⚠️ Disclaimer: This tool is for educational and authorized security testing purposes only. Using this tool against systems without explicit written permission is illegal and unethical. The authors assume no liability for misuse.
A production-grade, modular Web Application Vulnerability Scanner targeting OWASP Top 10 vulnerabilities, with primary focus on SQL Injection (SQLi) and Cross-Site Scripting (XSS).
Built with clean architecture, thread-based concurrency, configurable depth, and professional-quality reporting.
| Feature | Details |
|---|---|
| Recursive Crawler | BFS crawling with domain scope enforcement and depth limits |
| Attack Surface Detection | Forms (GET/POST), URL query parameters, textarea/select inputs |
| SQLi Detection | Error-based (MySQL/PostgreSQL/MSSQL/SQLite/Oracle), boolean-based |
| XSS Detection | Reflected payload detection with contextual marker analysis |
| Concurrent Scanning | Thread-pool-based injection with configurable worker count |
| Rate Limiting | Token-bucket algorithm to avoid overwhelming targets |
| Dual Reports | JSON (machine-readable) + HTML (styled dashboard) output |
| Extensible Design | Plugin-style payload registry for adding new vuln categories |
| Docker Support | Non-root containerized execution |
| Structured Logging | INFO/DEBUG/WARNING/ERROR levels, file + console output |
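As an added illustration of the crawler stage (example code written for this README, not the project's own `crawler.py`), the following BFS crawler enforces the two controls the feature table names: it follows only links on the seed's host and stops expanding pages once the configured depth is reached. The fetch function is injected, so here it runs against a constructed in-memory site map instead of live HTTP; the `example.test` URLs and the function names are assumptions for the illustration.

```python
"""Depth-limited, domain-scoped BFS crawler.

Added example, not the project's crawler.py. The fetch callable is injected so
the crawler can be exercised offline against the constructed SITE map below.
"""
from collections import deque
from html.parser import HTMLParser
from typing import Callable, Dict, List, Optional, Set
from urllib.parse import urljoin, urlparse, urlunparse


class _LinkParser(HTMLParser):
    """Collects the href targets of <a> tags in document order."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def normalize(url: str) -> str:
    """Drop fragments, lower-case scheme/host and strip trailing slashes so the
    same page is never queued twice under different spellings."""
    p = urlparse(url)
    path = p.path.rstrip("/") or "/"
    return urlunparse((p.scheme.lower(), p.netloc.lower(), path, "", p.query, ""))


def in_scope(url: str, seed_netloc: str) -> bool:
    """Scope enforcement: only http(s) URLs on the seed's own host are followed."""
    p = urlparse(url)
    return p.scheme in ("http", "https") and p.netloc.lower() == seed_netloc


def crawl(seed: str, fetch: Callable[[str], Optional[str]], max_depth: int = 2) -> List[str]:
    """Breadth-first crawl from `seed`; returns in-scope URLs in discovery order.
    Pages at `max_depth` are recorded but their links are not expanded."""
    seed = normalize(seed)
    seed_netloc = urlparse(seed).netloc.lower()
    seen: Set[str] = {seed}
    queue = deque([(seed, 0)])
    found: List[str] = []
    while queue:
        url, depth = queue.popleft()
        found.append(url)
        if depth >= max_depth:
            continue  # depth limit reached: do not expand this page
        body = fetch(url)
        if body is None:
            continue  # unreachable page: nothing to expand
        parser = _LinkParser()
        parser.feed(body)
        for href in parser.hrefs:
            absolute = normalize(urljoin(url, href))
            if in_scope(absolute, seed_netloc) and absolute not in seen:
                seen.add(absolute)
                queue.append((absolute, depth + 1))
    return found


# Constructed in-memory site used instead of live HTTP (example data only).
SITE: Dict[str, str] = {
    "http://example.test/": '<a href="/products">p</a><a href="https://other.test/x">ext</a>'
                            '<a href="/about#team">about</a>',
    "http://example.test/products": '<a href="/products?cat=1">c1</a><a href="mailto:a@b">m</a>',
    "http://example.test/about": '<a href="/">home</a>',
    "http://example.test/products?cat=1": '<a href="/products/1/deep">deep</a>',
    "http://example.test/products/1/deep": "",
}


def fake_fetch(url: str) -> Optional[str]:
    """Stand-in for an HTTP GET: returns the constructed page body or None."""
    return SITE.get(url)


if __name__ == "__main__":
    for discovered in crawl("http://example.test/", fake_fetch, max_depth=2):
        print(discovered)
```

With `max_depth=2` the off-host link and the `mailto:` link are rejected by `in_scope`, the `#team` fragment collapses onto the already-known `/about` page, and `/products/1/deep` (which sits at depth 3) is never reached; raising the depth to 3 discovers it.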
```
scanner/
├── main.py          # CLI entry point & pipeline orchestrator
├── config.py        # Global settings, constants, defaults
├── crawler.py       # BFS URL discovery engine
├── extractor.py     # Form & query parameter surface extraction
├── payloads.py      # Centralized, extensible payload registry
├── injector.py      # Concurrent payload injection engine
├── analyzer.py      # Response analysis & vulnerability classification
├── reporter.py      # JSON + HTML report generation
├── utils.py         # Shared: logging, HTTP session, rate limiter, URL utils
└── requirements.txt
Dockerfile
README.md
```
```
[Target URL]
     │
     ▼
[Crawler] ──────── BFS, domain-scoped ─────────► [URL List]
     │
     ▼
[SurfaceExtractor] ── HTML parse ──────────────► [Forms + Query Params]
     │
     ▼
[Injector] ──────── Thread Pool ───────────────► [Baseline + Injected Responses]
     │
     ▼
[ResponseAnalyzer] ── Pattern Match ───────────► [Vulnerability Findings]
     │
     ▼
[ReportGenerator] ─────────────────────────────► [JSON Report] + [HTML Dashboard]
```
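As an added example of the SurfaceExtractor stage (not the project's `extractor.py`; the `AttackSurface` fields, the sample page and its URL are assumptions made for this illustration), the parser below turns a page's query string and its forms into typed surface records. It records GET and POST forms, collects `input`, `textarea` and `select` names, resolves relative form actions against the page URL, and skips submit buttons and forms that carry no named field:

```python
"""Attack-surface extraction from a page URL's query string and its HTML forms.

Added example; the project's extractor.py is not shown on this page, so the
AttackSurface layout here is an assumption.
"""
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl, urljoin, urlparse


@dataclass(frozen=True)
class AttackSurface:
    """One injectable request: where it goes, how, and which parameters it carries."""
    url: str
    method: str                # "GET" or "POST"
    params: Tuple[str, ...]    # parameter names in document order, de-duplicated
    source: str                # "form" or "query"


class _FormParser(HTMLParser):
    """Collects (action, method, field names) for every form in the document."""

    def __init__(self) -> None:
        super().__init__()
        self.forms: List[Tuple[str, str, List[str]]] = []
        self._current: Optional[Tuple[str, str, List[str]]] = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = (a.get("action") or "", (a.get("method") or "get").upper(), [])
        elif tag in ("input", "textarea", "select") and self._current is not None:
            name = a.get("name")
            # Buttons and unnamed controls carry no user-controlled value.
            if name and (a.get("type") or "").lower() not in ("submit", "button", "reset"):
                self._current[2].append(name)

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def extract_surfaces(page_url: str, html: str) -> List[AttackSurface]:
    """Return the query-string surface (if any) followed by one surface per form."""
    surfaces: List[AttackSurface] = []

    # 1. Parameters already present in the page URL form a GET surface.
    query_names = tuple(k for k, _ in parse_qsl(urlparse(page_url).query, keep_blank_values=True))
    if query_names:
        surfaces.append(AttackSurface(url=page_url.split("?", 1)[0], method="GET",
                                      params=query_names, source="query"))

    # 2. Each form with at least one named field; an empty action posts back to the page.
    parser = _FormParser()
    parser.feed(html)
    for action, method, names in parser.forms:
        if not names:
            continue
        surfaces.append(AttackSurface(url=urljoin(page_url, action), method=method,
                                      params=tuple(dict.fromkeys(names)), source="form"))
    return surfaces


# Constructed sample page (example data only, not a real site's markup).
SAMPLE_URL = "http://example.test/listproducts.php?cat=1"
SAMPLE_HTML = """
<form action="/search.php" method="get">
  <input type="text" name="searchFor">
  <input type="submit" value="go">
</form>
<form method="POST">
  <input name="uname"><input type="password" name="pass">
  <textarea name="comment"></textarea>
  <select name="rating"><option>1</option></select>
</form>
<form action="/logout.php"><input type="submit"></form>
"""

if __name__ == "__main__":
    for surface in extract_surfaces(SAMPLE_URL, SAMPLE_HTML):
        print(surface)
```

On the sample page this yields three surfaces: the `cat` query parameter, the GET search form resolved to `/search.php`, and the POST form with four named fields; the logout form has only a submit button and is dropped.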
- Python 3.9+
- pip
```bash
git clone https://github.com/yourusername/vulnscanner.git
cd vulnscanner

# Create virtual environment (recommended)
python -m venv venv
source venv/bin/activate   # Linux/macOS
venv\Scripts\activate      # Windows

# Install dependencies
pip install -r scanner/requirements.txt
```

Minimal scan:

```bash
python scanner/main.py --url http://testphp.vulnweb.com --depth 2
```

All options:

```bash
python scanner/main.py \
  --url http://testphp.vulnweb.com \
  --depth 3 \
  --output my_report \
  --format html \
  --threads 8 \
  --rate-limit 5 \
  --timeout 10
```

| Flag | Default | Description |
|---|---|---|
| `--url URL` | (required) | Target base URL |
| `--depth N` | 2 | Crawl depth from seed URL |
| `--output PATH` | scan_report | Output file path (no extension) |
| `--format {html,json,both}` | html | Report format |
| `--threads N` | 8 | Concurrent injection workers |
| `--rate-limit RPS` | 5.0 | Max requests per second |
| `--timeout SEC` | 10 | Per-request timeout |
| `--no-sqli` | - | Disable SQL injection scanning |
| `--no-xss` | - | Disable XSS scanning |
| `--cookie NAME=VALUE` | - | Add session cookie (repeatable) |
| `--header NAME:VALUE` | - | Add HTTP header (repeatable) |
| `-v, --verbose` | - | Enable DEBUG logging |
Authenticated scan with a session cookie:

```bash
python scanner/main.py \
  --url http://target.com \
  --cookie "PHPSESSID=abc123def456" \
  --depth 2
```

Docker:

```bash
# Build
docker build -t vulnscanner .

# Run
docker run --rm vulnscanner \
  --url http://testphp.vulnweb.com \
  --depth 2 \
  --format both
```

The payload registry supports runtime extension:

```python
from scanner.payloads import PayloadStore, Payload

store = PayloadStore()

# Register a new category
store.register_category("xxe", [
    Payload(
        value='<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>',
        category="xxe",
        technique="file_read",
        description="XXE file read probe",
    )
])
```

Sample run output:

```
VulnScanner v1.0.0

=== Phase 1: Crawling ===
Discovered 24 URL(s).

=== Phase 2: Extracting Attack Surfaces ===
Found injectable surfaces in 8 URL(s).

=== Phase 3: Injection & Analysis ===
[SQLi/error_based] MySQL DB error detected at http://testphp.vulnweb.com/listproducts.php (param: cat)
[XSS/reflected] Payload reflected at http://testphp.vulnweb.com/search.php (param: searchFor)

=== Phase 4: Generating Report ===
✓ HTML Report: /path/to/scan_report.html
✓ JSON Report: /path/to/scan_report.json

═══════════════════════════════════════════════════════
                     SCAN SUMMARY
═══════════════════════════════════════════════════════
Target          : http://testphp.vulnweb.com
URLs Scanned    : 24
Duration        : 18.4s
Total Findings  : 5
High Severity   : 3
Medium Severity : 2
═══════════════════════════════════════════════════════
```
| Vulnerability | OWASP Category | Severity | Techniques |
|---|---|---|---|
| SQL Injection | A03:2021 | HIGH | Error-based, Boolean-based, Time-based |
| Reflected XSS | A03:2021 | MEDIUM | Reflection, Marker detection |
Additional modules (CSRF, IDOR, SSRF, XXE) can be added via the plugin system.
- No monolithic script: each concern (crawl/extract/inject/analyze/report) is a separate module with a well-defined interface.
- Typed dataclasses: `AttackSurface`, `Vulnerability` and `BaselineResponse` carry structured data instead of raw dicts.
- Baseline comparison: every injected request is compared against a cached baseline to detect boolean-based SQLi and reduce false positives.
- Token-bucket rate limiter: thread-safe implementation prevents accidental DoS of the target.
- Structured logging: all modules use `logging.getLogger(__name__)`, configurable at the root level from `main.py`.
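The token-bucket limiter from the rate-limiting feature and the design note above, as an added example (not the project's `utils.py`; the class and function names are assumed): one bucket shared by all worker threads, refilled continuously from the clock under a lock so the pool as a whole never exceeds the configured requests per second. The clock and sleep functions are injectable, which lets the refill arithmetic be checked deterministically and also exercised with real threads.

```python
"""Thread-safe token-bucket rate limiter with an injectable clock.

Added example, not the project's utils.py. Tokens accrue at `rate` per second
up to `capacity`; acquire() blocks until one is available.
"""
import threading
import time
from typing import Callable, List, Tuple


class TokenBucket:
    def __init__(self, rate: float, capacity: int,
                 clock: Callable[[], float] = time.monotonic,
                 sleep: Callable[[float], None] = time.sleep) -> None:
        if rate <= 0 or capacity <= 0:
            raise ValueError("rate and capacity must be positive")
        self.rate = float(rate)
        self.capacity = float(capacity)
        self._tokens = float(capacity)   # start full: the first burst goes out immediately
        self._clock = clock
        self._sleep = sleep
        self._last = clock()
        self._lock = threading.Lock()

    def _refill(self) -> None:
        """Credit tokens earned since the last refill. Caller must hold the lock."""
        now = self._clock()
        self._tokens = min(self.capacity, self._tokens + (now - self._last) * self.rate)
        self._last = now

    def try_acquire(self) -> bool:
        """Non-blocking: take a token if one is available right now."""
        with self._lock:
            self._refill()
            if self._tokens >= 1.0:
                self._tokens -= 1.0
                return True
            return False

    def acquire(self) -> float:
        """Blocking: wait for a token; returns the total seconds slept."""
        waited = 0.0
        while True:
            with self._lock:
                self._refill()
                if self._tokens >= 1.0:
                    self._tokens -= 1.0
                    return waited
                delay = (1.0 - self._tokens) / self.rate   # time until one token exists
            self._sleep(delay)   # sleep outside the lock so other workers are not blocked
            waited += delay


class FakeClock:
    """Manual clock so limiter behaviour can be verified without real sleeping."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def sleep(self, seconds: float) -> None:
        self.now += seconds


def simulate(requests: int, rate: float, capacity: int) -> List[float]:
    """Virtual timestamps at which each of `requests` sequential acquisitions succeeded."""
    clock = FakeClock()
    bucket = TokenBucket(rate, capacity, clock=clock, sleep=clock.sleep)
    stamps = []
    for _ in range(requests):
        bucket.acquire()
        stamps.append(round(clock.now, 6))
    return stamps


def concurrent_demo(threads: int, per_thread: int, rate: float, capacity: int) -> Tuple[int, float]:
    """Real threads drawing from one shared bucket; returns (requests made, seconds elapsed)."""
    bucket = TokenBucket(rate, capacity)
    count = [0]
    count_lock = threading.Lock()

    def worker() -> None:
        for _ in range(per_thread):
            bucket.acquire()          # this is where a worker would issue its HTTP request
            with count_lock:
                count[0] += 1

    start = time.monotonic()
    pool = [threading.Thread(target=worker) for _ in range(threads)]
    for t in pool:
        t.start()
    for t in pool:
        t.join()
    return count[0], time.monotonic() - start


if __name__ == "__main__":
    print(simulate(8, rate=5.0, capacity=5))       # burst of 5, then one every 0.2 s
    print(concurrent_demo(4, 4, rate=50.0, capacity=5))
```

With a capacity of 5 and a rate of 5 requests per second, the first five acquisitions succeed at once and every later one is spaced 0.2 s apart regardless of how many threads are contending, which is the behaviour the `--threads` and `--rate-limit` flags combine to give.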
MIT License. See LICENSE for details.
Built for educational use, security research, and authorized penetration testing. Always obtain written permission before scanning any system you do not own.