Passive vulnerability scanner for Laravel & WordPress sites — checks security headers, exposed files, debug modes, and known-vulnerable plugins.
A lightweight, browser-based PHP scanner that performs read-only / non-intrusive security checks against a target web application. It detects common misconfigurations and matches detected versions against a CVE database — without firing a single exploit payload.
Only scan websites you own or have written permission to test.
Unauthorized scanning of third-party websites may violate computer-misuse laws in your jurisdiction (e.g. the Computer Fraud and Abuse Act in the United States, the Computer Misuse Act in the United Kingdom, and similar laws elsewhere).
This tool requires you to tick a consent checkbox before every scan. By using it, you accept full responsibility for ensuring you have authorization to scan the target.
The scanner runs a chain of passive checks against the target URL:
- Missing security headers — HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy
- Server / X-Powered-By version disclosure
- Exposed sensitive files — `.env`, `.git/config`, `.DS_Store`, `composer.lock`, `package.json`, `phpinfo.php`, backup archives
- `APP_DEBUG=true` in production (with stack trace exposure)
- Publicly accessible Laravel Telescope
- Publicly accessible Laravel Horizon
- Exposed Laravel Debugbar
- Laravel version disclosure
- WordPress version detection (meta tag + RSS fallback)
- Plugin enumeration from page source
- CVE matching against detected plugin versions
- `xmlrpc.php` exposure (brute-force amplification vector)
- User enumeration via REST API (`/wp-json/wp/v2/users`)
- `/readme.html` accessibility
Each finding includes:
- Severity (Critical / High / Medium / Low)
- What was observed
- The attack vector that exploits it
- The remediation step
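As an added illustration (not code from this project), here is how a passive security-header check of the kind listed above can be written in PHP: it parses a raw response header block, reports each missing header and each version-disclosing `Server` / `X-Powered-By` value, and returns findings in the README's standard finding shape, sorted Critical → Low. `parseHeaders()`, `checkHeaders()`, `REQUIRED_HEADERS` and the sample response are assumptions, not the scanner's real API.

```php
<?php
// Added example, not the project's lib/Checks/Headers.php: a passive
// security-header check that turns a response header block into findings in
// the README's standard finding shape. parseHeaders(), checkHeaders(),
// REQUIRED_HEADERS and the sample response below are assumptions.
declare(strict_types=1);

// Parse a raw HTTP response header block into a lowercase-keyed map.
// Header names are case-insensitive, so normalising them avoids missing
// "content-security-policy" when a server sends "Content-security-policy".
function parseHeaders(string $raw): array
{
    $headers = [];
    foreach (preg_split('/\r?\n/', trim($raw)) as $line) {
        if (!str_contains($line, ':')) {
            continue; // status line ("HTTP/1.1 200 OK") or blank line
        }
        [$name, $value] = explode(':', $line, 2);
        $headers[strtolower(trim($name))] = trim($value);
    }
    return $headers;
}

// Headers the check expects, with what to report when each is absent.
const REQUIRED_HEADERS = [
    'strict-transport-security' => [
        'severity' => 'Medium',
        'attack'   => 'Protocol downgrade or cookie theft on a first visit made over HTTP.',
        'fix'      => 'Strict-Transport-Security: max-age=31536000; includeSubDomains',
    ],
    'content-security-policy' => [
        'severity' => 'Medium',
        'attack'   => 'No browser-side containment if script injection (XSS) exists elsewhere.',
        'fix'      => "Content-Security-Policy: default-src 'self'",
    ],
    'x-frame-options' => [
        'severity' => 'Medium',
        'attack'   => 'Clickjacking by framing the page from another origin.',
        'fix'      => 'X-Frame-Options: DENY (or CSP frame-ancestors)',
    ],
    'x-content-type-options' => [
        'severity' => 'Low',
        'attack'   => 'MIME sniffing may treat a non-script response as script.',
        'fix'      => 'X-Content-Type-Options: nosniff',
    ],
    'referrer-policy' => [
        'severity' => 'Low',
        'attack'   => 'Full URLs, including query-string tokens, leak to third parties via Referer.',
        'fix'      => 'Referrer-Policy: strict-origin-when-cross-origin',
    ],
];

// Return findings for missing headers and version-disclosing headers.
// $isHttps matters because HSTS is only meaningful on an HTTPS response.
function checkHeaders(array $headers, bool $isHttps): array
{
    $findings = [];
    foreach (REQUIRED_HEADERS as $name => $meta) {
        if ($name === 'strict-transport-security' && !$isHttps) {
            continue;
        }
        if (!isset($headers[$name])) {
            $findings[] = [
                'severity' => $meta['severity'],
                'title'    => "Missing $name",
                'detail'   => "The response did not include a $name header.",
                'attack'   => $meta['attack'],
                'fix'      => $meta['fix'],
            ];
        }
    }
    // Server / X-Powered-By values that carry a dotted version number.
    foreach (['server', 'x-powered-by'] as $name) {
        if (isset($headers[$name]) && preg_match('/\d+\.\d+/', $headers[$name])) {
            $findings[] = [
                'severity' => 'Low',
                'title'    => "$name discloses a version",
                'detail'   => "$name: {$headers[$name]}",
                'attack'   => 'Version fingerprinting narrows the list of applicable known vulnerabilities.',
                'fix'      => 'Strip the version (Apache: ServerTokens Prod; php.ini: expose_php = Off).',
            ];
        }
    }
    // Sort Critical -> Low, as the report does.
    $rank = ['Critical' => 0, 'High' => 1, 'Medium' => 2, 'Low' => 3];
    usort($findings, fn(array $a, array $b): int => $rank[$a['severity']] <=> $rank[$b['severity']]);
    return $findings;
}

// Constructed sample response (not captured from a real host).
$raw = "HTTP/1.1 200 OK\r\n"
     . "Server: Apache/2.4.41 (Ubuntu)\r\n"
     . "X-Powered-By: PHP/7.4.3\r\n"
     . "Content-Type: text/html; charset=UTF-8\r\n"
     . "X-Frame-Options: SAMEORIGIN\r\n";

foreach (checkHeaders(parseHeaders($raw), true) as $f) {
    printf("%-7s %s\n        Fix: %s\n", strtoupper($f['severity']), $f['title'], $f['fix']);
}
```

On the constructed response the check reports four missing headers and two version disclosures; `X-Frame-Options` is present and is not flagged. Lowercasing header names before lookup is the detail most often missed in header checks: a server that emits `Content-security-policy` is compliant, and a case-sensitive lookup would report it as missing.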
This scanner is deliberately scoped to passive recon. It will not:
- Fire SQLi / XSS / RCE payloads against the target
- Attempt logins or brute-force credentials
- Upload files or POST data to the target
- Perform DoS or rate-flood the target
If you need active testing, use a dedicated pentest framework with proper engagement scoping — OWASP ZAP, Burp Suite, Nuclei, or WPScan.
- PHP 8.0+ (uses `match`, `str_contains`, named arguments)
- PHP cURL extension (bundled with XAMPP)
- A webserver — Apache (XAMPP / WAMP / MAMP) or `php -S` works fine
- Install XAMPP.
- Clone this repo into `htdocs/`:

  ```
  cd C:/xampp/htdocs
  git clone https://github.com/RaashidMalla/Web-Security-Scanning-Script.git
  ```

- Start Apache from the XAMPP control panel.
- Open `http://localhost/Web-Security-Scanning-Script/` in your browser.

Alternatively, with PHP's built-in server:

```
git clone https://github.com/RaashidMalla/Web-Security-Scanning-Script.git
cd Web-Security-Scanning-Script
php -S localhost:8000
```

Then open http://localhost:8000/.
- Open the scanner in your browser.
- Enter the target URL (e.g. `https://my-site.test`).
- Tick the "I confirm I am authorized to scan this target" checkbox.
- Click Run Scan.
- Review the report — findings are sorted Critical → Low.
```
Detected stack: WordPress
Version: 6.2.1
Findings: 7

CRITICAL  .env file exposed
          APP_KEY and DB credentials are publicly readable.
          Attack: full credential takeover.
          Fix: move .env outside docroot, rotate all secrets.

HIGH      Vulnerable plugin: contact-form-7 v5.3.1
          CVE-2020-35489 — Unrestricted file upload bypass.
          Attack: upload disguised .php for RCE.
          Fix: update Contact Form 7 to ≥5.3.2.

MEDIUM    Missing Content-Security-Policy
...
```
```
Web-Security-Scanning-Script/
├── index.php                  # Web UI + form handler
├── lib/
│   ├── Scanner.php            # Orchestrator
│   ├── Http.php               # cURL wrapper
│   └── Checks/
│       ├── Headers.php        # Security headers
│       ├── ExposedFiles.php   # Sensitive file probes
│       ├── Laravel.php        # Laravel-specific checks
│       └── WordPress.php      # WordPress-specific checks
├── data/
│   └── wp_plugin_vulns.json   # CVE database (sample)
├── assets/
│   └── style.css              # Report styling
└── README.md
```
Edit `lib/Checks/ExposedFiles.php` and add a row to the `PATHS` constant. No code changes needed.

Edit `data/wp_plugin_vulns.json` — keys are plugin slugs, values are arrays of vulnerability records.
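An added example, not the project's `lib/Checks/ExposedFiles.php`, showing one way a path table can carry a content signature as well as a path. A status-only probe misreports any site that answers every unknown path with a 200 "soft 404" page, so each entry here names a pattern the body must match before the file is reported. `PATH_SIGNATURES`, `classifyResponse()`, `fetch()` and the constructed responses are assumptions.

```php
<?php
// Added example, not the project's lib/Checks/ExposedFiles.php: an exposed-file
// table where each path carries a content signature, so a 200 response is only
// reported when the body actually looks like the file in question.
// PATH_SIGNATURES, classifyResponse() and fetch() are names assumed here.
declare(strict_types=1);

// path => severity, regex the body must match, remediation
const PATH_SIGNATURES = [
    '/.env' => [
        'severity' => 'Critical',
        'pattern'  => '/^(APP_KEY|DB_PASSWORD|APP_ENV)=/m',
        'fix'      => 'Move .env outside the document root and rotate every secret it contains.',
    ],
    '/.git/config' => [
        'severity' => 'High',
        'pattern'  => '/^\[core\]/m',
        'fix'      => 'Deny web access to .git/ (or deploy a build artefact instead of a checkout).',
    ],
    '/phpinfo.php' => [
        'severity' => 'Medium',
        'pattern'  => '/phpinfo\(\)/i', // the page title reads "PHP x.y.z - phpinfo()"
        'fix'      => 'Delete phpinfo.php from production.',
    ],
    '/composer.lock' => [
        'severity' => 'Low',
        'pattern'  => '/"content-hash"\s*:/',
        'fix'      => 'Block direct access to composer.lock; it lists exact dependency versions.',
    ],
];

// Decide whether a (status, body) pair for $path is a genuine exposure.
// Returns a finding in the standard shape, or null when nothing is exposed.
function classifyResponse(string $path, int $status, string $body): ?array
{
    $sig = PATH_SIGNATURES[$path] ?? null;
    if ($sig === null || $status !== 200) {
        return null;
    }
    if (!preg_match($sig['pattern'], $body)) {
        return null; // 200 but not the real file: soft 404, login page, etc.
    }
    return [
        'severity' => $sig['severity'],
        'title'    => "$path exposed",
        'detail'   => "GET $path returned 200 with content matching the expected file format.",
        'attack'   => 'Disclosure of configuration or source metadata.',
        'fix'      => $sig['fix'],
    ];
}

// Live fetch with cURL; the offline demo below does not call it.
function fetch(string $url): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false, // a redirect to a login page is not an exposure
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_MAXFILESIZE    => 65536, // abort if the declared Content-Length is larger
        CURLOPT_USERAGENT      => 'web-security-scanning-script (passive check)',
    ]);
    $body   = (string) curl_exec($ch);
    $status = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    return [$status, $body];
}

// Constructed responses (not from any real host): a real .env, a soft 404 for
// /.git/config that still answers 200, and a plain 404 for phpinfo.php.
$samples = [
    ['/.env',        200, "APP_ENV=production\nAPP_KEY=base64:PLACEHOLDER\nDB_PASSWORD=example\n"],
    ['/.git/config', 200, "<html><body><h1>Page not found</h1></body></html>"],
    ['/phpinfo.php', 404, "Not Found"],
];
foreach ($samples as [$path, $status, $body]) {
    $f = classifyResponse($path, $status, $body);
    echo $path, ': ', $f ? "{$f['severity']}, {$f['title']}" : 'nothing exposed', "\n";
}
```

Only `/.env` is reported for the constructed samples; the soft 404 on `/.git/config` is ignored because its body does not contain a `[core]` section. `CURLOPT_FOLLOWLOCATION` is left off on purpose: a probe that follows a redirect to a 200 login page would otherwise look like a hit.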
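The following added example (not the project's `lib/Checks/WordPress.php` or its JSON loader) shows the two halves of the plugin check together: enumerating plugin slugs and versions from `/wp-content/plugins/` asset URLs in the page source, then matching them against vulnerability records with `version_compare()`. The record layout (`affected_below`, optional `affected_from`) is an assumption about how `wp_plugin_vulns.json` could be shaped; the `CVE-2020-35489` record mirrors the README's sample report, while `example-plugin` and its CVE id are constructed placeholders.

```php
<?php
// Added example, not the project's lib/Checks/WordPress.php or its JSON loader:
// enumerates plugin slugs and versions from asset URLs in the page source, then
// matches them against a vulnerability database in the record layout assumed
// here (slug => list of records with affected_below / optional affected_from).
// The CVE-2020-35489 record mirrors the README's sample report; "example-plugin"
// and its CVE id are constructed placeholders. Function names are assumptions.
declare(strict_types=1);

// Constructed database in the layout data/wp_plugin_vulns.json is assumed to use.
$dbJson = <<<'JSON'
{
  "contact-form-7": [
    {"cve": "CVE-2020-35489", "title": "Unrestricted file upload bypass",
     "severity": "High", "affected_below": "5.3.2",
     "fix": "Update Contact Form 7 to >= 5.3.2"}
  ],
  "example-plugin": [
    {"cve": "CVE-0000-00000 (placeholder)", "title": "Placeholder issue in a version range",
     "severity": "Medium", "affected_from": "2.0.0", "affected_below": "2.1.5",
     "fix": "Update example-plugin to >= 2.1.5"}
  ]
}
JSON;

// Enumerate plugins from /wp-content/plugins/<slug>/... asset URLs. The ?ver=
// query parameter is usually the plugin version, but some plugins pass the
// WordPress core version instead, so treat it as a hint; null means unknown.
function enumeratePlugins(string $html): array
{
    $found = [];
    preg_match_all('~/wp-content/plugins/([\w-]+)/[^"\'\s>]*~i', $html, $matches, PREG_SET_ORDER);
    foreach ($matches as [$url, $slug]) {
        $slug  = strtolower($slug);
        $query = parse_url($url, PHP_URL_QUERY);
        $ver   = null;
        if (is_string($query)) {
            parse_str($query, $params);
            $ver = $params['ver'] ?? null;
        }
        // isset() is false for null, so a later URL carrying ?ver= fills in an
        // unknown version but never replaces a version already recorded.
        if (!isset($found[$slug])) {
            $found[$slug] = $ver;
        }
    }
    return $found;
}

// A version is affected when it is below affected_below and, if the record has
// one, at or above affected_from. version_compare() orders "5.3.1" before
// "5.3.2" and understands suffixes such as "-beta", unlike string comparison.
function isAffected(string $version, array $rec): bool
{
    return version_compare($version, $rec['affected_below'], '<')
        && (!isset($rec['affected_from']) || version_compare($version, $rec['affected_from'], '>='));
}

function matchPlugins(array $detected, array $db): array
{
    $findings = [];
    foreach ($detected as $slug => $version) {
        if ($version === null) {
            continue; // unknown version: report nothing rather than guess
        }
        foreach ($db[$slug] ?? [] as $rec) {
            if (isAffected($version, $rec)) {
                $findings[] = [
                    'severity' => $rec['severity'],
                    'title'    => "Vulnerable plugin: $slug v$version",
                    'detail'   => "{$rec['cve']}: {$rec['title']}",
                    'attack'   => 'See the CVE record for the exploitation class.',
                    'fix'      => $rec['fix'],
                ];
            }
        }
    }
    return $findings;
}

// Constructed page fragment (example.test is a reserved, non-routable name).
$html = <<<'HTML'
<link rel="stylesheet" href="https://example.test/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.3.1">
<script src="https://example.test/wp-content/plugins/example-plugin/js/app.js?ver=2.1.5"></script>
<script src="https://example.test/wp-content/plugins/akismet/_inc/akismet.js"></script>
HTML;

$db = json_decode($dbJson, true, 512, JSON_THROW_ON_ERROR);
foreach (matchPlugins(enumeratePlugins($html), $db) as $f) {
    echo "[{$f['severity']}] {$f['title']}: {$f['detail']}\n";
}
```

For the constructed page only `contact-form-7 v5.3.1` is reported: `example-plugin` is at `2.1.5`, which is not below the `affected_below` bound, and `akismet` has no version in its asset URL, so it is skipped rather than reported on a guess. Using `version_compare()` rather than a string or float comparison matters as soon as a plugin reaches a version like `5.10.0`, which a plain string comparison would sort before `5.3.2`.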
- Create `lib/Checks/Drupal.php` (or whatever) following the same shape as `Laravel.php`.
- Extend `Scanner::fingerprint()` to detect the new stack.
- Wire it into `Scanner::run()`.
Wrap Scanner in a small CLI entry script that reads $argv[1] and prints json_encode($result).
- Auto-sync the WP vulnerability database from the WPScan API
- Drupal and Joomla check modules
- JSON output mode for CI/CD pipelines
- CLI entry point
- Rate-limiting between requests (be kinder to targets)
- Scan history with SQLite
Pull requests welcome. Good first contributions:
- Add CVE entries to `data/wp_plugin_vulns.json`.
- Add new exposed-file signatures to `lib/Checks/ExposedFiles.php`.
- Improve fingerprinting heuristics in `lib/Scanner.php`.
Please make sure any new check follows the standard finding shape:
```php
[
    'severity' => 'High',
    'title'    => 'Short label',
    'detail'   => 'What was observed',
    'attack'   => 'How it can be abused',
    'fix'      => 'How to remediate',
]
```

MIT — see LICENSE.
This software is provided for educational purposes and authorized security testing only. The authors accept no liability for misuse. Scanning systems without explicit permission is illegal in most jurisdictions, and using this tool to do so is no exception. Use responsibly.