A modern, full-stack vulnerability scanner with a sleek Next.js frontend and Python Flask backend. This tool crawls target websites, detects SQL Injection, XSS, and missing security headers, and provides real-time scanning with detailed reports.
- Web Crawler: Automatically discovers pages by following links within the same domain
- Vulnerability Detection:
  - SQL Injection: Tests for SQLi flaws with payload injection
  - Cross-Site Scripting (XSS): Checks for reflected XSS vulnerabilities
  - Security Headers: Verifies CSP, X-Frame-Options, X-Content-Type-Options
- Real-time Scanning: Live progress updates via Server-Sent Events (SSE)
- Scan History: Persistent storage of past scans with statistics
- Detailed Reports: Interactive report pages with severity classification and PDF export
- Modern UI: Dark theme, responsive design with Next.js + Tailwind + shadcn/ui
- Configurable Settings: Adjust scan depth, timeouts, and report preferences
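The Security Headers check listed above, written out as an added example that is not the project's own vuln_scanner.py: it validates header values rather than only checking presence, and the finding dict shape and severity labels are assumptions, not the project's report format.

```python
from typing import Dict, List


def check_security_headers(headers: Dict[str, str]) -> List[dict]:
    """Return findings for missing or weak CSP, X-Frame-Options, X-Content-Type-Options.

    Header names are matched case-insensitively, as HTTP requires.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings: List[dict] = []

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append({"header": "Content-Security-Policy", "severity": "medium",
                         "detail": "missing; no browser-side restriction on script sources"})
    else:
        # Parse "directive src src; directive ..." into a dict of source lists.
        directives = {}
        for d in csp.split(";"):
            parts = d.split()
            if parts:
                directives[parts[0].lower()] = parts[1:]
        # script-src falls back to default-src when absent, as browsers do.
        script_src = directives.get("script-src", directives.get("default-src", []))
        if "'unsafe-inline'" in script_src or "*" in script_src:
            findings.append({"header": "Content-Security-Policy", "severity": "low",
                             "detail": "script-src allows inline scripts or any origin"})

    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append({"header": "X-Frame-Options", "severity": "medium",
                         "detail": "missing; page can be framed by other origins"})
    elif xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append({"header": "X-Frame-Options", "severity": "low",
                         "detail": f"unrecognised value {xfo!r}; browsers ignore it"})

    xcto = h.get("x-content-type-options")
    if xcto is None or xcto.lower() != "nosniff":
        findings.append({"header": "X-Content-Type-Options", "severity": "low",
                         "detail": "missing or not 'nosniff'; MIME sniffing allowed"})
    return findings


if __name__ == "__main__":
    # Constructed sample response headers, not captured from any real site.
    sample = {"Content-Type": "text/html", "X-Frame-Options": "ALLOWALL",
              "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'"}
    for f in check_security_headers(sample):
        print(f"[{f['severity']}] {f['header']}: {f['detail']}")
```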
Entry point with URL input, scan depth selection (Quick/Standard/Deep), and dashboard statistics.

Real-time scan progress with terminal-style log output, progress bar, and discovered paths sidebar.

Complete scan history table with filtering, vulnerability breakdown by severity, and quick access to reports.

Configure scanner defaults, API connection, and report preferences with persistent storage.

Frontend:
- Next.js 15+ (App Router)
- TypeScript
- Tailwind CSS
- shadcn/ui
- Server-Sent Events (SSE)
Backend:
- Python 3.8+
- Flask
- Flask-CORS
webVulnerabilityScanner/
├── frontend/ # Next.js frontend
│ ├── app/ # Route pages
│ ├── components/ # React components
│ ├── lib/ # Utilities (API, storage)
│ ├── types/ # TypeScript interfaces
│ └── package.json
├── screenshots/ # App screenshots
├── app.py # Flask main app
├── crawler.py # Web crawler logic
├── vuln_scanner.py # Vulnerability detection
├── reporter.py # Report generation
├── main.py # CLI entry point
├── requirements.txt # Python dependencies
└── README.md
- Clone the repository:
  git clone https://github.com/vinamra1102/webVulnerabilityScanner.git
  cd webVulnerabilityScanner
- Install Python dependencies:
  pip install -r requirements.txt
  pip install flask-cors
- Start the Flask backend:
  python app.py
  Backend runs on http://localhost:5000
- Navigate to the frontend directory:
  cd frontend
- Install dependencies:
  npm install
- Start the dev server:
  npm run dev
  Frontend runs on http://localhost:3000
- Open http://localhost:3000
- Enter the target URL (e.g., http://testphp.vulnweb.com)
- Select scan depth: Quick (~1 min), Standard (~5 min), or Deep (~30 min)
- Click "Start Scan" and watch real-time progress
- View the detailed report with severity breakdown
- Download the PDF report or check history
python main.py <target_url>
Example:
python main.py http://testphp.vulnweb.com
A scan_report.json will be generated with the results.
| Method | Endpoint | Description |
|---|---|---|
| POST | /api/scan | Start a new scan |
| GET | /api/scan/stream?scan_id=X | SSE stream for live progress |
| GET | /api/report/[id] | Get scan report |
| GET | /api/report/[id]/download | Download PDF report |
| GET | /api/history | Get scan history |
| POST | /api/test-connection | Test backend connectivity |
- Scan depth: Quick, Standard, or Deep (pre-fills on home page)
- Max crawl depth: How many link hops to follow (default: 3)
- Request timeout: Seconds before giving up on a request (default: 5)
- Backend URL: Flask API endpoint (default: http://localhost:5000)
- Auto-download PDF: Automatically save reports after scans
- Report title: Custom text for PDF cover page
All settings persist in browser localStorage.
- SQLi/XSS detection is basic — expanding payload sets planned
- Scans are currently synchronous — async/background tasks planned
- No authentication/authorization yet
- Limited to HTTP(S) scanning
This tool is for educational and authorized testing only. Unauthorized scanning of websites is illegal. Always obtain written permission before testing. The author is not responsible for misuse.
MIT
Pull requests welcome. Please test thoroughly before submitting.