminal 2 -- unauthenticated (finds 22 issues)
python scanner.py http://localhost:5000 --depth 2

# Terminal 2 -- authenticated (finds 25 issues including auth bypass)
python scanner.py http://localhost:5000 --depth 2 --auth-user admin --auth-pass password123
```

---

## Docker Setup

### Scanner Only

```bash
docker build -t webvulnscan .
docker run --rm -v $(pwd)/reports:/app/reports \
  webvulnscan http://host.docker.internal:5000 --depth 2
```

### Full Stack (Scanner + OWASP ZAP + DVWA)

The included `docker-compose.yml` sets up the scanner alongside OWASP ZAP and [DVWA](https://github.com/digininja/DVWA) (Damn Vulnerable Web Application) for a complete testing environment.

```bash
# Start ZAP and DVWA
docker compose up -d zap dvwa

# Wait ~30s for ZAP health check, then scan DVWA
docker compose run scanner http://dvwa \
  --zap \
  --zap-proxy http://zap:8080 \
  --zap-api-key vuln-scanner-key \
  --depth 2

# View DVWA in your browser at http://localhost:8888
# Default login: admin / password

# Tear down
docker compose down
```

### Other Practice Targets

These intentionally vulnerable applications can be run locally with Docker:

| App | Command | Scan URL |
|-----|---------|----------|
| **DVWA** | Included in `docker-compose.yml` | `http://localhost:8888` |
| **OWASP Juice Shop** | `docker run -p 3000:3000 bkimminich/juice-shop` | `http://localhost:3000` |
| **WebGoat** | `docker run -p 8080:8080 webgoat/webgoat` | `http://localhost:8080/WebGoat` |

---

## Project Structure

```
webvulnscan/
├── scanner.py                  # Main entry point and scan orchestrator
├── modules/
│   ├── crawler.py              # BFS web crawler with ThreadPoolExecutor
│   ├── header_analyzer.py      # Security header and server version checks
│   ├── directory_scanner.py    # Open directory and sensitive file probing
│   ├── sqli_scanner.py         # SQL injection detection (safe payloads)
│   ├── xss_scanner.py          # Reflected XSS detection (canary-based)
│   ├── tech_fingerprint.py     # Technology identification from signatures
│   ├── auth_scanner.py         # Authentication and access control scanning
│   ├── zap_integration.py      # OWASP ZAP REST API client
│   └── report_generator.py     # JSON and HTML report output
├── test_app/
│   └── test_app.py             # Intentionally vulnerable Flask app
├── reports/                    # Generated scan reports
├── requirements.txt
├── Dockerfile
└── docker-compose.yml          # Full stack: scanner + ZAP + DVWA
```

---

## How It Works

The scanner runs a 7-step core pipeline (steps 1-7 below), preceded by an optional authentication step (0), followed by an optional ZAP step (8), and finished by report generation (9):

```
0. AUTH (opt.)   -> Log in via form, cookie, or HTTP header
1. CRAWL         -> BFS discovery of URLs, forms, and query parameters
2. FINGERPRINT   -> Identify technologies from headers, cookies, and HTML
3. HEADERS       -> Audit security headers, server versions, and cookies
4. DIRECTORIES   -> Probe 60+ common paths for exposed resources
5. SQLi          -> Test each parameter with error-based and boolean payloads
6. XSS           -> Test each parameter with context-aware canary payloads
7. AUTH SCAN     -> Check session fixation, token quality, access control, auth bypass
8. ZAP (opt.)    -> Spider + active scan via the ZAP REST API
9. REPORT        -> Generate JSON + HTML reports with security score
```

### Safe Payloads

All injection payloads are designed to be non-destructive:

- **SQLi payloads** trigger detectable database errors or boolean response differences without modifying data. Examples: `' OR '1'='1`, `1' ORDER BY 1--`
- **XSS payloads** use unique canary strings (e.g., `XSS_CANARY_7291`) that can be detected in responses without executing harmful code
- **SSTI probes** use arithmetic (`{{7*7191}}`) to detect template evaluation by checking for the computed result (`50337`) in the response
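As an added illustration (not code from the WebVulnScan project), the following Python shows the kind of checks the canary and SSTI probes above enable: classifying the context in which a reflected canary lands, and confirming that `{{7*7191}}` was evaluated rather than echoed. The function names and the sample responses are constructed for this example.

```python
import re
from typing import List

CANARY = "XSS_CANARY_7291"  # same style of canary string the README describes


def _inside_script(html: str, pos: int) -> bool:
    """True when pos lies after an opening <script> that has not been closed."""
    before = html[:pos].lower()
    return before.rfind("<script") > before.rfind("</script>")


def _inside_tag(html: str, pos: int) -> bool:
    """True when pos lies inside a tag, i.e. after a '<' with no '>' yet."""
    before = html[:pos]
    return before.rfind("<") > before.rfind(">")


def classify_reflection(html: str, canary: str = CANARY) -> List[str]:
    """Return the sorted contexts ('body', 'attribute', 'script') in which the
    canary is reflected verbatim; an empty list means no reflection."""
    contexts = set()
    for match in re.finditer(re.escape(canary), html):
        if _inside_script(html, match.start()):
            contexts.add("script")
        elif _inside_tag(html, match.start()):
            contexts.add("attribute")
        else:
            contexts.add("body")
    return sorted(contexts)


def ssti_evaluated(html: str, a: int = 7, b: int = 7191) -> bool:
    """True when the server evaluated the {{a*b}} probe (the product appears)
    instead of echoing the probe text back unchanged."""
    probe = "{{%d*%d}}" % (a, b)
    return str(a * b) in html and probe not in html


if __name__ == "__main__":
    # Constructed sample response, not captured from a real target
    sample = f'<input value="{CANARY}"><p>Results for {CANARY}</p>'
    print(classify_reflection(sample))  # ['attribute', 'body']
    print(ssti_evaluated("<p>Results for 50337</p>"))  # True
```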

---

## Sample Report

Running an authenticated scan against the included test app:

```
[0/7] Authenticating...
      Login URL: http://localhost:5000/login
      Fields detected: username='username', password='password'
      [+] Login successful!

[*] Scanning as authenticated user

[1/7] Crawling target for URLs and forms...
      Found 12 URLs, 5 forms, 2 parameterized URLs

[2/7] Fingerprinting technologies...
      Detected: Apache 2.4.29
      Detected: PHP 7.2.10

[3/7] Analyzing server headers...
      Found 10 header-related issues

[4/7] Scanning for open directories...
      Found 4 open directories/files

[5/7] Testing for SQL injection points...
      Found 2 potential SQLi points

[6/7] Testing for reflected XSS...
      Found 5 potential XSS reflections

[7/7] Scanning for authentication issues...
      Found 4 authentication issues

=======================================================
  SCAN SUMMARY
=======================================================
  Total findings:  25
    CRITICAL    3
    HIGH        8
    MEDIUM      8
    LOW         6
=======================================================
```

### Security Score

The HTML report includes a percentage-based security score:

| Score | Meaning |
|-------|---------|
| 100% | No issues found |
| 75%+ | Minor issues only |
| 50-74% | Moderate risk, some significant findings |
| 25-49% | High risk, multiple serious vulnerabilities |
| 0-24% | Critical risk, immediate attention required |

The scoring uses diminishing returns so the first findings of each severity level have the most impact, and additional ones contribute progressively less.
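The README does not give the scoring formula, so the following added example (not the project's code) shows one way to implement a diminishing-returns score together with the bands from the table above; the weights, the decay factor and the function names are assumptions of this example.

```python
from typing import Dict

# Illustrative constants: the README states that scoring uses diminishing
# returns but does not give the formula, so these weights and the decay
# factor are assumptions chosen to show the shape of such a curve.
SEVERITY_WEIGHT = {"critical": 25.0, "high": 10.0, "medium": 4.0, "low": 1.0}
DECAY = 0.6  # each further finding of a severity counts 60% of the previous one


def severity_penalty(severity: str, count: int) -> float:
    """Penalty for `count` findings of one severity.

    The findings form a geometric series weight * (1 + d + d^2 + ...), whose
    closed form is weight * (1 - d^count) / (1 - d): the first finding costs
    the full weight, each later one progressively less.
    """
    if count <= 0:
        return 0.0
    return SEVERITY_WEIGHT[severity] * (1 - DECAY ** count) / (1 - DECAY)


def security_score(counts: Dict[str, int]) -> int:
    """Percentage score: 100 minus all penalties, clamped to the 0..100 range."""
    total = sum(severity_penalty(sev, n) for sev, n in counts.items())
    return max(0, min(100, round(100 - total)))


def risk_band(score: int) -> str:
    """Map a score onto the bands of the README's security score table."""
    if score == 100:
        return "No issues found"
    if score >= 75:
        return "Minor issues only"
    if score >= 50:
        return "Moderate risk"
    if score >= 25:
        return "High risk"
    return "Critical risk"


if __name__ == "__main__":
    # Severity counts taken from the sample report above
    counts = {"critical": 3, "high": 8, "medium": 8, "low": 6}
    print(security_score(counts), risk_band(security_score(counts)))  # 14 Critical risk
```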

### HTML Report Contents

- **Security score** with color-coded percentage
- **Summary cards** with finding counts by severity level
- **Technology list** of detected server software, frameworks, and libraries
- **OWASP distribution chart** with findings grouped by category
- **Detailed findings** each with severity badge, description, evidence, remediation, and OWASP mapping
- **Crawled URL list** of all discovered pages

---

## Tool Comparison

| Feature | WebVulnScan | Burp Suite | OWASP ZAP |
|---------|-------------|------------|-----------|
| Open source | Yes | No (Pro) | Yes |
| Custom payloads | Easy to modify | Yes | Yes |
| GUI | HTML report | Full GUI | Full GUI |
| Active scanning | Basic | Advanced | Advanced |
| Authentication | Form, cookie, header | Full support | Full support |
| Extensibility | Python modules | BApp Store | Add-ons |
| Learning value | High | Medium | Medium |

Use **Burp Suite Community Edition** for manual testing alongside this scanner. Use the **ZAP integration** (`--zap` flag) for automated comparison of findings.

---

## Extending the Scanner

### Add Custom Directory Paths

```python
from modules.directory_scanner import DirectoryScanner

target = "http://localhost:5000"  # the same base URL you pass to scanner.py

scanner = DirectoryScanner(
    target,
    extra_paths=["/api/internal", "/debug/vars", "/.dockerenv"]
)
```

### Add Custom SQLi Payloads

```python
from modules.sqli_scanner import SQLiScanner

# Each entry is a (payload, description) tuple appended to the list
# SQLiScanner.ERROR_BASED_PAYLOADS
SQLiScanner.ERROR_BASED_PAYLOADS.append(
    ("' UNION SELECT NULL,NULL,NULL--", "UNION column enumeration")
)
```

### Add New Detection Modules

Create a new file in `modules/` following this pattern:

```python
class MyScanner:
    def __init__(self, rate_limit=10.0):
        # setup
        pass

    def scan(self, crawl_data):
        findings = []
        # your detection logic
        findings.append({
            "type": "my_finding",
            "severity": "medium",        # critical, high, medium, low, info
            "title": "Description",
            "url": "http://...",
            "detail": "What was found",
            "remediation": "How to fix it",
            "owasp_category": "A01:2021 - Broken Access Control",
        })
        return findings
```

Then wire it into `scanner.py` in the `run_scan()` function.
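As an added example of a module in the pattern above (not part of the project), the following implements the session fixation and token quality checks described under What Auth Scanning Detects, emitting findings in the dict format shown. The `crawl_data` keys, the cookie-name list and the thresholds are assumptions of this example.

```python
import math
from collections import Counter
from typing import Dict, List

class SessionTokenScanner:
    """Checks session fixation and token quality in the README's module pattern."""

    SESSION_COOKIES = ("session", "sessionid", "session_id", "phpsessid", "jsessionid")
    MIN_LENGTH = 16          # assumed threshold: shorter tokens are flagged
    MIN_BITS_PER_CHAR = 3.0  # assumed threshold for the Shannon entropy estimate
    OWASP = "A07:2021 - Identification and Authentication Failures"

    def __init__(self, rate_limit: float = 10.0):
        self.rate_limit = rate_limit  # no requests are sent here; kept for the pattern

    @staticmethod
    def entropy_per_char(token: str) -> float:
        """Shannon entropy in bits per character from character frequencies."""
        if not token:
            return 0.0
        n = len(token)
        return -sum(c / n * math.log2(c / n) for c in Counter(token).values())

    def _finding(self, title: str, url: str, detail: str, severity: str) -> Dict:
        return {"type": "session_token", "severity": severity, "title": title,
                "url": url, "detail": detail, "owasp_category": self.OWASP,
                "remediation": "Issue a new random session ID on login and use "
                               "tokens of at least 128 bits from a CSPRNG."}

    def scan(self, crawl_data: Dict) -> List[Dict]:
        # Assumed input shape: cookies seen before and after login as {name: value}
        url = crawl_data.get("login_url", "")
        before = crawl_data.get("cookies_before_login", {})
        after = crawl_data.get("cookies_after_login", {})
        findings = []
        for name, value in after.items():
            if name.lower() not in self.SESSION_COOKIES:
                continue
            if before.get(name) == value:
                findings.append(self._finding("Session fixation", url,
                    f"Cookie '{name}' kept its pre-login value after login", "high"))
            if len(value) < self.MIN_LENGTH:
                findings.append(self._finding("Short session token", url,
                    f"Cookie '{name}' is only {len(value)} characters long", "medium"))
            elif self.entropy_per_char(value) < self.MIN_BITS_PER_CHAR:
                findings.append(self._finding("Low-entropy session token", url,
                    f"Cookie '{name}' has {self.entropy_per_char(value):.2f} bits/char", "medium"))
        return findings
```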

---

## Learning Outcomes

Building and using this project teaches:

| Topic | What You'll Learn |
|-------|-------------------|
| **Web Vulnerabilities** | How SQL injection, XSS, and misconfigurations work at the HTTP level |
| **Input Validation** | Why parameterized queries and output encoding are essential defenses |
| **HTTP Security** | The purpose of headers like CSP, HSTS, X-Frame-Options, and cookie flags |
| **Authentication** | Session management, token security, and access control patterns |
| **OWASP Top 10** | Mapping real findings to the industry-standard vulnerability taxonomy |
| **Responsible Disclosure** | How to report findings ethically with proper evidence and remediation |
| **Report Writing** | Structuring vulnerability reports for technical and non-technical audiences |
| **Tool Integration** | Working with OWASP ZAP's REST API programmatically |
| **Concurrent Programming** | Thread pools, rate limiting, and safe shared state in Python |

---

Built for learning. Use responsibly.
Created by Johnathan Duque