WEB-Scanner 1.5 released. For more info check the release section
The WEB-Scanner is a sophisticated, Python-based tool meticulously designed to automate the detection and analysis of critical security vulnerabilities in web applications. This project serves as an essential resource for security professionals, developers, and penetration testers who are committed to proactively identifying, assessing, and remediating security risks, thereby fortifying the integrity and resilience of their applications against an ever-evolving threat landscape.
- Main Thing: This script create a output named folder autometically and save the log & text file in itself. It also ask for the name of that files. User can scan multiple website in it and they don't mixed up in the output folder. This script give you upto 85% accuracy on scan.
Always run this script in root user.
The scanner employs a multi-faceted approach to identify a wide array of vulnerabilities, including:
-
SQL Injection: Utilizes advanced payloads and techniques to detect vulnerabilities that allow attackers to manipulate SQL queries, potentially leading to unauthorized data access or data manipulation.
-
Cross-Site Scripting (XSS): Implements various attack vectors to identify injection points for malicious scripts, assessing both reflected and stored XSS vulnerabilities with precision.
-
Cross-Site Request Forgery (CSRF): Evaluates the application’s defenses against unauthorized actions performed on behalf of authenticated users, including token validation checks and session management vulnerabilities.
-
File Inclusion: Conducts thorough assessments for Local File Inclusion (LFI) and Remote File Inclusion (RFI) vulnerabilities, analyzing server responses for sensitive data exposure and potential remote code execution.
-
Command Injection: Tests for vulnerabilities that enable attackers to execute arbitrary commands on the server, utilizing a diverse range of payloads to assess the application’s command execution capabilities.
The scanner generates detailed, structured reports that include:
-
Vulnerability Type: Clear classification of the detected issue, including Common Vulnerability Scoring System (CVSS) scores for risk assessment.
-
Location: Specific URL or endpoint where the vulnerability was identified, along with the parameters involved.
-
Description: In-depth explanation of the vulnerability, its potential impact, and recommended remediation strategies, including code snippets and best practices.
-
Severity Level: Risk categorization (e.g., Critical, High, Medium, Low) based on the potential impact on the application and its users, with prioritization for remediation.
The tool maintains a comprehensive log of all scanning activities, including timestamps, detected vulnerabilities, and any errors encountered. This feature is crucial for compliance audits, post-scan reviews, and forensic analysis.
Designed with a modular architecture, the scanner allows for easy extension and integration of additional vulnerability checks. Users can customize the scanner to suit specific testing requirements or to incorporate new vulnerability detection techniques, leveraging a plugin system for third-party contributions.
- Programming Language: Python 3.x
- Key Libraries:
requests: For making HTTP requests and handling responses efficiently, with support for session management and cookie handling.subprocess: For executing system commands, such as checking for dependencies and running external tools.logging: For tracking and documenting the scanner's activities in a structured manner, with customizable log levels.argparse: For handling command-line arguments, enhancing user interaction and flexibility.BeautifulSoupandlxml: For parsing and analyzing HTML responses to identify potential vulnerabilities.
-
Clone the Repository:
Clone the repository to your local machine using:git clone https://github.com/CYBER-4RMY/WEB-Scanner.git
-
Run the Scanner:
Execute the scanner script, providing the target URL for assessment:sudo python3 WEB-Scanner.py or Run in sudo user
- Review the Report:
After the scan completes, review the generated report for any identified vulnerability.
This tool is intended for educational purposes and ethical testing only. Users must ensure they have explicit permission to scan any target application to comply with legal and ethical standards. Unauthorized scanning of web applications may violate laws and regulations, and users are responsible for their actions.
Contributions to enhance the functionality and effectiveness of the scanner are highly encouraged. If you have suggestions, bug reports, or feature requests, please open an issue or submit a pull request. Contributions should adhere to the project's coding standards and include appropriate documentation.
This project is licensed under the MIT License. See the LICENSE file for more details. This allows for both personal and commercial use, provided that the original license and copyright notice are included in all copies or substantial portions of the software.
We would like to acknowledge the contributions of the open-source community and various security researchers whose work has informed the development of this scanner. Special thanks to the OWASP Foundation for their invaluable resources and guidelines on web application security.
The WEB-Scanner is a powerful tool that empowers users to take control of their web application security. By automating the detection of vulnerabilities and providing actionable insights, this scanner plays a crucial role in safeguarding applications against potential threats. We invite you to explore the project, contribute, and join us in the mission to enhance web security for all.