A modular, queue-driven web application security scanner built with Laravel and Vue.js. Inspired by tools like Burp Suite, it crawls target websites, discovers endpoints, executes OWASP Top 10 vulnerability checks, and generates detailed security reports — all through a clean SPA dashboard.
⚠️ This tool is intended for educational purposes only. This scanner must only be used for:
- Educational purposes — to learn how web vulnerabilities work
- Your own websites — applications you own and control
- Authorized penetration testing — with explicit written permission from the target owner
Do NOT use this tool to attack, scan, or probe websites you do not own or have permission to test. Unauthorized security scanning may be illegal under computer fraud and abuse laws in your jurisdiction (e.g. the Computer Fraud and Abuse Act in the US, the Computer Misuse Act in the UK, and similar laws elsewhere).
The developers of this tool are not responsible for any misuse or damage caused by this software.
- Web Crawler — Automatically discovers links, forms, and query parameters up to a configurable depth
- Plugin-Based Vulnerability Detection — Modular security plugins for each vulnerability type
- OWASP Top 10 Coverage — SQL Injection, XSS, Security Headers, Open Redirect
- Queue-Driven Pipeline — Asynchronous scanning via Laravel Jobs & Queues
- Real-Time Status Tracking — Monitor scan progress from `pending` → `running` → `completed`
- Detailed Reports — Severity-rated findings with proof of concept and remediation advice
- Vulnerability Management — Mark findings as `open`, `ignored`, or `fixed`
- Authentication — Full user auth (register, login, email verification) via Laravel Fortify
**Backend**

| Technology | Version |
|---|---|
| PHP | ^8.3 |
| Laravel | ^13.0 |
| Inertia.js (Laravel) | ^3.0 |
| Laravel Fortify | ^1.34 |
| Laravel Wayfinder | ^0.1 |
| Laravel Queues | Built-in |
**Frontend**

| Technology | Version |
|---|---|
| Vue.js | ^3.5 |
| Inertia.js (Vue) | ^3.0 |
| Tailwind CSS | ^4.1 |
| TypeScript | ^5.2 |
| Vite | ^8.0 |
| Reka UI | ^2.6 |
| Lucide Icons | ^0.468 |
The scanner is built around a modular pipeline of Laravel Jobs:
```text
User submits URL
        ↓
Create Scan Record
        ↓
StartScanJob      → Sets status to "running"
        ↓
CrawlJob          → Crawls target URL, discovers endpoints & forms
        ↓
ScanEndpointJob   → Runs per endpoint (parallel), executes all security plugins
        ↓
GenerateReportJob → Marks scan "completed", finalizes report
```
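As an added illustration of how a pipeline of this shape is wired (this is example code, not the repository's own jobs), the sketch below chains the first two stages, fans out one `ScanEndpointJob` per discovered endpoint with a job batch, and runs `GenerateReportJob` only once the whole batch has finished. The important defensive detail is the shared `failed()` hook: bounded retries plus a terminal `failed` status mean a scan can never sit in `running` forever after a crash. The `Scan`/`Endpoint` models, the service method names and the batch-cancellation check are assumptions.

```php
<?php

// Added example, not code from the repository. Assumes an App\Models\Scan
// Eloquent model with the `status`, `started_at` and `completed_at` columns
// from the schema, an Endpoint model, and services whose method names are
// assumed here (crawl / scan / generate). Several classes share one file
// only for readability of the example.

namespace App\Jobs;

use App\Models\Endpoint;
use App\Models\Scan;
use Illuminate\Bus\Batch;
use Illuminate\Bus\Batchable;
use Illuminate\Bus\Queueable;
use Illuminate\Contracts\Queue\ShouldQueue;
use Illuminate\Foundation\Bus\Dispatchable;
use Illuminate\Queue\InteractsWithQueue;
use Illuminate\Queue\SerializesModels;
use Illuminate\Support\Facades\Bus;
use Throwable;

abstract class ScanStageJob implements ShouldQueue
{
    use Batchable, Dispatchable, InteractsWithQueue, Queueable, SerializesModels;

    public int $tries = 3;     // bounded retries: a flaky target must not pin a worker forever
    public int $timeout = 120; // seconds per attempt

    public function __construct(public Scan $scan) {}

    // Called once the last attempt has failed: the scan lands in `failed`
    // instead of sitting in `running` indefinitely on the dashboard.
    public function failed(Throwable $e): void
    {
        $this->scan->update(['status' => 'failed', 'completed_at' => now()]);
    }
}

final class StartScanJob extends ScanStageJob
{
    public function handle(): void
    {
        $this->scan->update(['status' => 'running', 'started_at' => now()]);
    }
}

final class CrawlJob extends ScanStageJob
{
    public function handle(): void
    {
        // Assumed: CrawlerService persists and returns a collection of Endpoint models.
        $endpoints = app(\App\Services\Crawler\CrawlerService::class)->crawl($this->scan);

        // Batch callbacks are serialized, so capture the id rather than the model or $this.
        $scanId = $this->scan->id;

        // One job per endpoint runs in parallel across workers; the report is
        // generated only after every endpoint job has succeeded.
        Bus::batch($endpoints->map(fn (Endpoint $e) => new ScanEndpointJob($this->scan, $e))->all())
            ->then(static fn (Batch $batch) => GenerateReportJob::dispatch(Scan::findOrFail($scanId)))
            ->catch(static fn (Batch $batch, Throwable $e) => Scan::whereKey($scanId)->update(['status' => 'failed']))
            ->dispatch();
    }
}

final class ScanEndpointJob extends ScanStageJob
{
    public function __construct(Scan $scan, public Endpoint $endpoint)
    {
        parent::__construct($scan);
    }

    public function handle(): void
    {
        if ($this->batch()?->cancelled()) {
            return; // another endpoint job already failed the batch; do no more work
        }
        app(\App\Services\Scanner\ScannerService::class)->scan($this->scan, $this->endpoint);
    }
}

final class GenerateReportJob extends ScanStageJob
{
    public function handle(): void
    {
        app(\App\Services\Reporting\ReportingService::class)->generate($this->scan);
        $this->scan->update(['status' => 'completed', 'completed_at' => now()]);
    }
}

// Entry point, e.g. from the controller that creates the Scan record.
// The chain enforces the pending → running → crawl ordering.
function dispatchScan(Scan $scan): void
{
    Bus::chain([new StartScanJob($scan), new CrawlJob($scan)])->dispatch();
}
```

`Bus::batch()` needs the `job_batches` table (`php artisan make:queue-batches-table` followed by a migration), and the callbacks are declared `static` so no `$this` is captured when they are serialized onto the queue.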
| Plugin | Detects | Severity |
|---|---|---|
| SQL Injection | DB error patterns when SQL payloads are submitted | High / Critical |
| XSS | Reflected unencoded script tags / event handlers | Medium / High |
| Security Headers | Missing CSP, HSTS, X-Frame-Options, etc. | Low / Medium / High |
| Open Redirect | Unvalidated redirect destinations | Medium |
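The Security Headers row above is the plugin whose logic is easiest to show end to end, so here is an added example of what such a plugin can look like (example code, not the repository's plugin; the `Finding` value object, the method names and the severity thresholds are assumptions). It goes a little beyond the table: besides reporting a missing header, it flags an HSTS header whose `max-age` is too short to be useful, and it deliberately does not report missing HSTS on a plain-HTTP target, where the header is ignored by browsers anyway. The check itself is a pure function over a header map so it can be unit-tested without network access.

```php
<?php

// Added example, not the repository's own plugin. The Finding class, the
// run()/inspect() method names and the severity thresholds are assumptions;
// the scanner's real SecurityPluginInterface may look different.

namespace App\SecurityPlugins\Headers;

use Illuminate\Support\Facades\Http;

final class Finding
{
    public function __construct(
        public readonly string $type,
        public readonly string $severity,   // low | medium | high | critical
        public readonly string $description,
        public readonly string $proofOfConcept,
        public readonly string $recommendation,
    ) {}
}

final class SecurityHeadersPlugin
{
    // header name => [severity when missing, remediation hint]
    private const EXPECTED = [
        'strict-transport-security' => ['high',   'Send Strict-Transport-Security: max-age=31536000; includeSubDomains on HTTPS responses'],
        'content-security-policy'   => ['high',   'Define a Content-Security-Policy that restricts script and frame sources'],
        'x-frame-options'           => ['medium', 'Send X-Frame-Options: DENY (or a CSP frame-ancestors directive)'],
        'x-content-type-options'    => ['low',    'Send X-Content-Type-Options: nosniff'],
        'referrer-policy'           => ['low',    'Send Referrer-Policy: strict-origin-when-cross-origin or stricter'],
    ];

    /** @return Finding[] */
    public function run(string $url): array
    {
        // No redirect following: the headers of the URL actually under test are what matter.
        $response = Http::timeout(10)->withoutRedirecting()->get($url);

        return $this->inspect($url, $response->headers());
    }

    /**
     * Pure check over a header map (name => value or list of values).
     *
     * @param  array<string, string|string[]>  $headers
     * @return Finding[]
     */
    public function inspect(string $url, array $headers): array
    {
        $present  = array_change_key_case($headers, CASE_LOWER);
        $isHttps  = str_starts_with(strtolower($url), 'https://');
        $findings = [];

        foreach (self::EXPECTED as $name => [$severity, $fix]) {
            // HSTS is only honoured over HTTPS, so its absence on an HTTP URL is not a finding here.
            if ($name === 'strict-transport-security' && !$isHttps) {
                continue;
            }
            if (!array_key_exists($name, $present)) {
                $findings[] = new Finding(
                    'header', $severity,
                    "Missing {$name} response header",
                    "GET {$url} returned no {$name} header",
                    $fix,
                );
            }
        }

        // A present but weak HSTS header is a finding too: a max-age under one
        // day gives almost no protection, since the policy expires almost at once.
        if (isset($present['strict-transport-security'])) {
            $raw   = $present['strict-transport-security'];
            $value = is_array($raw) ? implode(', ', $raw) : $raw;
            if (!preg_match('/max-age=(\d+)/i', $value, $m) || (int) $m[1] < 86400) {
                $findings[] = new Finding(
                    'header', 'medium',
                    'Weak Strict-Transport-Security max-age',
                    "Strict-Transport-Security: {$value}",
                    'Use a max-age of at least 31536000 (one year)',
                );
            }
        }

        return $findings;
    }
}
```

Because `inspect()` takes a plain array, a feature test can feed it a constructed header map such as `['Content-Security-Policy' => "default-src 'self'"]` and assert on the returned findings without any HTTP call.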
```text
app/
├── Jobs/                 # Queue jobs (StartScan, Crawl, ScanEndpoint, GenerateReport)
├── Models/               # Scan, Endpoint, Payload, Vulnerability
├── Repositories/         # ScanRepository, EndpointRepository, VulnerabilityRepository
├── Contracts/            # SecurityPluginInterface
├── SecurityPlugins/
│   ├── SQLInjection/
│   ├── XSS/
│   ├── Headers/
│   └── OpenRedirect/
└── Services/
    ├── Crawler/          # CrawlerService
    ├── Scanner/          # ScannerService
    ├── Detection/        # DetectionService
    └── Reporting/        # ReportingService
```
- PHP 8.3+
- Composer
- Node.js & npm
- SQLite (default) or MySQL/PostgreSQL
- Redis (optional, for production queues)
1. Clone the repository

```bash
git clone https://github.com/shebisabeen/web-scanner.git
cd web-scanner
```

2. One-command setup

```bash
composer run setup
```

This will:
- Install PHP dependencies
- Copy `.env.example` to `.env`
- Generate the application key
- Run database migrations
- Install Node dependencies
- Build frontend assets

3. Seed the database with payloads

```bash
php artisan db:seed
```

Development (all services in one command):

```bash
composer run dev
```

This starts concurrently:
- `php artisan serve` — Laravel dev server at http://localhost:8000
- `php artisan queue:listen` — Queue worker for processing scans
- `php artisan pail` — Real-time log tailing
- `npm run dev` — Vite HMR for frontend
⚠️ The queue worker must be running for scans to execute. Without it, scans will remain in `pending` status.
Navigate to http://localhost:8000/register to create an account, or use the seeded test account:
- Email: `test@example.com`
- Password: (see `database/seeders/DatabaseSeeder.php`)
Go to http://localhost:8000/scans/create and fill in:
| Field | Description |
|---|---|
| Target URL | Full URL of the site to scan (e.g. https://example.com) |
| Scan Type | Full (all checks), Quick (headers only), or Custom |
| Crawl Depth | How many link levels deep to crawl (1–5) |
⚠️ Only scan websites you own or have explicit written permission to test.
After submitting, you're redirected to the scan report page. Refresh to see live updates as vulnerabilities are discovered.
| Status | Meaning |
|---|---|
| `pending` | Waiting for queue worker |
| `running` | Crawler and plugins are active |
| `completed` | Report generated |
| `failed` | An error occurred |
The scan report shows:
- Summary cards — Total, Critical, High, Medium, Low counts
- Vulnerability list — Each finding with severity, type, affected endpoint, proof of concept, and remediation steps
At /scans/{id}/vulnerabilities, update each finding's status:
| Status | Meaning |
|---|---|
| `open` | Unresolved |
| `ignored` | Acknowledged, not fixing |
| `fixed` | Remediated |
| Page | URL | Auth Required |
|---|---|---|
| Welcome | / | No |
| Register | /register | No |
| Login | /login | No |
| Dashboard | /dashboard | ✅ |
| All Scans | /scans | ✅ |
| New Scan | /scans/create | ✅ |
| Scan Report | /scans/{id} | ✅ |
| Vulnerabilities | /scans/{id}/vulnerabilities | ✅ |
| Profile Settings | /settings/profile | ✅ |
| Security Settings | /settings/security | ✅ |
**Scan**

| Column | Type | Description |
|---|---|---|
| `target_url` | string | URL being scanned |
| `status` | string | pending, running, completed, failed |
| `scan_type` | string | full, quick, custom |
| `depth` | integer | Crawl depth (default: 2) |
| `started_at` | timestamp | When scan began |
| `completed_at` | timestamp | When scan finished |
**Endpoint**

| Column | Type | Description |
|---|---|---|
| `scan_id` | foreignId | Parent scan |
| `url` | text | Discovered URL |
| `method` | string | GET or POST |
| `parameters` | json | Discovered parameters |
| `type` | string | form, api, url_param |
**Payload**

| Column | Type | Description |
|---|---|---|
| `type` | string | sqli, xss, header, etc. |
| `payload` | text | The attack payload string |
| `risk_level` | string | Risk classification |
**Vulnerability**

| Column | Type | Description |
|---|---|---|
| `scan_id` | foreignId | Parent scan |
| `endpoint_id` | foreignId | Affected endpoint |
| `type` | string | Vulnerability type |
| `severity` | string | low, medium, high, critical |
| `description` | text | What was found |
| `proof_of_concept` | longText | Evidence / payload used |
| `recommendation` | text | How to fix it |
| `status` | string | open, ignored, fixed |
```bash
# Run all tests
php artisan test --compact

# Run a specific test file
php artisan test --compact tests/Feature/ExampleTest.php

# Run with a filter
php artisan test --compact --filter=testName

# Format PHP code
vendor/bin/pint

# Lint frontend
npm run lint

# Format frontend
npm run format

# Type check
npm run types:check

# Build for production
npm run build

# Generate Wayfinder route types
php artisan wayfinder:generate
```

**Scan stays in "pending"**

Start the queue worker:

```bash
php artisan queue:work
```

**Scan fails immediately**

- Verify the target URL is reachable from the server
- Check logs: `storage/logs/laravel.log`
- Tail logs in real time: `php artisan pail`

**No vulnerabilities found**

- Ensure payloads are seeded: `php artisan db:seed --class=PayloadSeeder`
- The target site may not have the tested vulnerabilities
- The crawler may not have found endpoints with injectable parameters

**Frontend changes not reflected**

```bash
npm run build
# or keep running:
npm run dev
```

- Authenticated scanning (session-based login to target apps)
- Headless browser support via Playwright
- API scanning via Swagger/OpenAPI specs
- CI/CD pipeline integration
- Multi-tenant SaaS model
Try the live hosted version of the scanner without any local setup.
To verify the scanner is working correctly, you can use the following intentionally vulnerable test website:
This URL is provided specifically for testing this scanner. It is a deliberately vulnerable site — do not use it for any purpose other than testing this tool.
This project is open-sourced under the MIT license.