A Python-based automated security testing tool designed to identify common web application vulnerabilities such as SQL Injection (SQLi), Blind SQL Injection, Cross-Site Scripting (XSS), and missing security headers.
Web applications are among the most frequently targeted systems in modern cybersecurity. Manual vulnerability testing can be time-consuming and requires significant expertise. This project automates the process of identifying common web vulnerabilities through crawling, payload injection, and response analysis.
The scanner was developed as an educational cybersecurity project to demonstrate practical vulnerability assessment techniques and web security concepts.
- Automated Web Crawling
- Form Discovery and Extraction
- SQL Injection Detection
- Blind SQL Injection Detection (Boolean-Based)
- Time-Based SQL Injection Detection
- Cross-Site Scripting (XSS) Detection
- Security Header Analysis
- JSON Report Generation
- DVWA Integration for Testing
| Technology | Purpose |
|---|---|
| Python | Core Development |
| Requests | HTTP Request Handling |
| BeautifulSoup4 | HTML Parsing |
| JSON | Report Generation |
| Docker | DVWA Deployment |
| DVWA | Vulnerable Testing Environment |
```
Automated-Web-Vulnerability-Scanner/
│
├── main.py
├── crawler.py
├── scanner.py
├── report.py
├── requirements.txt
├── screenshots/
└── README.md
```
- `main.py`: Entry point of the application. Handles user input, DVWA authentication, session creation, and scanner execution.
- `crawler.py`: Crawls web pages, extracts forms and hyperlinks, and performs the security header analysis.
- `scanner.py`: Implements the vulnerability detection logic: SQL Injection, Blind SQL Injection, Time-Based SQL Injection, and XSS testing.
- `report.py`: Generates and stores the vulnerability findings in JSON format.
Clone the repository:
```bash
git clone https://github.com/Dushyant479/Automated-Web-Vulnerability-Scanner.git
cd Automated-Web-Vulnerability-Scanner
```
Install dependencies:
```bash
pip install -r requirements.txt
```
Start DVWA using Docker:
```bash
docker run --rm -it -p 8080:80 vulnerables/web-dvwa
```
Open: http://localhost:8080
Login Credentials:
- Username: admin
- Password: password
Reset the DVWA database before testing.
Execute:
```bash
python main.py
```
Enter the target URL when prompted.
Example:
```
Enter target URL: http://localhost:8080/vulnerabilities/xss_r/
Are you testing DVWA? (yes/no): yes
```
The scanner is capable of identifying:
- SQL Injection
- Blind SQL Injection (Boolean-Based)
- Time-Based SQL Injection
- Cross-Site Scripting (XSS)
- Missing Security Headers
Example security headers checked:
- Content-Security-Policy
- X-Frame-Options
- X-XSS-Protection
- Strict-Transport-Security
- X-Content-Type-Options
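As an added example (not the project's own code), a stand-alone version of the security header check described above, emitting findings in the same JSON shape the report uses. It works on headers already captured from a response (a constructed dict here, so it runs offline), the severity labels are assumptions, and it goes slightly beyond the page by skipping Strict-Transport-Security for plain-http URLs, where browsers ignore that header, to avoid one common false positive.

```python
import json
from typing import Dict, List

# Headers the scanner checks, with an assumed severity for each missing one.
EXPECTED_HEADERS = {
    "Content-Security-Policy": "Medium",
    "X-Frame-Options": "Medium",
    "X-XSS-Protection": "Low",
    "Strict-Transport-Security": "Medium",
    "X-Content-Type-Options": "Low",
}


def check_security_headers(url: str, headers: Dict[str, str]) -> List[dict]:
    """Return one finding per missing header, in the report's JSON shape."""
    # HTTP header names are case-insensitive, so compare lower-cased names.
    present = {name.lower() for name in headers}
    findings = []
    for name, severity in EXPECTED_HEADERS.items():
        # HSTS is only honoured over HTTPS; reporting it on http:// is noise.
        if name == "Strict-Transport-Security" and url.startswith("http://"):
            continue
        if name.lower() not in present:
            findings.append({
                "url": url,
                "type": "Missing Security Header",
                "payload": name,  # the payload field carries the header name here
                "severity": severity,
            })
    return findings


def render_report(findings: List[dict]) -> str:
    """Serialise findings as the JSON document the scanner stores."""
    return json.dumps(findings, indent=2)


if __name__ == "__main__":
    # Constructed sample: a DVWA-style response that only sets X-Frame-Options.
    sample = {"Content-Type": "text/html", "x-frame-options": "SAMEORIGIN"}
    print(render_report(check_security_headers("http://localhost:8080/", sample)))
```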
Detected vulnerabilities are stored in JSON format:
```json
{
"url": "http://localhost:8080/vulnerabilities/xss_r/",
"type": "XSS",
"payload": "<script>alert(1)</script>",
"severity": "Medium"
}
```
Limitations:
- Limited support for JavaScript-heavy applications
- Basic session management
- Possible false positives
- Limited URL parameter testing
Future Enhancements:
- Graphical User Interface (GUI)
- Multi-threaded Scanning
- Improved Session and CSRF Handling
- Additional OWASP Vulnerability Checks
- Export Reports in PDF and HTML Formats
Author: Dushyant Chaudhary