Web Security Vulnerability Scanner

This Python-based security vulnerability scanner, developed by Striweb, automates the detection of common web vulnerabilities in a given website. The tool tests for issues such as missing security headers, absent rate limiting, brute-force login weaknesses, file upload weaknesses, CORS misconfigurations, HTTP parameter pollution, and open redirect flaws. It also enumerates common subdomains of the target domain.

Features

  • Security Headers Check: Checks whether common security headers such as X-Frame-Options, Strict-Transport-Security, and others are present in the response.
  • Rate Limiting Test: Sends repeated requests to detect whether a rate limiting mechanism is enforced.
  • Brute-Force Login Attack: Tries common username/password combinations to identify weak login forms.
  • File Upload Vulnerability Test: Simulates file uploads to detect improper handling of dangerous file types.
  • HTTP Parameter Pollution (HPP): Tests if the server is vulnerable to parameter pollution attacks.
  • CORS Misconfiguration: Detects if cross-origin resource sharing is misconfigured, which could expose sensitive data.
  • Open Redirect: Checks if the website is vulnerable to open redirects, allowing attackers to redirect users to malicious sites.
  • Subdomain Enumeration: Finds common subdomains associated with the target domain.
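As an added example (not the repository's own scanner.py), here is an offline version of the Security Headers Check and CORS Misconfiguration features above: it evaluates a constructed set of response headers and returns findings rather than contacting any server. The required-header list, its value conditions and the `untrusted.example` origin are assumptions made for this illustration.

```python
from typing import Callable, Dict, List

# Expected security headers and the condition each value must satisfy.
# Names are assumptions for this example; the project's own list may differ.
REQUIRED_HEADERS: Dict[str, Callable[[str], bool]] = {
    "Strict-Transport-Security": lambda v: "max-age=" in v.lower(),
    "X-Frame-Options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "X-Content-Type-Options": lambda v: v.strip().lower() == "nosniff",
    "Content-Security-Policy": lambda v: bool(v.strip()),
}

def _lower_keys(headers: Dict[str, str]) -> Dict[str, str]:
    # HTTP header names are case-insensitive, so normalise before lookup.
    return {k.lower(): v for k, v in headers.items()}

def check_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return one finding per missing or weakly configured security header."""
    lowered = _lower_keys(headers)
    findings: List[str] = []
    for name, is_ok in REQUIRED_HEADERS.items():
        value = lowered.get(name.lower())
        if value is None:
            findings.append(f"missing header: {name}")
        elif not is_ok(value):
            findings.append(f"weak value for {name}: {value!r}")
    return findings

def check_cors(headers: Dict[str, str], request_origin: str) -> List[str]:
    """Flag CORS responses that reflect the requesting origin or pair '*' with credentials."""
    lowered = _lower_keys(headers)
    acao = lowered.get("access-control-allow-origin", "").strip()
    creds = lowered.get("access-control-allow-credentials", "").strip().lower() == "true"
    findings: List[str] = []
    if acao == "*" and creds:
        findings.append("wildcard ACAO combined with Allow-Credentials: true")
    elif acao and acao == request_origin:
        findings.append(f"request origin {request_origin!r} reflected in ACAO"
                        + (" with credentials" if creds else ""))
    return findings

# Constructed sample response headers (not captured from any real site).
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "X-Frame-Options": "ALLOWALL",
    "Access-Control-Allow-Origin": "https://untrusted.example",
    "Access-Control-Allow-Credentials": "true",
}

if __name__ == "__main__":
    origin = "https://untrusted.example"
    for finding in check_security_headers(SAMPLE_HEADERS) + check_cors(SAMPLE_HEADERS, origin):
        print("-", finding)
```

A real scan would feed `response.headers` from the HTTP client into these functions and add each finding to the HTML report.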

Installation

  1. Clone the repository:

    git clone https://github.com/striweb/web-vulnerability-scanner.git
    cd web-vulnerability-scanner
  2. Install the required Python packages:

    pip install -r requirements.txt
  3. Run the script:

    python scanner.py

Usage

  1. URL Input: The script prompts for the URL of the website to test (e.g., https://example.com).
  2. Subdomain Enumeration: Automatically detects and tests subdomains like www, admin, api, etc.
  3. HTML Report Generation: After running the tests, the tool generates a comprehensive HTML report, which can be saved to a specified file.

Example

Enter the website URL to test (e.g., https://example.com): https://yourwebsite.com
Enter the file name to save the report (or press Enter to skip saving): report.html

The report will be saved as report.html in the current directory.

Customization

  • XSS Payloads: The scanner uses basic XSS payloads but can be extended by adding more sophisticated payloads to the XSS_PAYLOADS list.
  • Brute-Force Credentials: Add more common username and password combinations to the BRUTE_FORCE_CREDENTIALS list.
  • File Upload Testing: Modify the files_to_test dictionary to test for additional file types and formats.

Disclaimer

This tool is for educational purposes and legal penetration testing only. Unauthorized use of this tool against websites without permission is illegal. Always obtain proper authorization before running scans against any system.

License

This project is licensed under the MIT License. See the LICENSE file for details.
Authored by Striweb.