This project is a web security scanning tool designed to identify and report vulnerabilities in websites. The application is a full-stack system with Python/Flask backend services and a JavaScript frontend. The tool provides a user-friendly interface to scan websites for common vulnerabilities, generate reports, and visualize security scores.
The application follows a client-server architecture with the following components:
- Main Security Scanner Backend
  - Core scanning functionality for detecting vulnerabilities
  - Handles HTTP request analysis and security header checks
  - Implements SSL/TLS security assessment
  - Provides vulnerability detection for SQL Injection, XSS, and form vulnerabilities
  - Technology detection capabilities
- Report Generation Backend
  - AI-enhanced PDF analysis service for vulnerability reporting
  - Extracts text from uploaded security PDFs
  - Integrates with the OpenAI API to analyze vulnerabilities
- Frontend Components
  - Report generation functionality
  - Security score calculation and visualization
- Security Header Analysis: Checks for missing security headers such as Content-Security-Policy, X-Frame-Options, etc.
- SSL/TLS Assessment: Verifies certificate validity and supported protocol versions, and flags insecure configurations
- Configuration Analysis: Identifies security misconfigurations in HTTP settings
- Vulnerability Detection:
  - SQL Injection testing with various payloads
  - Cross-Site Scripting (XSS) detection
  - Form vulnerability analysis
- Technology Detection: Identifies web technologies, frameworks, and server types
- `GET /`: Serves the frontend application
- `GET /<path:filename>`: Serves static files
- `POST /scan`: Main endpoint that performs security scanning; returns comprehensive security assessment results
This service is designed to extract text from security report PDFs and analyze them using AI.
- PDF Text Extraction: Extracts text from uploaded PDF files
- AI-Enhanced Analysis: Uses OpenAI GPT-3.5 Turbo to analyze the security vulnerabilities described in the uploaded report
- Memory-Efficient Processing: Implements strategies to handle large PDF files without loading the whole document into a single prompt
- `POST /api/upload-pdf`: Handles PDF uploads and returns vulnerability analysis
  - Accepts multipart form data with a PDF file
  - Returns AI-generated analysis of vulnerabilities detected in the report
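The upload endpoint accepts a file from an untrusted client, so the first thing it should do is reject anything that is not a reasonably sized PDF, and the extracted text then has to be cut into pieces the model can take. The following is an added example, not the project's own code: `validate_pdf_upload` enforces the 2 MB limit and the PDF header/trailer markers, and `chunk_text` splits extracted text on paragraph boundaries. The limit and the chunk size are assumptions; the sample bytes are constructed here.

```python
MAX_UPLOAD_BYTES = 2 * 1024 * 1024  # 2 MB, the limit stated for the upload feature


def validate_pdf_upload(data, max_bytes=MAX_UPLOAD_BYTES):
    """Cheap checks to run before any PDF parsing: size, magic header, trailer.
    Returns (ok, reason). Content-Type from the client is ignored on purpose,
    since it is attacker-controlled."""
    if not data:
        return False, "empty upload"
    if len(data) > max_bytes:
        return False, f"file exceeds {max_bytes} bytes"
    if not data.startswith(b"%PDF-"):
        return False, "not a PDF (missing %PDF- header)"
    # A well-formed PDF ends with %%EOF; allow a little trailing whitespace.
    if b"%%EOF" not in data[-1024:]:
        return False, "truncated PDF (no %%EOF trailer)"
    return True, "ok"


def chunk_text(text, max_chars=6000):
    """Split extracted report text into chunks of at most max_chars, keeping
    paragraphs together where possible so each chunk is a coherent prompt.
    Oversized paragraphs are hard-split rather than dropped."""
    chunks, current = [], ""
    for para in text.split("\n\n"):
        para = para.strip()
        if not para:
            continue
        # Flush the current chunk if this paragraph will not fit alongside it.
        if current and len(current) + len(para) + 2 > max_chars:
            chunks.append(current)
            current = ""
        while len(para) > max_chars:
            if current:
                chunks.append(current)
                current = ""
            chunks.append(para[:max_chars])
            para = para[max_chars:]
        current = para if not current else current + "\n\n" + para
    if current:
        chunks.append(current)
    return chunks


# Constructed sample inputs (not real uploads).
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
SAMPLE_TEXT = "Missing header: Content-Security-Policy\n\nTLS 1.0 accepted\n\nReflected XSS in /search?q="

if __name__ == "__main__":
    print(validate_pdf_upload(SAMPLE_PDF))
    print(validate_pdf_upload(b"GIF89a"))
    print(chunk_text(SAMPLE_TEXT, max_chars=40))
```

In the Flask handler this runs on `request.files["file"].read()` before the bytes reach the PDF parser; each chunk is then sent to the model as its own request and the answers are merged, so a large report never has to sit in memory as one prompt.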
The `generateReport()` function creates comprehensive PDF reports of security scans using jsPDF.
- Title page with scanned URL and timestamp
- Security score visualization
- Detailed sections for:
- Missing security headers
- Security misconfigurations
- SSL/TLS analysis and certificate details
- Detected vulnerabilities (SQL Injection, XSS, vulnerable forms)
- Technology detection results
The frontend implements a scoring feature that calculates a security score based on detected issues.
- Results Display: Shows a summary of scan results with color-coded indicators
- Score Visualization: Circular progress indicator that changes color based on score
- Report Download: Button to generate and download comprehensive PDF reports
The application checks for the presence of critical security headers:
- Strict-Transport-Security: Tells browsers to reach the site only over HTTPS, which blocks protocol-downgrade and cookie-stealing MITM attacks
- Content-Security-Policy: Mitigates XSS and content injection by restricting where scripts and other resources may load from
- X-Frame-Options: Prevents clickjacking by controlling whether the page may be framed
- X-Content-Type-Options: Prevents MIME sniffing (`nosniff`)
- Referrer-Policy: Controls how much referrer information is sent with outgoing requests
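A header that is present but carries a useless value (an HSTS `max-age` of a few seconds, a CSP with `'unsafe-inline'`) gives no protection, so a checker should look at values, not just names. The following is an added example and not the project's own code: it runs the header check described above over a response-header dict and turns the result into a 0-100 score like the frontend scoring feature. The weights, the weakness rules and the two sample responses are assumptions constructed for the example.

```python
import re

# Headers the checker expects and the score weight each carries. The weights are
# illustrative assumptions for this example, not the project's own values.
REQUIRED_HEADERS = {
    "Strict-Transport-Security": 25,
    "Content-Security-Policy": 30,
    "X-Frame-Options": 15,
    "X-Content-Type-Options": 15,
    "Referrer-Policy": 15,
}

ONE_YEAR = 31536000  # an HSTS max-age below one year is commonly treated as too short


def hsts_max_age(value):
    """Extract max-age from an HSTS header value; None if absent or malformed."""
    m = re.search(r"max-age\s*=\s*\"?(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else None


def header_is_weak(name, value):
    """Presence is not protection: True when the value gives no real benefit."""
    v = value.strip()
    if name == "Strict-Transport-Security":
        age = hsts_max_age(v)
        return age is None or age < ONE_YEAR
    if name == "Content-Security-Policy":
        return "'unsafe-inline'" in v or "'unsafe-eval'" in v or "default-src *" in v
    if name == "X-Frame-Options":
        return v.upper() not in ("DENY", "SAMEORIGIN")
    if name == "X-Content-Type-Options":
        return v.lower() != "nosniff"
    if name == "Referrer-Policy":
        return v.lower() == "unsafe-url"
    return False


def check_security_headers(headers):
    """Return {"missing": [...], "weak": [(name, value), ...]} for a header dict.
    Lookup is case-insensitive because HTTP header names are."""
    lowered = {k.lower(): v for k, v in headers.items()}
    missing, weak = [], []
    for name in REQUIRED_HEADERS:
        value = lowered.get(name.lower())
        if value is None:
            missing.append(name)
        elif header_is_weak(name, value):
            weak.append((name, value))
    return {"missing": missing, "weak": weak}


def security_score(result):
    """0-100 score: a missing header costs its full weight, a weak one half."""
    penalty = sum(REQUIRED_HEADERS[n] for n in result["missing"])
    penalty += sum(REQUIRED_HEADERS[n] // 2 for n, _ in result["weak"])
    return max(0, 100 - penalty)


# Constructed sample responses (not captured from a real site).
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; object-src 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
BAD_HEADERS = {
    "Server": "nginx",
    "content-security-policy": "default-src * 'unsafe-inline'",
    "x-frame-options": "ALLOWALL",
}

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD_HEADERS), ("bad", BAD_HEADERS)):
        result = check_security_headers(hdrs)
        print(label, security_score(result), result)
```

With a real target the dict comes from `requests.get(url).headers`; the weak-value rules are deliberately conservative, and the CSP check in particular only catches the obvious cases (`'unsafe-inline'`, `'unsafe-eval'`, a wildcard default source).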
Comprehensive SSL/TLS security assessment including:
- Certificate validation and expiration checking
- Protocol support analysis (identifying insecure TLS 1.0/1.1)
- Cipher suite evaluation
- Security best practices verification
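The checks above map onto what Python's `ssl` module hands back from a negotiated connection: `getpeercert()` gives the validity window, `version()` the protocol, `cipher()` the suite. The following is an added example, not the project's own code, that evaluates those three results offline; the certificate dict is constructed here in the shape `getpeercert()` returns, and the set of flagged protocol names and weak-cipher markers are assumptions. `probe()` shows the live call that would feed them (it needs network access and is not exercised by the sample).

```python
import socket
import ssl
import time

# Protocol versions to flag, spelled the way ssl.SSLSocket.version() reports them.
INSECURE_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Substrings of OpenSSL cipher names that mark a weak or broken suite (assumed list).
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "ADH", "AECDH")


def assess_certificate(cert, now=None, warn_days=30):
    """Check the validity window of a cert dict shaped like getpeercert().
    `now` is epoch seconds (defaults to the current time) so results are testable."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = int((not_after - now) // 86400)
    findings = []
    if now < not_before:
        findings.append("certificate is not yet valid")
    if now > not_after:
        findings.append("certificate has expired")
    elif days_left < warn_days:
        findings.append(f"certificate expires in {days_left} days")
    # getpeercert() nests the subject as a tuple of RDN tuples; flatten it.
    subject = dict(rdn[0] for rdn in cert.get("subject", ()))
    return {"subject": subject, "days_left": days_left, "findings": findings}


def assess_protocols(offered):
    """`offered` is the set of versions the server accepted while probing."""
    return sorted(p for p in offered if p in INSECURE_PROTOCOLS)


def assess_cipher(cipher_name):
    """Return the weak-cipher markers found in an OpenSSL cipher name."""
    return [m for m in WEAK_CIPHER_MARKERS if m in cipher_name]


def probe(host, port=443, timeout=5):
    """Live probe (needs network): negotiate TLS with hostname verification and
    return (peer cert dict, protocol version, cipher name)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(), tls.version(), tls.cipher()[0]


# Constructed certificate, not from a real host.
SAMPLE_CERT = {
    "subject": ((("commonName", "scanner.example"),),),
    "issuer": ((("commonName", "Example CA"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
}

if __name__ == "__main__":
    at = ssl.cert_time_to_seconds("Dec 15 00:00:00 2024 GMT")
    print(assess_certificate(SAMPLE_CERT, now=at))
    print(assess_protocols({"TLSv1", "TLSv1.2", "TLSv1.3"}))
    print(assess_cipher("ECDHE-RSA-DES-CBC3-SHA"))
```

One caveat for the protocol check: `create_default_context()` only negotiates the best version both sides support, so learning whether a server still accepts TLS 1.0 or 1.1 means a separate handshake per version with `ctx.minimum_version`/`ctx.maximum_version` pinned, which is what would populate the `offered` set.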
The application uses a variety of SQL injection payloads to test URL parameters and form inputs, including:
- Basic SQL syntax testing (`'`, `"`)
- Authentication bypass attempts (`' OR '1'='1`)
- Database manipulation payloads (`1'; DROP TABLE users; --`)
- Union-based injection attempts (`' UNION SELECT 1,2,3 --`)
The database manipulation payload is destructive if the target is actually injectable; only run it against systems you own or are explicitly authorized to test.
Tests for XSS vulnerabilities with payloads like:
- Basic script execution (`<script>alert(1)</script>`)
- Event handler injections (`<img src=x onerror=alert(1)>`)
- JavaScript URI schemes (`javascript:alert(1)`)
- HTML attribute injections
- DOM-based XSS vectors
- Identifies insecure form implementations
- Tests each form field with various payloads
- Detects reflection of unsanitized input
- Enter a target URL in the input field
- Click the scan button to initiate the security assessment
- Review the results:
  - Overall security score
  - Missing security headers
  - Detected vulnerabilities
  - SSL/TLS configuration issues
  - Identified technologies
The generated PDF report contains:
- Security score and summary
- Detailed vulnerability assessment
- Technical findings organized by category
- Certificate details for HTTPS sites
- Technology stack information
To utilize the AI analysis feature:
- Upload a security report PDF (max 2MB)
- The system will extract text and analyze vulnerabilities
- Review the AI-generated assessment of security issues
- Python 3.6+
- Flask web framework
- Required Python libraries:
  - requests
  - BeautifulSoup4
  - PyPDF2
  - OpenAI Python client
  - python-dotenv
  - flask-cors
  - OpenSSL
- HTML5, CSS3, JavaScript
- jsPDF library for PDF generation
This web security scanner provides a comprehensive solution for identifying security vulnerabilities in web applications. By combining automated scanning with AI-enhanced analysis, it offers both technical details and actionable insights to improve web application security posture.